FTC Censures Nomi for Secretly Tracking Consumers in Stores

Score one for consumer privacy: The Federal Trade Commission has censured Nomi Technologies for tracking mobile shoppers without their consent. In fact, the FTC said that Nomi collected information on about nine million mobile devices within the first nine months of 2013.

Nomi’s technology allows retailers to track consumers’ movements through retail stores. The FTC said in its complaint that it misled consumers with promises in its privacy policy that it would provide an in-store mechanism for consumers to opt out of that; and it also said that Nomi failed in its promise that consumers would be informed when locations were using Nomi’s tracking services.

The complaint is the FTC’s first against a retail tracking company.

“It’s vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in a statement. “If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.”

Nomi, according to the complaint, places sensors in its clients’ stores that collect the MAC addresses of consumers’ mobile devices as the devices search for Wi-Fi networks. MAC addresses are unique 12-digit identifiers that are assigned to individual mobile devices. Although Nomi “hashes” the MAC addresses prior to storing them, the hashing process still results in an identifier that is unique to a consumer’s mobile device and can be tracked over time.

The complaint alleges that Nomi tracked consumers both inside and outside their clients’ stores, tracking the MAC address, device type, date and time the device was observed, and signal strength of consumers’ devices. In reports to clients, Nomi provided aggregated information on how many consumers passed by the store instead of entering, how long consumers stayed in the store, the types of devices used by consumers, how many repeat customers enter a store in a given period and how many customers had visited another location in a particular chain of stores.

The company’s privacy policy however said that it “pledged to… always allow consumers to opt out of Nomi’s service on its website, as well as at any retailer using Nomi’s technology.” While the company did provide an opt-out on its website, the complaint alleges that no such option was available at retailers using the service, and that consumers were not informed of the tracking taking place in the stores at all.

Under the terms of the settlement with the FTC, Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.

What’s Hot on Infosecurity Magazine?