The FTC has now settled with a New York startup that stealthily tracks the movements of Americans around stores using their smartphones' Wi-Fi signals.
The regulator alleged [PDF] in late 2013 that Nomi Technologies broke the FTC Act by not being totally upfront with shoppers.
Nomi's Listen service is used by retail chains to analyze footfall: managers place throughout their stores Nomi Wi-Fi hotspots that pinpoint citizens' handhelds and log their physical whereabouts.
Shoppers are identified by their gadgets' MAC addresses. The gathered data highlights which shelves and aisles are browsed, how long people spend in the stores, and the number of people walking past a storefront without entering.
Between January and September 2013, Nomi's technology amassed records on nine million handhelds. By October that year, the upstart had 45 clients using the tech, although it won't say who they are.
Nomi tries anonymizing customers by running their MAC addresses through a hash function, but seeing as each address always produces the same hash, each shopper is more or less uniquely identified in the upstart's database. The biz compiles the data into stats for retailers to crunch.
Nomi ran afoul of the FTC by claiming it had a clear and obvious opt-out mechanism for souls who still believe that privacy exists on this planet. The FTC alleged in its formal complaint that Americans can only truly opt out and avoid being spied on if they find Nomi's website and add their MAC addresses to a blacklist.
But shoppers often have no idea Nomi's technology is present in a given store – so the offer of an opt-out is worthless.
"The acts and practices of respondent as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act," the watchdog claimed.
Under the terms of a settlement [PDF] published on Thursday, Nomi no longer claims citizens can opt-out of the system. Of course, people can opt-out of the technology via the web, but it's deemed to be so hidden, there's no point making claims online and in store that it exists. And that's all above board, it seems.
Also, for the next five years, Nomi must keep copies of its documents and public statements regarding the Listen service as well as any complaints it receives. A second provision of the deal requires Nomi to inform and train employees on the order, and how to avoid violating it for the next 10 years. The settlement will be valid for a period of 20 years, during which any repeat violations could land it a fine of up to $16,000 per cockup.
In a statement, Nomi said: "We are pleased to reach this agreement. We continually review our privacy policies to ensure that they follow best practices, and had already made the recommended changes." ®
Sponsored: Webcast: Simplify data protection on AWS