Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC’s Latest Location-Tracking Settlement Reminds Companies to Mind Any Gap Between What They Say and What They Do

ftc-logoOn April 23, the FTC accepted an administrative consent order with Nomi Technologies, Inc., which uses mobile device tracking technology to provide analytics services to retailers through its “Listen” service.  At first blush, the action appears to involve a straightforward alleged misrepresentation in a privacy policy, but the two dissenting statements from Commissioner Wright and Commissioner Ohlhausen reveal more complex legal and policy issues.  The settlement provides useful insights into how the current Chairwoman and Commissioners view deception cases on data privacy issues.  It also affirms that a company’s public statements must be accurate, but suggests that voluntary promises relating to privacy should be made cautiously.  

The Complaint

According to the complaint issued along with the order, Nomi places sensors in its retail store clients’ stores that collect the MAC addresses of consumers’ mobile devices as the devices search for Wi-Fi networks.  It hashes the MAC address, but according to the complaint, the result is still a persistent unique identifier for the mobile device that can be tracked over time.   Nomi uses the information to provide analytics reports to its clients about aggregate customer traffic patterns such as the percentage of consumers passing the store without entering, the duration of consumer visits, the types of mobile devices used by consumers, as well as the percentage of repeat customers and the number of customers that also visited another location within a chain according to the complaint.

From November 2012 to October 2013, Nomi’s privacy policy on its website included the following statement:

Nomi pledges to . . . [a]lways allow consumers to opt out of Nomi’s service on its website as well as any retailer using Nomi’s technology.

There is no dispute that Nomi provided, and continues to provide, an opt-out on its website for consumers who do not want Nomi to store observations from their mobile devices.  The Commission’s complaint alleged, however, that not all of Nomi’s retail customers permitted users to opt out in the retail locations, and that as a result Nomi’s privacy policy misrepresented that: (1) consumers could opt out of Nomi’s Listen service at retail locations, and (2) that consumers would be given notice when a retail location was utilizing Nomi’s Listen service.

The Order

The proposed order, agreed to by three of the five FTC commissioners, prohibits Nomi from misrepresenting the options through which or the extent to which consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

The order will be made final by the Commission after the comment period.  Based on the comments, the Commission may choose to modify the order, but that rarely happens absent a misunderstanding of the facts or the application of the order.

The Dissents

Commissioners Wright and Ohlhausen dissented from the decision to accept the order, arguing that the Commission should have exercised its prosecutorial discretion to refrain from bringing this action.  In addition, Commissioner Wright expressed his view that the alleged misrepresentation was not material, an essential element of a finding of deception under Section 5 fo the FTC Act.  The claim from Nomi’s privacy policy at issue is an express claim, which the majority of Commissioners presumed to be material.  Commissioner Wright, however, stated in his dissent that the presumption of materiality in this case was rebutted by the fact that after The New York Times published an article about Nomi, the Nomi website received 3,840 unique visitors and received 146 opt-outs, which represent a higher opt-out rate than the opt-out rate for other online activities.  He further opined that he does not believe that privacy-sensitive consumers who read the online privacy policy—and thus the ones the majority of Commissioners found were deceived—would chose to forgo the opportunity to opt out online and instead choose to opt out in a retail location.

In a separate dissent, Commissioner Ohlhausen expressed her view that the Commission “should not apply a de facto strict liability approach to a young company that attempted to go above and beyond its legal obligation to protect consumers but, in so doing, erred without benefiting itself.”  She also recommended that the Commission should use its limited resources to pursue cases that involve consumer harm, and agreed with Commissioner Wright that the evidence of consumer harm was sparse in this case.

Chairwoman Ramirez and Commissioners Brill and McSweeny wrote separately supporting the Commission’s action, and found Nomi’s failure to provide both opt-out methods as represented in its privacy policy material.  Further, they asserted that once the representation was made, Nomi had a legal obligation to fulfill the promise.  They also expressed concern for those consumers who may have visited Nomi’s website with the intention of opting out of tracking, but instead decided to wait until they visited which actual retail locations used the service.

The Nomi settlement affirms again the importance of ensuring that a company’s public statements are accurate.  The dissents provide useful insights into how Commissioners Wright and Ohlhausen will view future deception actions in terms of establishing materiality and articulating consumer harm.

Katherine Armstrong, Counsel in our Washington, D.C. office, contributed to this post.