In a first-of-its-kind enforcement action, the Federal Trade Commission (FTC) on Thursday voted along party lines to settle deception allegations against Nomi Technologies (Nomi), a company whose technology allows retailers to track the movement of customers within stores.
The case thus makes clear that a majority of the sitting Federal Trade Commissioners believe that if a consumer control option is offered, it must be easy to find and exercise, in context. What is also clear is that the collection and use of location data is an issue the FTC is actively monitoring. As such, retailers and companies that use mobile location analytics would be wise to comply with industry guidance like the Mobile Location Analytics Code of Conduct issued by the Future of Privacy Forum.
Nomi is a startup company that began implementing its in-store tracking technology, known as its “Listen” service, in January 2013. According to the FTC’s Complaint, in order to track consumers in stores, Nomi places sensors in its clients’ retail locations that detect the MAC address of a mobile device as it searches for a wireless network, or collects MAC addresses through the existing wireless access points of its clients.1 MAC addresses are unique identifiers associated with a particular device. The FTC’s Complaint alleges that Nomi collected the MAC addresses of nine million unique mobile devices between January 2013 and September 2013.2 In addition to MAC addresses, the sensors or wireless access points collect: mobile device signal strength; the mobile device manufacturer (which can be derived from the MAC address); the location of the sensor or wireless access point observing the signal; and the date and time the mobile device is observed.3 Nomi aggregates this information into analytic reports for retail clients that, among other things, provide the percentage of consumers passing by the store versus entering the store, the average duration of consumer visits, types of mobile devices used by consumers visiting the stores, the percentage of repeat customers within a specified time period, and the number of customers that had visited another location within the client’s chain.4
In order to settle the matter, Nomi agreed that it would not misrepresent in any manner, expressly or by implication “(A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”8 Nomi must further maintain certain documents and complaints related to the content of the consent order for a period of five years from the date of creation or receipt, and deliver a copy of the consent order to current and future subsidiaries, officers, directors, and managers, and to all current and future employees, agents, and representatives with responsibilities related to the consent order for 10 years.9