The Federal Trade Commission delivered a mixed warning to a
burgeoning segment of the software industry in a settlement
Thursday.
Nomi Technologies, formerly known as Brickstream, a startup that
tracks shoppers in stores and malls on behalf of retailers, agreed
to settle charges that it broke a promise to let consumers opt out
of its tracking and inform them they were being tracked while they
were in retail environments.
But the case, which is the first FTC complaint to be brought
against a company that tracked shoppers in stores, offers a mixed
message to location-tracking companies, whose software tools are
used by many major retailers. For such companies, the lesson may be
to avoid overpromising on their privacy policies rather than to
limit their tracking of shoppers.
Nomi, like similar startups including Euclid, SOLOMO, Radius
Networks, ilnside, and Turnstyle Solutions, monitors foot traffic
into and out of stores via Bluetooth or Wi-Fi signals from
shopper's smartphones. Such companies can tell how many consumers
passed by a store without entering, how many entered, how long they
stayed, the types of mobile devices they used, how many were repeat
customers, and how many had visited other locations of a given
retail chain.
Nomi collected signals from individual phones, but like many of
its competitors, it aggregated the data, providing stores with
reports that compared traffic over time. While such data isn't
considered "personally identifiable information"--legal parlance
for information that can identify a specific person, which is
protected under privacy laws--the FTC has said that privacy
protections can extend to "data that can be reasonably linked to a
specific consumer, computer, or device," such as the 12-digit MAC
address that is specific to a device. Companies that monitor Wi-Fi
signals necessarily collect these codes.
Nomi actually went further than the competition when it came to
protecting user privacy. It scrambled the Wi-Fi signals it
collected, making it harder for employees, clients, and hackers to
trace a signal back to a specific device. It also pledged in a
privacy policy to "always allow consumers to opt out of Nomi's
service on its website, as well as at any retailer using Nomi's
technology."
Nomi's pledge went beyond a code of conduct signed recently by
12 location-tracking startups. These companies volunteered to
promote in-store signs about tracking and opportunities to opt out,
but weren't required to do so.
Location tracking is reportedly being used by many major
retailers, said Jules Polonetsky, executive director and co-chair
of the Future of Privacy Forum, a privacy advocate sponsored by the
tech industry. But few retailers post signs. Nordstrom posted a
sign disclosing location-tracking in 2013 as part of a test,
according to a report in The Wall Street Journal. However, the
company fielded some complaints and eventually canceled the
test.
The pledge got Nomi into hot water, because its merchant
customers never posted in-store signs, the FTC said in a statement.
Nomi's "promises were not true because no in-store opt-out
mechanism was available, and consumers were not informed when the
tracking was taking place," the statement said. Nomi did offer the
ability to opt out on its website, where shoppers and others
wouldn't see it unless they visited the site unprompted. The agency
said Nomi collected information on about 9 million mobile devices
in the first nine months of 2013.
Unusually, two of the five FTC commissioners disagreed with the
decision to charge the company. Nomi is a "young company that
attempted to go above and beyond its legal obligation to protect
consumers but, in doing so, erred without benefiting itself,"
Commissioner Maureen Ohlhausen wrote in a dissent.
Under the terms of the settlement, Nomi is prohibited from
misrepresenting consumers' options for controlling whether and how
information is collected or shared. The company neither admitted or
denied any allegations named in the complaint.
A Nomi spokesman said in an email the company was "pleased to
reach this agreement." The statement said, "We continually review
our privacy policies to ensure that they follow best practices and
had already made the recommended changes in pursuit of that goal by
updating our privacy policy over a year-and-a-half ago, while we
were still an early-stage startup that was less than a year
old."
Harriet Pearson, a partner in the Washington, D.C., office of
law firm Hogan Lovells and former chief privacy officer of IBM,
said the takeaway from the case is to avoid overpromising. "Today's
action is another example of why, from startups to the Fortune 100,
companies must mind the gap between what they say and what they do
with data about consumers, " Pearson said.
Marc Rotenberg, president of the privacy advocacy group
Electronic Privacy Information Center, said that lesson highlighted
the limitation of the FTC's ability to protect consumer privacy. In
the current legal framework, "it is easier to go after companies
that make promises they fail to keep than to go after companies
that make no promises at all," he said.
Write to Elizabeth Dwoskin at elizabeth.dwoskin@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires