FTC complains retail tracking firm didn't notify customers

Nomi falsely told customers they could opt out of tracking, the agency says

A company that tracked retail store customers through their smartphones without notifying them and without giving them a chance to turn off the tracking has settled a U.S. Federal Trade Commission complaint that it didn't live up to its privacy promises.

Retail tracking firm Nomi Technologies stated in its privacy policy from late 2012 that it would provide a customer opt-out mechanism at stores using its tracking services, thus implying that it would notify customers of the tracking efforts, the FTC said. But the company did not give customers an opt-out option and did not notify customers they were being tracked, the agency said Thursday.

Nomi collected information on about 9 million mobile devices during the first nine months of 2013, according to a complaint filed by the agency.

"It's vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement. "If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them."

Nomi, founded in September 2012, said it was pleased to reach the settlement with the FTC. "We continually review our privacy policies to ensure that they follow best practices and had already made the recommended changes in pursuit of that goal by updating our privacy policy over a year and a half ago, while we were still an early-stage startup that was less than a year old," the company said in a statement.

The company also noted that the FTC's two Republican commissioners opposed the agency taking action against the company. There was no consumer harm in the case, Republican Commissioner Maureen Ohlhausen said.

Nomi is a "young company that attempted to go above and beyond its legal obligation to protect consumers but, in doing so, erred without benefitting itself," Ohlhausen wrote in her dissent.

Nomi installs sensors in its clients' stores that collect the MAC addresses of store customers' mobile devices as the devices search for Wi-Fi networks. Nomi partially obscures, or hashes, the MAC addresses before storing them, but the process produces an identifier that is unique to a consumer's mobile device and can be tracked over time, the FTC said.

Nomi tracked consumers both inside and outside their clients' stores, including the device type, date and time and other information, according to the FTC's complaint.

In reports to retail clients, Nomi provided aggregated information on how many consumers passed by the store instead of entering, how long consumers stayed in the store, the types of devices used by consumers, how many repeat customers enter a store in a given period and how many customers had visited another location in a particular chain of stores.

In the settlement with the FTC, Nomi is prohibited from misrepresenting consumers' options for controlling whether information is collected, use or shared about them and their devices. Nomi is also prohibited from misrepresenting how it notifies consumers about its information-gathering practices.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Federal Trade CommissionregulationsecurityMaureen OhlhausenJessica RichNomi Technologiesgovernmentprivacy

More about Federal Trade CommissionFTCIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place