On February 19, 2014, the Federal Trade Commission (“FTC”) hosted a public seminar on mobile device tracking, the first event in the FTC’s Spring Privacy Series on emerging consumer privacy issues.  The seminar included a tutorial on how retail tracking technology works, along with a panel featuring representatives from consumer groups and the retail, marketing, and technology industries, who discussed the risks and benefits, consumer awareness and perceptions, and the future of mobile device tracking.

According to Commission staff, the purpose of the seminar was to explore potential privacy concerns and questions about the expanding practice of retailers and other businesses tracking consumers’ movements throughout and around retail store locations.  

How Mobile Device Tracking Works

Ashkan Soltani, an independent researcher on privacy and security issues, opened the seminar with a technical overview on mobile device tracking.  Mr. Soltani explained that such tracking occurs through the use of mobile phones and other location-aware devices that collect location information via GPS antennas, local wi-fi signals, and cellular towers.  Because these devices emit, as well as receive, location data, businesses can use such devices to determine when consumers entered a store, how long they were there, what type of phone they use, where in the store they shopped, and more.  Using a device’s Bluetooth capabilities (sometimes referred to as Bluetooth Low Energy or iBeacons), a business can also send messages to a device to inform consumers of relevant information (e.g., coupons or sale information).

Mr. Soltani also described how each device includes a unique number that serves as a reliable and robust identifier for that device.  Using the device’s unique identifier, a business can determine whether it has seen a particular device in its stores before, as well as the location habits of that particular device.  While most businesses that track mobile devices use a process called “hashing” to make the information collected non-personally identifiable, Mr. Soltani noted that hashing did not render the data collected completely anonymous.

Mr. Soltani acknowledged the benefits of mobile device tracking, including the potential to (1) improve consumers’ shopping experience by informing their devices of nearby sales and applicable coupons; and (2) help businesses identify how best to display popular products and improve line waits at registers.  Nevertheless, he cautioned that businesses should proceed carefully given real privacy concerns.  Through aggregate analytics of the data collected, businesses can ascertain a relatively accurate picture of daily behavior patterns for individuals linked to a unique identifier.  Moreover, the collection of data via mobile devices is invisible and passive, and it is difficult for consumers to opt out of mobile device tracking.  Additionally, he noted that device tracking creates certain security and hacking concerns.

Balancing Consumer Benefits With Privacy Concerns

Following the remarks by Mr. Soltani, a panel of technology and mobile tracking experts discussed the consumer benefits and awareness, and the privacy concerns relating to mobile device tracking, mainly in the context of brick-and-mortar retailers.  The discussion centered on several key topics:

Consumer Awareness of Tracking

Ilana Westerman, chief executive officer of marketing design firm Create with Context, described the results of recent research gauging consumers’ response to various tracking scenarios, and the extent to which consumers are aware that tracking is occurring in the retail store environment.  Results of the study included the following:

  • Only a third of consumer respondents were aware that retailers engage in tracking via location data from the consumers’ mobile device 
  • Consumers are more concerned with a retailer’s ability to build a profile based on historical location data than with real-time tracking at the store location
  • Consumers are less concerned with a retailer’s ability to obtain location data from a smartphone than other types of personal data (e.g., contact lists, preferences, etc.) 

Ms. Westerman described efforts underway to increase consumer awareness of mobile device tracking through explicit means such as enhanced in-store signage, as well as creating “ambient awareness” through a universal seal indicating that location data collection is occurring.  She acknowledged the challenges in increasing consumer awareness due to low consumer recall with respect to in-store signs, and challenges with real-time notice on the user’s smartphone because consumers focus more on the products they came to purchase than on their device.  In contrast, Mallory Duncan, senior vice president and general counsel at the National Retail Federation, suggested that a large percentage of consumers already expect that they are being tracked to a certain degree when shopping.

Is Mobile Device Tracking Data “Unidentifiable”? 

The panel also debated the extent to which the data collected by retailers is and can remain unidentifiable.  Several panelists downplayed concerns that the tracking data can be used to pinpoint specific individuals.  For example, Glenn Tinley, president of analytics firm Mexia Interactive, stated that there is little risk to consumers when a retailer captures a smartphone user’s MAC address because it does not provide any specific information about the user of such device.  

In response, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation, highlighted the risk that initially unidentifiable location data may be combined with other data sources to identify specific individuals.  Further, Mr. Schoen explained that, while current retailers may agree to use aggregate data only, other companies inevitably will want to learn more about individual consumers as the technology continues to evolve.  According to Mr. Schoen, the profiling analytics that have not yet been deployed are cause for the biggest concern, particularly because there is a low barrier to entry to deploy technologies that can collect consumer location data.  As a result, he advocated for consumer protection approaches such as a “Change my MAC address” button on wireless devices, which would allow for real-time tracking but limit the extent of historical data that can identify habitual patterns among consumers.
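Why a hashed device identifier still works as a persistent pseudonym, and how rotating the token limits the historical trail while keeping same-day counts, is shown in the following added example (it is not from the seminar or from any vendor's code). The sightings, the SHA-256 choice, and the per-day keyed hash are constructed assumptions for illustration; the rotation stands in for the effect of a device changing its MAC address.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample sightings (date, store, MAC). Not real devices.
SIGHTINGS = [
    ("2014-02-17", "store-A", "02:00:00:aa:bb:01"),
    ("2014-02-17", "store-A", "02:00:00:aa:bb:02"),
    ("2014-02-18", "store-B", "02:00:00:aa:bb:01"),
    ("2014-02-19", "store-A", "02:00:00:aa:bb:01"),
    ("2014-02-19", "store-A", "02:00:00:aa:bb:01"),  # second ping, same visit
]

def plain_hash(mac, _date):
    """Deterministic hash: the same device maps to the same token forever."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]

def make_daily_hash(secret):
    """Keyed hash with a per-day key, so one device gets a new token each day.
    Assumption: day keys are discarded afterwards; an operator who keeps
    `secret` can still recompute and link tokens."""
    def daily_hash(mac, date):
        day_key = hmac.new(secret, date.encode(), hashlib.sha256).digest()
        return hmac.new(day_key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return daily_hash

def visit_history(sightings, tokenize):
    """Group sightings by token: everything a backend can link to one token."""
    history = defaultdict(set)
    for date, store, mac in sightings:
        history[tokenize(mac, date)].add((date, store))
    return history

def longest_trail(history):
    """Distinct days linked to the most-observed token (length of the data trail)."""
    return max(len({day for day, _ in visits}) for visits in history.values())

def daily_unique(sightings, tokenize, date):
    """Unique devices seen on one day: the real-time metric that survives rotation."""
    return len({tokenize(mac, d) for d, _, mac in sightings if d == date})

if __name__ == "__main__":
    rotating = make_daily_hash(b"constructed-secret")
    for name, fn in (("plain hash", plain_hash), ("daily-keyed hash", rotating)):
        hist = visit_history(SIGHTINGS, fn)
        print(name, "tokens:", len(hist), "longest trail (days):", longest_trail(hist),
              "unique on 2014-02-17:", daily_unique(SIGHTINGS, fn, "2014-02-17"))
```
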

“Data Trails Are a Form of Pollution”

Mr. Schoen referred to historical consumer data trails as a “form of pollution” in the sense that consumers cannot see the data collection occurring and are not aware of the initial harm, yet the potential harm increases as more data is accumulated over time.  He suggested that concerns over long-term collection will increase as businesses deploy more tracking sensors.  As a result, he believes that industry discussion has been too focused on notice, while ignoring consent.  To address the concern, he proposed a model in which retailers offer apps that users can download if they wish to be tracked, thereby limiting data collection to users who made an affirmative choice to be tracked.

In response, James Risenbach, chief executive officer at iInside, noted that certain members of the mobile analytics industry recently signed on to a Code of Conduct that includes a set of principles that govern the collection and use of mobile device tracking data.  As part of this Code, participating retailers and other firms have agreed to adopt in-store signage to promote consumer awareness of mobile device tracking.  Participating firms will also honor a new program that will enable consumers to opt out of future tracking.

Conclusion

The topic and timing of the seminar provide clear indicators that mobile privacy and data security issues will remain an important area of focus for the Commission in 2014, both in terms of potential policy initiatives and enforcement.  The seminar, along with other upcoming events in the FTC’s Spring Privacy Series, should also serve as a reminder that, to avoid regulatory scrutiny in the year ahead, businesses that collect consumer information should continue to apply the three core recommendations in the Commission’s privacy framework:  “privacy by design”; simplified privacy choices for consumers; and greater transparency about data collection and use.