When the FTC recently cracked down on a vendor that tracks shoppers' movements via their mobile devices and sells the data to retailers, it could have made a statement about what limits and notifications need to be in place. Instead, the FTC, as is its tradition, focused on a narrow phrasing issue, while buying into industry marketing arguments that are truly misleading and dangerous.
Mobile tracking — especially as those results are integrated with other data sources — is arguably the largest potential advance in retailers' attempts to understand (and to then influence) shopper behaviors. It literally can provide a record of every place shoppers visit, how long they stay and where they stand and for how long. If that data is combined with POS data, store security and even parking lot cameras that capture license plates, the possibilities are limitless. Let's say that the mobile device is seen approaching register 15 at 2:09 p.m. and stays there for three minutes. It's not that difficult to look up the transactions at that moment and make a pretty good identification of that shopper.
Tracking vendors go out of their way to stress that they anonymize shoppers by hashing their MAC addresses and replacing them with a different number. Although it's nice that they are not necessarily retaining a database of MAC addresses — then again, anything hashed can be reversed — for privacy purposes, that doesn't help. It's still a static number associated with one device and, presumably, one shopper. Vendors also generally say that they don't identify the shoppers. The question shouldn't be "Are you identifying shoppers?" The question needs to be "Are you selling information to retailers that they can use — by combining your data with other data — to identify shoppers?" That answer is almost always "yes."
Sticking for the moment to this one phrase, it's hard to assign too much blame to Nomi until we know what prompted Nomi to say it. Did Nomi just make it up, hoping that no one would notice? Did Nomi's retailers all tell Nomi that they would put in place such systems, but none of those retailers ever did? Did Nomi include such a requirement in retail agreements, but never tried checking to see if the retailers did what they agreed to do? All three of those scenarios would put Nomi's actions into a very different light.
The FTC complaint took things a little further, by saying that the opt-out "promise implied that consumers would be informed when stores were using Nomi’s tracking technology. The complaint alleges that these promises were not true because no in-store opt-out mechanism was available and consumers were not informed when the tracking was taking place."
I am not so sure that such a promise does imply that. Sometimes, a big sign at the entrance of a mall has alerted shoppers that some merchants inside might track their phones.
First of all, to calculate an opt-out rate, you need to take the universe of beings using the service and compare that with the number of opt-outs. In this case, that would be taking the number of shoppers who were tracked by Nomi and comparing that number — not the number of website visitors — to the 146 opt-outs. One FTC filing said that "Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013." That 9 million figure is what needs to be compared with the 146 opt-outs.
Many of the site visitors are trying to understand the company for a wide range of reasons. In this situation, Nomi had been written about in a New York Times piece, which alone could explain much of that traffic.
This brings us to the real issue. The overwhelming majority of the shoppers who were tracked had no way of knowing they were being tracked, so they therefore had no reason to pursue opt-out. Had there been opt-out stations at every retailer involved—the FTC said Nomi had about 45 retail clients at the time in question — it would have made a difference, but not because of some shopper preference to opt out at a shop versus online. No, it would have made a difference because the existence of a staffed opt-out area — say, perhaps, a table with an associate and a clipboard—would have screamed to shoppers that they were being tracked.
The opt-out procedure, by the way, would have paradoxically required them to submit their phone right then and there for scanning, so they could identify the MAC address that it needs to ignore. That's going to go over well. The shoppers who are privacy-aware enough to want to opt out are unlikely to easily cooperate with such a request.
No retailer would agree to this because it would send the wrong message to shoppers. They like having this happen secretly. And that should have been the FTC's focus.
This article is published as part of the IDG Contributor Network. Want to Join?