By Mary Ellen Callahan and Sabrina Guenther
On April 23, 2015, the Federal Trade Commission entered into its first consent decree with an in-store consumer tracking company over allegations that the company deceptively failed to provide consumers with notice and choice regarding its tracking at client retailers.
According to the FTC’s complaint, Nomi Technologies, Inc., (Nomi) uses both its own sensors and its retail clients’ Wi-Fi access points to collect information about unique mobile devices, including the MAC address, the device manufacturer, the device’s signal strength, the location of the sensor or Wi-Fi access point observing the device, and the date and time the device is observed. Nomi had promised in its privacy policies that consumers would be notified when a retailer used its tracking services and that consumers could opt out of the tracking using either Nomi’s opt-out tool on its website or at the retailer. The FTC alleged that, despite those promises, consumers were not informed when a retailer used Nomi’s tracking services and were not offered a choice to opt out of tracking at the retailer. Nomi agreed in the consent decree not to misrepresent the choices consumers will have – or the notice they receive – about the collection, use, disclosure or sharing of information collected about them or their computers or devices.
The FTC’s focus on Nomi centers on allegations of deceptive practices. The lessons businesses can learn from such allegations remain fairly simple even in the context of new and burgeoning technologies, such as in-store tracking – Do what you say, and say what you do. Nonetheless, the FTC’s allegations offer new light on how the FTC may approach businesses’ data privacy practices, both in the retail space as well as more generally. Link to full Client Alert