Decision on Nomi Listen Service Privacy Policy Splits FTC

Retailers are listening to their customers’ smart phones, and that’s a problem, the majority of the Federal Trade Commission (FTC) found.

The issue concerns a company that provided a program that secretly tracked customer movements in and around stores using their smart phones and not telling customers they are being tracked, even though the company’s privacy policy requires such notification.

By a vote of 3-2, the FTC published a proposed consent decree with Nomi Technologies, Inc. relating to its tracking software and privacy policy.  The software allows retailers to collect data from shoppers’ smart phones so that the customers can be tracked as they walk through—or even by—a store by capturing the MAC address of the device.  The MAC addresses are then encrypted, but the resulting encryption still can identify individual phones.  Thus the information can identify when a customer enters a store, the duration of his visit, the type of mobile device he is carrying, the number of times he returns, and the number of times the customer visits another of the chain’s stores.  The company argued that the software allows merchants to improve store layouts and reduce customer wait times.

The issue the FTC faced was Nomi’s privacy policy published on its website.  It stated that “privacy is our first priority.”  It promised customers that they could opt out of the tracking through its website “as well as at any retailer using Nomi’s technology.”  The problem was that no retailer posted that it was using Nomi’s technology, so customers had no way to know they were being tracked, let alone become aware that they could stop the tracking.  The company has never disclosed which retailers uses its Listen service.

The FTC majority noted Nomi’s “promise was false.  At no time during the nearly year-long period that Nomi made this promise to consumers did Nomi provide an in-store opt out at the retailers using its service.  Moreover, the express promise of an in-store opt out necessarily makes a second, implied promise:  that retailers using Nomi’s service would notify customers that the service was in use.  This promise was also false.  Nomi did not require its clients to provide such a notice.  To our knowledge, no retailer provides such a notice on its own.”

One dissenting commissioner noted that Nomi’s “Listen service can generate potentially valuable insights about aggregate in-store consumer traffic patterns, such as the average duration of customers’ visits, the percentage of repeat customers, or the percentage of consumers that pass by a store rather than entering it.”  Because the program aggregated the information, the commissioner argued that it did not individually track them.  The dissent noted that after the New York Times wrote a story about the program, the Nomi website received 148 opt-out requests, so consumers “interested in opting out of the Listen service took their first opportunity to do so.”  The dissent said the company should not be penalized “for such a minor shortcoming.”

The public has 30 days to file comments with the FTC on the proposed settlement.

In the Matter of Nomi Technologies, Inc., FTC File No. 132 3251, issued April 23, 2015.