When the FTC recently cracked down on a vendor that tracks shoppers' movements via their mobile devices and sells the data to retailers, it could have made a statement about what limits and notifications need to be in place. Instead, the FTC, as is its tradition, focused on a narrow phrasing issue, while buying into industry marketing arguments that are truly misleading and dangerous.
Mobile tracking — especially as those results are integrated with other data sources — is arguably the largest potential advance in retailers' attempts to understand (and to then influence) shopper behaviors. It literally can provide a record of every place shoppers visit, how long they stay and where they stand and for how long. If that data is combined with POS data, store security and even parking lot cameras that capture license plates, the possibilities are limitless. Let's say that the mobile device is seen approaching register 15 at 2:09 p.m. and stays there for three minutes. It's not that difficult to look up the transactions at that moment and make a pretty good identification of that shopper.
Tracking vendors go out of their way to stress that they anonymize shoppers by hashing their MAC addresses and replacing them with a different number. Although it's nice that they are not necessarily retaining a database of MAC addresses — then again, anything hashed can be reversed — for privacy purposes, that doesn't help. It's still a static number associated with one device and, presumably, one shopper. Vendors also generally say that they don't identify the shoppers. The question shouldn't be "Are you identifying shoppers?" The question needs to be "Are you selling information to retailers that they can use — by combining your data with other data — to identify shoppers?" That answer is almost always "yes."
Now let's look at what the FTC used to make its first shopper-mobile-tracking case. The tracking vendor was Nomi Technologies and the accusation is that Nomi made a misleading statement. At issue was Nomi's privacy policy at the time of the 2012 infraction — it should be noted that this was three years ago, which is about 40 years in Internet Mobile Time — and how it told shoppers that they could opt out of the service.
Here's the one line from Nomi's privacy policy — which the FTC published and literally labeled (in true TV lawyer fashion) Exhibit A — that is at issue: "Always allow consumers to opt out of Nomi's service on its website as well as at any retailer using Nomi's technology." The problem, from the FTC's viewpoint? That part about "as well as at any retailer using Nomi's technology" didn't turn out to be true, in that retailers had no mechanism for a shopper to opt out, other than having them go to Nomi's website — which kind of defeats the "as well as" wording.
Sticking for the moment to this one phrase, it's hard to assign too much blame to Nomi until we know what prompted Nomi to say it. Did Nomi just make it up, hoping that no one would notice? Did Nomi's retailers all tell Nomi that they would put in place such systems, but none of those retailers ever did? Did Nomi include such a requirement in retail agreements, but never tried checking to see if the retailers did what they agreed to do? All three of those scenarios would put Nomi's actions into a very different light.
The FTC's position is that none of that matters, according to FTC spokesperson Jay Mayfield. Nomi has to stand behind whatever it says in its privacy policy. If it says a retailer will do something, the onus is on Nomi to make sure it does. As for the particulars, Mayfield said the FTC would not disclose what Nomi told them. And Nomi itself did not respond when Computerworld asked it to clarify what happened.
The FTC complaint took things a little further, by saying that the opt-out "promise implied that consumers would be informed when stores were using Nomi’s tracking technology. The complaint alleges that these promises were not true because no in-store opt-out mechanism was available and consumers were not informed when the tracking was taking place."
I am not so sure that such a promise does imply that. Sometimes, a big sign at the entrance of a mall has alerted shoppers that some merchants inside might track their phones.
A point that is far more on-point in this case was touched on by a dissent from the FTC decision, specifically from FTC Commissioner Joshua D. Wright. Wright's apparently intended point was that Nomi's opt-out system worked well. "Nomi’s website received 3,840 unique visitors during the relevant timeframe and received 146 opt outs — an opt-out rate of 3.8 percent of site visitors. This opt-out rate is significantly higher than the opt-out rate for other online activities," Wright wrote. "This high rate, relative to website visitors, likely reflects the ease of a mechanism that was immediately and quickly available to consumers at the time they may have been reading the privacy policy."
First of all, to calculate an opt-out rate, you need to take the universe of beings using the service and compare that with the number of opt-outs. In this case, that would be taking the number of shoppers who were tracked by Nomi and comparing that number — not the number of website visitors — to the 146 opt-outs. One FTC filing said that "Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013." That 9 million figure is what needs to be compared with the 146 opt-outs.
Many of the site visitors are trying to understand the company for a wide range of reasons. In this situation, Nomi had been written about in a New York Times piece, which alone could explain much of that traffic.
This brings us to the real issue. The overwhelming majority of the shoppers who were tracked had no way of knowing they were being tracked, so they therefore had no reason to pursue opt-out. Had there been opt-out stations at every retailer involved—the FTC said Nomi had about 45 retail clients at the time in question — it would have made a difference, but not because of some shopper preference to opt out at a shop versus online. No, it would have made a difference because the existence of a staffed opt-out area — say, perhaps, a table with an associate and a clipboard—would have screamed to shoppers that they were being tracked.
The opt-out procedure, by the way, would have paradoxically required them to submit their phone right then and there for scanning, so they could identify the MAC address that it needs to ignore. That's going to go over well. The shoppers who are privacy-aware enough to want to opt out are unlikely to easily cooperate with such a request.
No retailer would agree to this because it would send the wrong message to shoppers. They like having this happen secretly. And that should have been the FTC's focus.