Your World of Legal Intelligence
 United States | 1-800-335-6202

Nomi Technologies, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

As Enacted ( Federal Register) Cited authorities 3 Cited in Related
Vincent

Federal Register, Volume 80 Issue 84 (Friday, May 1, 2015)

Federal Register Volume 80, Number 84 (Friday, May 1, 2015)

Notices

Pages 24923-24929

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2015-10154

=======================================================================

-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

File No. 132 3251

Nomi Technologies, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment

Page 24924

describes both the allegations in the draft complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before May 25, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/nomitechconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 3251'' on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias (202-326-3334) or Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for April 23, 2015), on the World Wide Web at: http://www.ftc.gov/os/actions.shtm.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before May 25, 2015. Write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 3251'' on your comment. Your comment--including your name and your state--will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ``trade secret or any commercial or financial information which . . . is privileged or confidential,'' as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

---------------------------------------------------------------------------

\1\ In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).

---------------------------------------------------------------------------

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you file your comment on paper, write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before May 25, 2015. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent order applicable to Nomi Technologies, Inc. (``Nomi'').

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.

Nomi uses mobile device tracking technology to provide analytics services to brick and mortar retailers through its ``Listen'' service. Nomi has been collecting information from consumers' mobile devices to provide the Listen service since January 2013. Nomi places sensors in its clients' retail locations that detect the media access control (``MAC'') address broadcast by a mobile device when it searches for WiFi networks. A MAC address is a 12-digit identifier that is unique to a particular device. Alternatively, in some instances Nomi collects MAC addresses through its clients' existing WiFi access points. In addition to the MAC address, Nomi

Page 24925

also collects the following information about each mobile device that comes within range of its sensors or its clients' WiFi access points: The mobile device's signal strength; the mobile device's manufacturer (derived from the MAC address); the location of the sensor or WiFi access point observing the mobile device; and the date and time the mobile device is observed.

Nomi cryptographically hashes the MAC addresses it observes prior to storing them on its servers. Hashing obfuscates the MAC address, but the result is still a persistent unique identifier for that mobile device. Each time a MAC address is run through the same hash function, the resulting identifier will be the same. For example, if MAC address 1A:2B:3C:4D:5E:6F is run through Nomi's hash function on ten different occasions, the resulting identifier will be the same each time. As a result, while Nomi does not store the MAC address, it does store a persistent unique identifier for each mobile device. Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013.

Nomi uses the information it collects to provide analytics reports to its clients about aggregate customer traffic patterns such as: The percentage of consumers merely passing by the store versus entering the store; the average duration of consumers' visits; types of mobile devices used by consumers visiting a location; the percentage of repeat customers within a given time period; and the number of customers that have also visited another location within the client's chain. Through October 22, 2013, Nomi's Listen service had approximately 45 clients. Some of these clients deployed the service in multiple locations within their chains.

Nomi has not published, or otherwise made available to consumers, a list of the retailers that use or used the Listen service. Nomi does not require its clients to post disclosures or otherwise notify consumers that they use the Listen service. Through October 22, 2013, most, if not all, of Nomi's clients did not post any disclosure, or otherwise notify consumers, regarding their use of the Listen service.

From at least November 2012, until October 22, 2013, Nomi disseminated or caused to be disseminated privacy policies on its Web site, nomi.com or getnomi.com, which included the following statement:

Nomi pledges to. . . . Always allow consumers to opt out of Nomi's service on its Web site as well as at any retailer using Nomi's technology.

Nomi provided, and continues to provide, an opt out on its Web site for consumers who do not want Nomi to store observations of their mobile device. In order to opt out of the Listen service on Nomi's Web site, consumers were required to provide Nomi with all of their mobile devices' MAC addresses, without knowing whether they would ever shop at a retail location using the Listen service. Once a consumer has entered the MAC address of their device into Nomi's Web site opt out, Nomi adds it to a blacklist of MAC addresses for which information will not be stored. Consumers who did not opt out on Nomi's Web site and instead wanted to make the opt out decision at retail locations were unable to do so, despite the explicit promise in Nomi's privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used.

The Commission's complaint alleges that Nomi's privacy policy represented that: (1) Consumers could opt out of Nomi's Listen service at retail locations using this service, and (2) that consumers would be given notice when a retail location was utilizing Nomi's Listen service. The complaint alleges that Nomi violated Section 5 of the Federal Trade Commission Act by misleading consumers because, contrary to its representations, Nomi did not provide an opt-out mechanism at its clients' retail locations and neither Nomi nor its clients disclosed to consumers that Nomi's Listen service was being used at a retail location.

