FTC Settles with Retail Tracking Company that Made Privacy Policy Promises It Couldn’t Keep

Last week, the Federal Trade Commission announced its first settlement with a retail tracking company, resolving allegations that Nomi Technologies, Inc., a micro-location platform that provides analytics services to retailers through its product Listen,” failed to abide by several promises it made in its privacy policy. Under the terms of the agreement, Nomi is prohibited from misrepresenting the options it provides to consumers to control whether and how their information is collected, used, disclosed, or shared.

Listen, which serves approximately 45 retailer clients, uses a retailer’s in-store Wi-Fi to collect statistical information from customers’ mobile devices and provide aggregate customer traffic pattern reports to the retailer. According to the FTC’s complaint, Nomi’s privacy policy represented that the company would provide an opt-out mechanism for customers on the Nomi website and at any retail location, implying that customers would be notified when stores were using the technology. The FTC alleges, however, that, not only did Nomi and the retailers fail to notify customers when stores were using Listen, but no in-store opt-out mechanism was ever available. As a result, Nomi allegedly tracked customers both inside and outside of stores by their MAC address, device type, date and time, and signal strength, and provided aggregate information to its clients, such as the percentage of repeat customers and the average duration of customer visits. In particular, the complaint alleges that Nomi collected information on approximately nine million mobile devices within its first year of operation.

This consent order reminds companies that they have a responsibility to abide by the promises made in their privacy policies, even when dealing with new and emerging technology such as retail tracking. One way to avoid making this mistake is to evaluate and confirm how data are collected and likewise confirm that the privacy policy representations are consistent with practices. Additionally, mindful that business practices evolve, companies should periodically review and consider revising privacy policy statements to keep those statements accurate.