An emerging tool for retail shopper insights, under close watch from the survey, opinion and marketing research profession's primary U.S. regulator, has landed a company in hot water.

On April 23, Nomi Technologies, Inc. signed a consent agreement with the Federal Trade Commission (FTC) to settle charges that the company violated Section 5 of the FTC Act with unfair or deceptive practices in the use of its retail shopper location tracking service. The complaint charges that Nomi made false or misleading statements “that consumers could opt out of Nomi’s Listen service at retail locations using this service” and that “consumers would be given notice” when a store was using Nomi’s service. In many instances, according to the FTC, such notice and opt out were not provided at the stores using Nomi’s shopper tracking analytics service.

Shopper insights through location tracking
As the Marketing Research Association (MRA) told the FTC in March 2014, “Instead of asking hundreds of questions of respondents over a series of surveys to tease out their preferences and interests when visiting retail stores, why not just track their real-world behavior once they get there? That is one promise behind the use of location tracking technology in the retail shopper space for research purposes.”

Nomi provides mobile device tracking solutions to brick-and-mortar retail establishments to research and analyze their shopper traffic. According to the FTC's complaint, the company "places sensors in its clients’ retail locations that detect the media access control (“MAC”) address broadcast by a mobile device when it searches for WiFi networks. A MAC address is a 12-digit identifier that is unique to a particular device. Alternatively, in some instances Nomi collects MAC addresses through its clients’ existing WiFi access points." Nomi also apparently collects: the mobile device’s signal strength; the mobile device’s manufacturer (derived from the MAC address); the location of the sensor or WiFi access point observing the mobile device; and the date and time the mobile device is observed.

"Nomi uses the information it collects to provide analytics reports to its clients about aggregate customer traffic patterns,” including “the percentage of consumers merely passing by the store versus entering the store,” average duration of shopper visits, what kinds of mobile devices shoppers are using when they visit, “the percentage of repeat customers within a given time period,” and how many shoppers “have also visited another location within the client’s chain."

Privacy concerns with shopper tracking
Unfortunately, the cutting edge in advanced technology for real world marketing research raises privacy concerns. That is why MRA has advocated since 2012 that consumers should be given notice and a chance to opt out of such tracking. In this case, Nomi tried to deliver just that, but may not have perfectly succeeded.

And it is not the first time that such tracking has come to the attention of policymakers. Senator Chuck Schumer (D-NY), Rep. Jose Serrano (D-NY) and Sen. Al Franken (D-MN) have all gone after companies’ use of such shopper insights tools. So has the state of Maryland. This is also not the first time the FTC has paid attention either, having held a workshop on the technology in February 2014 (upon which MRA filed comments in response).

The FTC contended in its complaint that although Nomi "cryptographically hashes the MAC addresses it observes prior to storing them... the result is still a persistent unique identifier for that mobile device.”

The company claimed in its website privacy policy that it will “Always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” However, while shoppers could opt out from having their specific devices tracked by Nomi, the FTC contends that the company “has not published, or otherwise made available to consumers, a list of the retailers that use or used the Listen service,” nor does Nomi “require its clients to post disclosures or otherwise notify consumers that they use” Nomi’s service. Most “if not all” of the company’s clients posted no notice or disclosure nor did the clients offer a way to opt out.

A rare contentious settlement
The FTC’s consent order with Nomi requires that the company "not misrepresent in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared." The settlement includes five years of related FTC oversight, but the order effectively puts the company under FTC surveillance for the next twenty years.

Interestingly, Nomi contends that it fixed its privacy policy problem a long time ago. The company told Katy on the Hill that they “had already made the recommended changes” that the FTC sought “by updating our privacy policy over a year and a half ago, while we were still an early-stage startup that was less than a year old.”

This is the kind of scenario that Sen. Deb Fischer (R-NE) may have had in mind when questioning the FTC’s privacy and data security settlements in 2014. She warned that “enforcement actions when a market is in a “nascent stage would constitute a de facto tax on innovation,” especially when they involve “pressuring companies into sweeping, multi-decade consent orders” like this one. Nomi might have been able to contest the case in court, but as Wyndham Hotels and Lab MD are finding in their fight against the FTC on data security, that can be a lengthy and harrowing process, too.

Even more interestingly, the FTC settlement with Nomi was a rare one without unanimous support from the Commissioners. Rather like the FTC’s recent report on the Internet of Things, both Commissioners Josh Wright and Maureen Ohlhausen dissented.

Ohlhausen pointed out that “as a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out,” but did anyway. So having caused no consumers any known harm, she didn’t think that Nomi should have been subject to “a de facto strict liability approach to a young company that attempted to go above and beyond its legal obligation to protect consumers but, in so doing, erred without benefiting itself.” Ohlhausen worries that this settlement will only encourage companies to do the “bare minimum on privacy.” And when the FTC provides no reward, only risk, consumers will ultimately be the losers.

Wright similarly felt that “aggressive prosecution of this sort will inevitably deter industry participants like Nomi  from engaging in voluntary practices that promote consumer choice and transparency – the very principles that lie at the heart of the Commission’s consumer protection mission. Nomi was under no legal obligation to post a privacy policy, describe its practices to consumers, or to offer an opt-out mechanism. To penalize a company for such a minor shortcoming – particularly when there is no evidence the misrepresentation harmed consumers – sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.”

Takeaways for survey, opinion and marketing researchers
As stated earlier in this article, Nomi failed to “perfectly” provide notice and opt out. However, they certainly tried. MRA may file comments with the FTC in response to this proposed settlement, broadly concurring with the dissenting Commissioners.

In the meantime, researchers should always remember to do what they say, and say what they mean. Privacy policies are a must, but those policies should reflect your actual practices, since they represent a legal promise to respondents – a promise that the FTC can (aggressively) hold you to.

“It’s vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context,” commented Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in response to the settlement. “If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.”

Also, although we agree with the dissenting Commissioners Wright and Ohlhausen that the data collected by Nomi in this case should not be considered personally identifying, researchers should tread carefully when dealing with location data and device identifiers because of the heightened sensitivity with which activists and policymakers treat such information. Reasonable notice and opt out should be provided to consumers – and if you are involved in mobile device location tracking, you should consider using the opt out system developed by the Future of Privacy Forum to provide consumer choice.

UPDATE: FTC Chief Technologist Ashkan Soltani wrote a lengthy discussion of the privacy trade-offs in retail shopper tracking.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.