The proposed order contains provisions designed to prevent Nomi from engaging in the future in practices similar to those alleged in the complaint. Part I of the proposed order prohibits Nomi from misrepresenting: (A) The options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

Parts II through VI of the proposed order are reporting and compliance provisions. Part II requires Nomi to retain documents relating to its compliance with the order. The order requires that all of the documents be retained for a five-year period. Part III requires dissemination of the order now and in the future to all current and future subsidiaries, principals, officers, directors, and managers, and to persons with responsibilities relating to the subject matter of the order. Part IV ensures notification to the FTC of changes in corporate status. Part V mandates that Nomi submit a compliance report to the FTC within 90 days, and periodically thereafter as requested. Part VI is a provision ``sunsetting'' the order after twenty (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint or order or to modify the order's terms in any way.

By direction of the Commission, Commissioners Ohlhausen and Wright dissenting.

Donald S. Clark,

Secretary.

Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny

We write to express our support for the complaint and proposed consent order in this case.

Nomi Technologies, Inc. is a provider of technology services that allow retailers to track consumers' movements around their stores by detecting the media access control (``MAC'') addresses broadcast by the WiFi interface on consumers' mobile devices.\1\ Services like Nomi's benefit businesses and consumers. For example, they enable retailers to improve store layouts and reduce customer wait times.

---------------------------------------------------------------------------

\1\ Although Nomi took steps to obscure the MAC addresses it collected by cryptographically hashing them, hashing generates a unique number that can be used to identify a device throughout its lifetime and is a process that can easily be ``reversed'' to reveal the original MAC address. See, e.g., Jonathan Mayer, Questionable Crypto in Retail Analytics, March 19, 2014, http://webpolicy.org/2014/03/19/questionable-crypto-in-retail-analytics/ (describing successful efforts in ``reversing the hash'' to identify the original MAC address).

---------------------------------------------------------------------------

At the same time, Nomi's service, and others like it, raise privacy concerns because they rely on the collection and use of consumers' precise location data. Indeed, Nomi sought to assure consumers that its practices were privacy-protecting, declaring in its privacy policy that ``privacy is our first priority.'' A core element of Nomi's assurance was its promise that consumers could opt out of Nomi's service through its Web site ``as well as at any retailer using Nomi's technology.'' Thus, Nomi made a specific and express promise to consumers about how, when, and where they could opt out of the location tracking services that the company provided to its clients.

Page 24926

As the Commission alleges in its complaint, however, this express promise was false. At no time during the nearly year-long period that Nomi made this promise to consumers did Nomi provide an in-store opt out at the retailers using its service. Moreover, the express promise of an in-store opt out necessarily makes a second, implied promise: That retailers using Nomi's service would notify consumers that the service was in use. This promise was also false. Nomi did not require its clients to provide such a notice. To our knowledge, no retailer provided such a notice on its own.

The proposed order includes carefully-tailored relief designed to prevent similar violations in the future. Specifically, it prohibits Nomi from making future misrepresentations about the notice and choices that will be provided to consumers about the collection and use of their information.

Nevertheless, Commissioner Wright argues in his dissent that Nomi's express promise to provide an in-store opt-out was not material because a Web site opt-out was available, and that, in any event, the Commission should not have brought this action because it will deter industry from adopting business practices that benefit consumers. In a separate statement, Commissioner Ohlhausen dissents on grounds of prosecutorial discretion. This statement addresses both dissents' arguments.

  1. Nomi's Express Opt-Out Promise Was False and Material, and Therefore Deceptive

    According to the Commission's Deception Policy Statement, a deceptive representation, omission, or practice is one that is material and likely to mislead a consumer acting reasonably under the circumstances. ``The basic question with respect to materiality is whether the act or practice is likely to affect the consumer's conduct or decision with respect to the product or service.'' \2\ Furthermore, the Commission presumes that an express claim is material,\3\ as is ``information pertaining to the central characteristics of the product or service.'' \4\

    ---------------------------------------------------------------------------

    \2\ Deception Policy Statement Sec. I.

    \3\ Deception Policy Statement Sec. IV.

    \4\ Id.

