Retail-Tracking Service Provider Nomi Technologies Settles FTC Complaint Over False Statement in its Privacy Policy
Last week, the Federal Trade Commission announced a complaint against and proposed settlement with Nomi Technologies, Inc.* (“Nomi”), based on allegations that Nomi included a false representation in its Privacy Policy. Nomi is an analytics provider offering services to brick-and-mortar retail locations through its “Listen” service. To provide the service, Nomi utilizes beacons placed within its clients’ retail locations (or, in some cases, integration with a client’s existing WiFi network). The beacon or WiFi access point collects information from a physically proximate mobile device when the device searches for a WiFi connection, including the device’s MAC address and its WiFi signal strength. Nomi also identifies the location of the sensor that observed the mobile device and records the date and time of the interaction. (Nomi does not retain the MAC addresses as collected, instead hashing each MAC address and storing the resultant persistent identifier, which is then used to identify future interactions with the same mobile device.)
According to the FTC’s complaint, “Nomi uses the information it collects to provide analytics reports to its clients about the aggregate customer traffic patterns such as: [i] the percentage of consumers merely passing by the store versus entering the store; [ii] the average duration of consumers’ visits; [iii] types of mobile devices used by consumers visiting a location; [iv] the percentage of repeat customers within a given time period; and [v] the number of customers that have visited.”
The FTC’s complaint rested not on the act of collection/tracking itself, but on a particular representation that Nomi made in its Privacy Policy between November 2012 and October 2013. During that time, Nomi’s Policy stated: “Nomi pledges to… Always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi did – at all relevant times – offer an online opt-out mechanism for those consumers who did not want Nomi to store observations regarding their mobile devices. However, at no time during this period did Nomi offer an in-store opt-out mechanism. In addition, the complaint noted that Nomi had approximately forty-five clients by October 2013 and alleged that it neither published a list of those clients, nor required the clients to post disclosures or otherwise notify their own retail customers regarding in-store use of the Listen service.
In its complaint, the FTC alleged that this statement in Nomi’s Privacy Policy violated the FTC Act in two ways. First, as no in-store opt-out mechanism was at any point offered, the FTC alleged that the statement itself was, on its face, false or misleading. Second, the FTC alleged that Nomi’s statement regarding the availability of an in-store opt-out mechanism was effectively a representation that “consumers would be given notice when a retail location was utilizing Nomi’s Listen service.” Since neither Nomi nor its clients provided such notice, the FTC alleged that this implicit representation was also false or misleading.
The proposed settlement requires Nomi to “not misrepresent, in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.” It also requires Nomi to adhere to certain record-keeping and reporting requirements.
Of note, the vote to issue the complaint and accept the consent decree from Nomi was split 3-2, with Commissioners Ohlhausen and Wright each issuing a dissent. Commissioner Wright argued that the FTC should have refrained from bringing an action against Nomi due to the immateriality of the misrepresentation and the lack of evidence of consumer harm. Commissioner Wright argued that “[a] representation simply cannot be deceptive under the long-standing FTC Policy Statement on Deception in the absence of materiality.” The Commissioner expressed doubt that Nomi’s statement about the availability of an in-store opt-out mechanism would have caused a consumer reading the Privacy Policy and interested in opting out to alter his or her behavior (i.e., to wait to opt-out in store rather than doing so immediately online) and that, without the potential to influence consumer conduct, the statement was immaterial and therefore not deceptive. Commission Wright also noted that, even if the statement at issue were deceptive, Nomi was under no legal obligation to offer an opt-out mechanism prior to the consent decree and that the consent decree does not impose such an obligation. He argued that the FTC’s choice to bring an action against Nomi here “sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.”
In her own dissent, Commissioner Ohlhausen similarly argued that the FTC should have exercised prosecutorial discretion and declined to bring this action against Nomi, based on the lack of evidence of consumer harm and the potential chilling effect to other businesses. Per Commissioner Ohlhausen: “I fear that the majority’s decision in this case encourages companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.”
Notwithstanding the disagreement among the FTC’s Commissioners regarding the merits of this particular action, service providers offering mobile location analytics services and retailers utilizing such services should note the FTC’s interest in this topic. More generally, the Nomi action is an important reminder for all entities operating online: in considering your online Privacy Policy, remember always that it is important to say what you do and equally important to do what you say.
_____________________
* Nomi was acquired by Brickstream Corp. in October 2014 and the combined entity now operates as Nomi Corporation.
_____________________
RELATED LINKS:
Dissenting Statement of Commissioner Wright
Dissenting Statement of Commissioner Ohlhausen
Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny