FTC action against Nomi a warning to retailers on privacy

The Federal Trade Commission filed a complaint against Nomi Technologies Inc. on April 23, 2015, sending a clear message to retailers on the need to align privacy policies with business practices. The complaint alleges the data analytics firm misrepresented its consumer opt-out policy and that retail clients using its service did not notify store visitors they were being tracked or offer consumers the opportunity to opt out of in-store surveillance. Nomi, acquired in 2014 by Norcross, Ga.-based Brickstream Corp., is said to be the first data analytics company to integrate video, Wi-Fi, and iBeacon technologies into an in-store analytics and marketing platform. Event-based pop-up stores and brick-and-mortar retailers can use Nomi sensors and interactive software to send targeted advertising to consumers and track their real-time spending behavior, Nomi stated. Brickstream and Nomi had reportedly deployed more than 125,000 sensors to approximately 45 major retailers worldwide by October 2013. Retail clients use the Nomi platform to gather intelligence on customer behavior and increase spend through targeted mobile ad campaigns.

Nomi’s Listen service

Nomi’s Listen service, established in January 2013, collects mobile phone data, including each phone’s unique 12-digit media access control (MAC) address, which is broadcast when the mobile device connects with or searches for a Wi-Fi network. Nomi compiles reports for retail clients from aggregated mobile phone data. The resulting charts and graphs measure customer traffic patterns, average duration of customer visits, the types of mobile devices customers use, and percentage of repeat visits as well as visits to other locations in a store’s chain. While Nomi cryptographically hashes the MAC addresses it stores, hashed data contains “persistent identifiers” unique to each mobile device that can be tracked across multiple locations. The FTC’s complaint claims that even though Nomi doesn’t store MAC addresses, the service “does store a persistent unique identifier for each mobile device,” and that approximately 9 million unique mobile identifiers were stored between January and September 2013.

Opt-out sins of omission

The FTC complaint also takes aim at ambiguities in Nomi’s opt-out policy, claiming the following are unfair and deceptive practices that violate the Federal Trade Commission Act:

• Nomi doesn’t publish a list of its clients, so consumers have no way of knowing whether they shop at a participating store.

• Consumers who would prefer not to be tracked at participating retailers need to visit the Nomi site and provide all of the MAC addresses of their mobile devices, without ever knowing if they will shop inside Nomi’s digital footprint. Many consumers are not aware of Nomi or its website.

• Nomi’s privacy policy pledges to always “allow consumers to opt out” of Nomi’s service on its website as well as at any retailer using Nomi’s technology. However, consumers who shop at participating retailers do not receive an opt-out message when they enter participating stores.

Proposed settlement and restrictions

The FTC complaint is open to commentary during a 30-day review period in which interested parties can contact the FTC and post comments on the agency’s website. Proposed settlement terms mandate that Nomi’s tracking policies must be consistent with its opt-out pledge and policy.

Other settlement provisions include a five-year probation period giving the FTC a chance to respond to “all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to the conduct prohibited by this order and any responses to such complaints.”

Subsequent to the FTC, Nomi stated it had proactively adjusted its opt-out pledge, which had been put in place in 2013 when the company was in startup mode. The fact that Nomi no longer promises an opt-out mechanism to consumers is broadly interpreted by legal analysts to mean that the company no longer violates FTC rules and guidelines.

Privacy’s dubious future

The FTC’s actions have fueled debate in the retail community about appropriate use of technologies that gather data on consumer and human behavior. Many retailers are concerned that opt-out messages might alarm their customers, creating concerns about their privacy.

Nordstrom Inc. participated in a pilot in 2013 with Euclid, a data analytics company that uses iBeacon technology to gather data from consumers’ mobile phones. All Nordstrom test locations had posted signs, advising customers who preferred not to be tracked to turn off their mobile phones.

Savvy consumers who are aware of emerging trends in data analytics may exercise their right to opt out of being tracked by visiting Nomi, Euclid and other data analytics websites and providing all of their mobile device MAC addresses. Payments and retail analysts predict that such opt-out mechanisms, like their annual privacy message predecessors, will be mostly overlooked by consumers.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.