    ---------------------------------------------------------------------------

    Importantly, Section 5 case law makes clear that ``materiality is not a test of the effectiveness of the communication in reaching large numbers of consumers. It is a test of the likely effect of the claim on the conduct of a consumer who has been reached and deceived.'' \5\ Consumers who read the Nomi privacy statement would likely have been privacy-sensitive, and claims about how and when they could opt out would likely have especially mattered to them. Some of those consumers could reasonably have decided not to share their MAC address with an unfamiliar company in order to opt out of tracking, as the Web site-

    based opt-out required. Instead, those consumers may reasonably have decided to wait to see if stores they patronized actually used Nomi's services and opt out then. Or they may have decided that they would simply not patronize stores that use Nomi's services, so that they could effectively ``vote with their feet'' rather than exercising the opt-out choice. Or consumers may simply have found it inconvenient to opt out at the moment they were viewing Nomi's privacy policy, and decided to opt out later.

    ---------------------------------------------------------------------------

    \5\ In the Matter of Novartis, 1999 FTC LEXIS 63 *38 (May 27, 1999).

    ---------------------------------------------------------------------------

    These choices were rendered illusory because of Nomi's alleged failure to ensure that its client retailers provide any signs or opt-

    outs at stores. Further, consumers visiting stores that used Nomi's services would have reasonably concluded, in the absence of signage and the promised opt-outs, that these stores did not use Nomi's services. Nomi's express representations regarding how consumers may opt out of its location tracking services go to the very heart of consumers' ability to make decisions about whether to participate in these services. Thus, we have ample reason to believe that Nomi's opt-out representations were material.

    In his dissent, Commissioner Wright points to certain evidence that, in his view, rebuts the notion that a consumer who viewed Nomi's privacy policy would ``bypass the easier and immediate route (the online opt out) in favor of waiting'' to opt out at a retail location.\6\ According to Commissioner Wright, because consumers who viewed Nomi's privacy policy opted out at a higher rate (3.8%) than what is reported for a certain method of opting out of online behavioral advertising (less than 1%),\7\ this shows that consumers who wanted to opt out of tracking were able to do so--and therefore, the representation that consumers could opt out at an individual retailer was not material. We do not believe the 3.8% opt-out rate provides reliable evidence to rebut the presumption of materiality.

    ---------------------------------------------------------------------------

    \6\ Statement of Commissioner Wright at 4.

    \7\ Id. at 3 & n.15.

    ---------------------------------------------------------------------------

    The benchmark against which Commissioner Wright measures the Nomi opt-out rate--the purported opt out rate for online behavioral advertising--is neither directly comparable to, nor provides meaningful information about, consumers' likely motivations in deciding whether to opt-out of Nomi's Listen service. The difference in opt-out rates could simply mean that the practice of location tracking is much more material to consumers than behavioral advertising, and for that reason a much higher number of consumers exercised the Web site opt out. Indeed, recent studies have shown that consumers are concerned about offline retail tracking and tracking that occurs over time,\8\ as took place here. These relative opt-out rates could just as easily imply that many more than 3.8% of consumers were interested in opting out of Nomi's retail tracking, and that the consumers who did not opt out on the Web site were relying on their ability to opt out in stores, as promised by Nomi.

    ---------------------------------------------------------------------------

    \8\ See New Study: Consumers Overwhelmingly Reject In-store Tracking by Retailers, OpinionLab, March 27, 2014 http://www.opinionlab.com/press_release/new-study-consumers-overwhelmingly-reject-in-store-tracking-by-retailers/ (44% of survey respondents indicated that they would be less likely to shop at a store that uses in-store mobile device tracking); Spring Privacy Series: Mobile Device Tracking Seminar, available at http://www.ftc.gov/system/files/documents/public_events/182251/140219mobiledevicetranscript.pdf; Remarks of Ilana Westerman, Create with Context, at 47-48; 50 (stating that a study of 4600 Americans showed that consumers are reluctant to give up their location histories).

    ---------------------------------------------------------------------------

    In short, the 3.8% opt-out rate for Nomi's Web site opt-out, along with the comparison to opt-out rates in other contexts, is simply insufficient evidence to evaluate what choices the other 96.2% of visitors to the Web site intended to make, given the promises Nomi made to them about their options. Commissioner Wright is simply speculating when he extrapolates from the available data his conclusion that in-

    store opt-out rates would have been so low as to render the in-store option immaterial. Such inconclusive evidence fails to rebut any presumption of materiality that we might apply to Nomi's statements.

