Privacy

FTC Commissioners Divided over Nomi Deception Case

Published: May. 05, 2015

Updated: Oct. 05, 2020

The FTC agreed to settle charges and enter into a consent order with Nomi Technologies, Inc., a company that offers tracking analytics services to brick and mortar retailers. Nomi’s service installs sensors at retail locations and collects the media access control (“MAC”) addresses from consumers’ mobile devices when they attempt to connect with a WiFi network in and around the connected stores. Nomi then hashes this ID and creates its own unique identifier, which it retains along with information such as the device manufacturer, date and time the device was detected, and location of the sensor or WiFi access point. Using this information, Nomi can provide retailers with insights into customer traffic patterns in their store. Although the Commission acknowledged some potential privacy concerns with collection of this type of data, its proposed complaint here turned on allegedly deceptive statements found in Nomi’s privacy policy, which claimed that there would be mechanisms for opting out of this tracking at retail locations. Although Nomi provided an opt-out on its website, no mechanism was implemented at the retailers’ physical locations.

While initially this action appears to be a routine deception case, it is potentially more significant for what the Commission published along with the complaint and consent order. In a departure from most prior cases, two Commissioners (Olhaussen and Wright) published statements dissenting from the decision to bring an action, prompting the Commission majority also to issue a statement of support of its decision.

In explaining his rationale for dissenting, Commissioner Wright focused on the materiality of the alleged misstatement. He did not believe – based on the evidence – that consumers would have found the absence of an opt-out method at the retail stores to be material when such a mechanism was available online. Commissioner Ohlhausen similarly noted in her dissent that as Nomi was a third-party contractor and was not collecting any personally identifiable information, the company did not violate any laws as it had no obligation to offer an opt-out. While she nonetheless acknowledged that the privacy policy contained a partial inaccuracy, she agreed with Commissioner Wright that no consumers were harmed through this misrepresentation. Additionally, both Commissioners suggested that this enforcement action would discourage companies from offering consumers more robust or meaningful privacy choices. Chairwoman Ramirez, and Commissioners Brill and McSweeney responded in their collective statement by taking issue with the evidence offered and emphasizing that as a policy matter, “false [privacy] choices” does a disservice to consumers.

The issuance of the Commissioners’ statements in this case may signal two possible trends. First, the two dissenting commissioners seem increasingly willing to express public disagreement about the policy direction some FTC actions are taking, even at a time when the Commission’s efforts in the privacy and data security space are under particular scrutiny. See, e.g., Dissenting Statements regarding the Commission’s IoT Report from Commissioner Maureen K. Ohlhausen and Commissioner Joshua D. Wright. Second, the commissioners’ decision to respond to the dissents and more fully articulate their rationale may be a direct response to criticism levied against the Commission, in cases such as in Wyndham, for relying too heavily on orders and consent decrees to communicate their expectations regarding data security standards. Hence, the Commission may now choose to take a more proactive and explicit approach to explaining the rationale behind its decisions both in the privacy and data-security space. Whether this more fulsome public discussion becomes routine remains to be seen, but it may be a wise move on the part of the Commission to take the opportunity to explain its analytical process.

As additional evidence of this enhanced guidance, the Commission technologist, Ashkan Soltani, also posted a discussion of this case and some of the concerns with the underlying technology. He noted that identifiers such as the MAC address can reveal a person’s location, where he lives and works, and places he has recently visited. In his discussion, Soltani acknowledged the potential value of gathering these IDs but also flagged the controversial and sensitive nature of the information they can convey. For more information see Privacy trade-offs in retail tracking.

With the FTC’s fall workshop on November 16, 2015 addressing cross-device tracking, there is likely to be more to come on these technologies and their uses.