
Technology Firm's Consent Agreement With The FTC Highlights The Spying On Consumers By Brick-And-Mortar Retail Stores

Everyone knows that their activity is tracked online at websites and via mobile apps. Are consumers tracked in physical brick-and-mortar retail stores? The consent agreement between Nomi Technologies and the U.S. Federal Trade Commission (FTC) sheds some light on the tracking and data collection that occurs in physical retail stores.

The FTC Complaint (Adobe PDF) described how Nomi Technologies operates:

"Nomi uses mobile device tracking technology to provide analytics services to brick and mortar retailers through its “Listen” service. Nomi has been collecting information from consumers’ mobile devices to provide the Listen service since January 2013. Nomi places sensors in its clients’ retail locations that detect the media access control (“MAC”) address broadcast by a mobile device when it searches for WiFi networks. A MAC address is a 12-digit identifier that is unique to a particular device..."

So, when consumers use a retail store's WiFi hotspot, Nomi's Listen technology collects the device's signal strength, device manufacturer, date, time, and the device's geo-location data. Combined together, these data elements describe and track each consumer's movement through the physical store. The complaint also described the data collection:

"Nomi cryptographically hashes the MAC addresses it observes prior to storing them on its servers. Hashing obfuscates the MAC address, but the result is still a persistent unique identifier for that mobile device. Each time a MAC address is run through the same hash function, the resulting identifier will be the same... As a result, while Nomi does not store the MAC address, it does store a persistent unique identifier for each mobile device. Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013."
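The persistence the complaint describes, shown as an added example (not code from the FTC complaint or from Nomi): SHA-256 is assumed as the hash function, the observations and key are constructed, and `daily_id` is a hypothetical day-scoped keyed variant included only for contrast.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sensor observations: (day, MAC address as captured).
OBSERVATIONS = [
    ("2013-03-01", "AA:BB:CC:11:22:33"),
    ("2013-03-01", "aa-bb-cc-44-55-66"),
    ("2013-03-02", "aa:bb:cc:11:22:33"),  # first device again, other notation
    ("2013-03-09", "AA:BB:CC:11:22:33"),
]
DAILY_SECRET = b"constructed-demo-key"  # placeholder; a real key stays secret

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def static_id(mac, day=None):
    """Unsalted hash (SHA-256 assumed): same output on every visit."""
    return hashlib.sha256(normalize(mac).encode()).hexdigest()

def daily_id(mac, day):
    """Keyed hash bound to the day: stable within a day, different across days."""
    msg = f"{day}|{normalize(mac)}".encode()
    return hmac.new(DAILY_SECRET, msg, hashlib.sha256).hexdigest()

def days_seen(observations, make_id):
    """Map each stored identifier to the set of days it was observed."""
    seen = defaultdict(set)
    for day, mac in observations:
        seen[make_id(mac, day)].add(day)
    return dict(seen)

def repeat_visitors(observations, make_id):
    """Count identifiers observed on more than one day."""
    return sum(1 for d in days_seen(observations, make_id).values() if len(d) > 1)

if __name__ == "__main__":
    print("static hash :", repeat_visitors(OBSERVATIONS, static_id), "repeat device(s)")
    print("daily keyed :", repeat_visitors(OBSERVATIONS, daily_id), "repeat device(s)")
```

With the static hash, the stored records alone link one device across all three days even though no MAC address is kept; the day-scoped variant removes that linkage and, with it, any cross-day reporting.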

The FTC focused upon the consumer notice, opt-out, and data retention issues:

"Nomi does not require its clients to post disclosures or otherwise notify consumers that they use the Listen service. Through October 22, 2013, most, if not all, of Nomi’s clients did not post any disclosure, or otherwise notify consumers, regarding their use of the Listen service. Nomi provided, and continues to provide, an opt out on its website for consumers who do not want Nomi to store observations of their mobile device. Once a consumer has entered the MAC address of their device into Nomi’s website opt out, Nomi adds it to a blacklist of MAC addresses for which information will not be stored. Nomi did not make an opt out available through any other means, including at any of its clients’ retail locations."

The Complaint explained further the opt-out problems for consumers that don't want to be tracked:

"In order to opt out of the Listen service on Nomi’s website, consumers were required to provide Nomi with all of their mobile devices’ MAC addresses, without knowing whether they would ever shop at a retail location using the Listen service. Consumers who did not opt out on Nomi’s website and instead wanted to make the opt out decision at retail locations were unable to do so, despite the explicit promise in Nomi’s privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used."

The FTC news release described the terms of the consent agreement, which focused upon the notice, opt-out access and data collection issues:

"... Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices... The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 25, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically."

Who is Nomi? According to the company website, its management team includes:

  • President and CEO: Steve Jeffrey
  • Founder and Chief Strategy Officer: Amir Hudda
  • Founder and Chief Marketing Officer: Marc Ferrentino
  • Chief Technology Officer: Ralph Crabtree
  • SVP Global Retail Big Box And Grocery: Steve Hornyak

Another problem I see: you don't need to enter a brick-and-mortar retail store to be tracked. Maybe you are dining outside, waiting for a ride pickup, smoking a cigarette, or waiting for a shopper inside. Connect to the retailer's WiFi hotspot and you'll likely be tracked. We know this from the analytical reports Nomi produces for its retail clients. The FTC Complaint described five types of analytical reports:

"A. the percentage of consumers merely passing by the store versus entering the store; B. the average duration of consumers’ visits; C. types of mobile devices used by consumers visiting a location; D. the percentage of repeat customers within a given time period; and E. the number of customers that have also visited another location within the client’s chain."

What are consumers to make of this? I see five things:

  1. Your smartphone is a blabbermouth. So are your tablet and laptop. Know how to turn off the geo-location tracking features in your phone.
  2. Decades ago, a prominent economist warned, "there's no such thing as a free lunch." That advice still applies today, and especially with "free" WiFi hotspots.
  3. Just like government spy agencies, retailers and technology companies will conduct surveillance on consumers without notice. (Learn about the five ways retail stores spy on shoppers.) Retailers know that at least half of adult shoppers use their phones while in their stores. Demand to see the retailer's brick-and-mortar notices and an opt-out from any tracking. Shop elsewhere if you don't like the responses you receive. Tell your elected officials that legislation is needed to ensure notice at brick-and-mortar stores.
  4. I wonder what the twisted logic is for retail executives to decide to spy on their customers and not provide any notice or opt-out mechanisms. It raises ethical questions. What else are they hiding? What other activities in their business processes abuse consumers?
  5. I also wonder about children's online privacy or COPPA. Why? First, 24 percent of teens are online constantly and 92 percent go online daily. So, it seems safe to assume similar usage statistics for children younger than 13. Second, many large supermarket chains provide dining areas for shoppers to eat prepared foods. At the large stores near me, these dining areas are popular hangout spots for students after school lets out.

In my view, there is enough blame to go around. There's enough blame for both retailers and technology firms that choose to spy in these shady and ethically-questionable manners. Companies and retailers already notify online visitors, typically with Terms of Use and Privacy policies at websites. Similar notices should be provided offline to brick-and-mortar shoppers.

Which retail store chains use Nomi's services? Which retail stores decided to treat their customers (and prospective customers) in such a poor fashion? Nomi isn't saying:

"Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013... Through October 22, 2013, Nomi’s Listen service had approximately 45 clients. Some of these clients deployed the service in multiple locations within their chains. Nomi has not published, or otherwise made available to consumers, a list of the retailers that use or used the Listen service."

Hornyak's title provides a clue. A good bet is that retail stores or grocery chains that terminated their loyalty-card programs probably use Nomi's Listen (or a competitor's equivalent) service. That way, the retailer can track everyone: customers who would have joined their loyalty program, customers who wouldn't have joined the loyalty program, and prospective customers. The cost savings from the terminated loyalty-card program are probably used to pay Nomi's fees.

What are your opinions of the tracking and data collection? Of the consent agreement? If you submitted comments to the FTC, please share below. Do you know of any retail stores that terminated their loyalty card program?



Chanson de Roland

In addition to opting out of tracking by retail stores, there is another effective measure which defeats all tracking and data collection from one's phones and smartphones and other computers. That is to use a Faraday Bag to encase one's phones and smartphones. But, of course, a Faraday Bag (Bag) has the big disadvantage of transforming one's mobile phone into a phonebooth that can receive and send communications only when it is out of the Bag. But the upside is that the Bag effectively gags your blabbermouth of a phone and makes it silent.