  2. The Proposed Order Contains Appropriate and Meaningful Relief

    The Commission's acceptance of the consent agreement is appropriate in light of both Nomi's alleged deception and the relief in the proposed order. The proposed order addresses the underlying deception in an appropriately tailored way. It prohibits Nomi from misrepresenting the options that consumers have to exercise control over information that Nomi collects, uses, discloses, or shares about them or their devices.\9\ It also prohibits Nomi from misrepresenting the extent to

    Page 24927

    which consumers will be notified about such choices.\10\ Nomi may be subject to civil penalties if it violates either of these prohibitions. While the consent order does not require that Nomi provide in-store notice when a store uses its services or offer an in-store opt out, that was not the Commission's goal in bringing this case. This case is simply about ensuring that when companies promise consumers the ability to make choices, they follow through on those promises. The relief in the order is therefore directly tied to the deceptive practices alleged in the complaint.\11\ The order will also serve to deter other companies from making similar false promises and encourage them to periodically review the statements they make to consumers to ensure that they are accurate and up-to-date.

    ---------------------------------------------------------------------------

    \9\ Order Sec. I.

    \10\ Id.

    \11\ After arguing primarily that Nomi did not violate Section 5, Commissioner Wright argues in the alternative that the proposed order is too narrow. See Statement of Commissioner Wright at 4 (stating that ``the proposed consent order does nothing to alleviate such harm from retail location tracking'' because it does not require Nomi to offer, and provide notice of, an in-store opt out). This argument is based on a misunderstanding of the injury at issue in this case. Here, the injury to consumers was Nomi's allegedly false and material statement of the opt-out choices available to consumers. The proposed order prohibits Nomi from making such representations and thereby addresses the underlying consumer injury.

    ---------------------------------------------------------------------------

    In their dissents, however, Commissioners Wright and Ohlhausen argue that the Commission should have declined to take action in this case. Commissioner Ohlhausen views this action as ``encouraging companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.'' \12\ Similarly, Commissioner Wright argues that the action against Nomi ``sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.'' \13\

    ---------------------------------------------------------------------------

    \12\ Statement of Commissioner Ohlhausen.

    \13\ Statement of Commissioner Wright at 4.

    ---------------------------------------------------------------------------

    The Commission encourages companies to provide privacy choices to consumers, but it also must take action in appropriate cases to stop companies from providing false choices. Our action today does just that. Indeed, this case is very similar to prior Commission cases involving allegedly deceptive opt outs.\14\ We do not believe that any of these actions--including the one announced today--have deterred or will deter companies from providing truthful choices. To the contrary, companies are voluntarily adopting enforceable privacy commitments in the retail location tracking space \15\ and in other areas.\16\

    ---------------------------------------------------------------------------

    \14\ See U.S. v. Google Inc., No. CV 12-04177, (N.D. Cal. Nov. 16, 2012) (stipulated injunction) ($22.5 million settlement over Google's allegedly deceptive opt out, which did not work on the Safari browser); Chitika, Inc., No. C-4324, (F.T.C. June 7, 2011) (consent order) available at http://www.ftc.gov/enforcement/cases-proceedings/1023087/chitika-inc-matter (alleging that advertising network deceived consumers by not telling them that their opt out of behavioral advertising cookies would last only 10 days); U.S. Search, Inc., No. C-4317 (Mar. 14, 2011) (consent order) available at http://www.ftc.gov/enforcement/cases-proceedings/us-search-inc (alleging that a data broker deceived consumers by failing to disclose limitations of its opt out).

    \15\ The Future of Privacy Forum has developed an entire self-

    regulatory code that requires industry members to provide such choices. See also Jan Lauren Boyles et al., Pew Internet Project, Privacy and Data Management on Mobile Devices 2 (2012), available at http://www.pewinternet.org/files/old-media/Files/Reports/2012/PIP_MobilePrivacyManagement.pdf (reporting that 19% of consumers ``turned off the location tracking feature on their cell phone because they were concerned that other individuals or companies could access that information) and Westerman, supra note 8, at 50-52 (describing sensitivity of location history, based on study of 4600 U.S. consumers).

    \16\ See, e.g., Future of Privacy Forum, K-12 Student Privacy Pledge Announced (Oct. 7, 2014), available at http://www.futureofprivacy.org/2014/10/07/k-12-student-privacy-pledge-announced/.

