Privacy & Information Security Law Blog

On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.

Nomi provides a customer analytics service called “Listen” to brick and mortar retailers through the use of mobile device tracking technology. As part of this service, Nomi deploys sensors to its clients’ retail locations to help track consumers’ movements through their stores. According to the FTC complaint, these sensors detect the media access control (“MAC”) address of mobile devices searching for WiFi networks at the locations in order to collect information about customer traffic. Notably, the FTC alleged that despite Nomi using a hashing technique to obfuscate the MAC address of each consumer’s mobile device, the hash still constituted a persistent unique identifier for that mobile device that allowed the company to track consumers.

According to the FTC’s complaint, Nomi collected information on about nine million mobile devices within the first nine months of 2013. The complaint also alleged that during this time, consumers had the ability to opt out of Nomi’s service through the company’s website, but could not opt out at the retail locations that used the Listen service despite an explicit promise in Nomi’s privacy policies that consumers could opt out at the retail locations. From at least November 2012 until October 22, 2013, Nomi’s privacy policies on its websites allegedly represented that the company “pledges to . . . [a]lways allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.”

Based on this single statement in the company’s privacy policies, the FTC claimed that Nomi had engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act as a result of the company’s failure to (i) provide an in-store opt-out mechanism for its tracking service at its clients’ retail locations, and (ii) disclose to consumers that the service was being used at a retail location.

The FTC’s vote to issue the complaint and accept the proposed consent order was 3-2, with Commissioners Maureen K. Ohlhausen and Joshua D. Wright dissenting. The consent order prohibits Nomi from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about the company’s information practices.