There is currently a widespread effort to quantify everything, from steps, to sleep, to batted ball exit velocity. Fifteen years ago, TV host Jeremy Clarkson tested an innovative new supercar that could quantify your driving habits. At the time, Clarkson glibly quipped that the car’s technology allowed you to “compare your drive home from work with the drive home last night.” Today, that type of data is regarded as so useful that some companies will give you the technology for free. Of course, if we can quantify driving habits, we can quantify shopping habits. Indeed, by using mobile location analytics, retailers gain valuable insight by comparing a customer’s “checkout dwell time” with the checkout dwell time last night. The problem is that customers are even less eager to be quantified than Clarkson was.

Mobile location analytics (MLA) works by placing sensors inside stores and using them to interact with the Wi-Fi and Bluetooth functions of smartphones. The resulting data is de-personalized and aggregated into analytics that tell retailers about customers’ walking paths, high-traffic areas, the duration and frequency of customer visits, the impact of advertising, and more. Retailers can use this data to help optimize their store layouts, place products, and adjust staffing levels. However, a recent FTC action highlighted the privacy concerns that temper widespread MLA use.

In April 2015, the FTC settled a complaint against Nomi Technologies, Inc., the first of its kind against an MLA provider. The complaint alleged Nomi’s privacy policy misrepresented that consumers would have the ability to opt out of MLA “at any retailer using Nomi’s technology.” In practice, according to the FTC, consumers were not actually provided a means to opt out in person. Instead, consumers – who had no clear notice that they were being tracked in the first place – could only opt out by visiting Nomi’s website.

Not surprisingly, consumers generally disapprove of being tracked. A 2014 survey showed that 77% of shoppers disapproved of in-store tracking, and businesses also cite consumer privacy concerns as stalling their adoption of MLA. Currently, the law does not directly protect consumer privacy from the type of data collection used by MLA providers1. Instead, protection for both consumers and businesses comes in the form of privacy policies and codes of conduct that provide consumers notice and choice.

The most prevalent code of conduct is promulgated by the Future of Privacy Forum. In contrast to the Nomi case, participating companies only commit to taking “reasonable steps” to ensure there is in-person signage at stores where MLA is used. More concretely, they commit to providing detailed privacy notices on their websites. They also maintain a centralized procedure for consumers to opt out of MLA across all participating companies, although some groups advocate for an opt-in consent model.

In light of Nomi and the uncertain state of MLA privacy law, the best protection for businesses is to adopt a notice and choice privacy policy, and actually follow it in practice.