    ---------------------------------------------------------------------------

    * * * * *

    The application of Section 5 deception authority to express statements likely to affect a consumer's choice of or conduct regarding a good or service is well established. For close to a year, Nomi claimed to offer two opt-out methods but in fact it provided only one. We believe this failure was material and that Nomi had a legal obligation to fulfill the promises it made to consumers.

    Dissenting Statement of Commissioner Maureen K. Ohlhausen

    Nomi Technologies Inc., a startup company, offered its retail merchant clients the ability to analyze aggregate data about consumer traffic in the merchants' stores. Nomi provided this service by observing smartphone MAC addresses--a series of hexadecimal numbers that every WiFi-enabled device publicly broadcasts to any listening receiver. Nomi did not store this publicly broadcast information, but instead hashed the addresses and stored the hash. Nomi provided this service as a third party contractor; it had no direct relationship with consumers. At the time covered by the complaint, the majority of Nomi's customers were trialing this startup service in a few stores, at most.

    It is important to note that, as a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out. Yet from the inception of the service, Nomi offered all consumers the opportunity to opt out globally.

    For a time, Nomi's privacy policy stated that Nomi ``pledges to . . . Always allow consumers to opt out of Nomi's service on its Web site as well as at any retailer using Nomi's technology.'' \1\ As already noted, Nomi did offer a global opt out on its Web site. However, it appears that none of Nomi's retail clients offered consumers the opportunity or ability to opt out. Thus, Nomi's privacy policy was partly inaccurate. As Commissioner Wright points out, the evidence we have suggests that the privacy policy's partially inaccurate statement harmed no consumers.\2\

    ---------------------------------------------------------------------------

    \1\ Complaint, Exhibit A (Nomi's privacy policy from approximately Nov. 2012 until Jan. 2013) (emphasis added).

    \2\ Dissenting Statement of Commissioner Joshua Wright at 2.

    ---------------------------------------------------------------------------

    I believe the FTC should not have brought a case against Nomi based on these facts and instead should have exercised its prosecutorial discretion, for two reasons. First, the Commission should use its limited resources to pursue cases that involve consumer harm. Second, and more importantly, we should not apply a de facto strict liability approach to a young company that attempted to go above and beyond its legal obligation to protect consumers but, in so doing, erred without benefiting itself. I fear that the majority's decision in this case encourages companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.

    For these reasons, I dissent.

    Dissenting Statement of Commissioner Joshua D. Wright

    Today, the Commission finds itself in the unfortunate position of trying to fix a problem that no longer exists by stretching a legal theory to fit the unwieldy facts before it. I dissent from the Commission's decision to accept for public comment a consent order with Nomi Technologies, Inc. (Nomi) not only because it is inconsistent with a fair reading of the Commission's Policy Statement on Deception, but also because even if the facts were to support a technical legal violation--which they do not--prosecutorial discretion would favor restraint.

    Nomi does not track individual consumers--that is, Nomi's technology records whether individuals are unique or repeat visitors, but it does not identify them. Nomi provides analytics services based upon data collected from mobile device tracking technology to brick-

    and-mortar retailers through its

    Page 24928

    ``Listen'' service.\1\ Nomi uses sensors placed in its clients' retail locations or its clients' existing WiFi access points to detect the media access control (MAC) address broadcast by a consumer's mobile device when it searches for WiFi networks. Nomi passes MAC addresses through a cryptographic hash function before collection and creates a persistent unique identifier for the mobile device.\2\ Nomi does not ``unhash'' this identifier to retrieve the MAC addresses and Nomi does not store the MAC addresses of the mobile devices. In addition to creating this unique persistent identifier, Nomi collects the device manufacturer information, the device's signal strength, and the date, time and locating sensor of the mobile device. This information is then used to provide analytics to Nomi's clients. For example, even without knowing the identity of those visiting their stores, the data provided by Nomi's Listen service can generate potentially valuable insights about aggregate in-store consumer traffic patterns, such as the average duration of customers' visits, the percentage of repeat customers, or the percentage of consumers that pass by a store rather than entering it. These insights, in turn, allow retailers to measure how different retail promotions, product offerings, displays, and services impact consumers. In short, these insights help retailers optimize consumers' shopping experiences,\3\ inform staffing coverage for their stores, and improve store layouts.

    ---------------------------------------------------------------------------

    \1\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-

    3251, Compl. 3 (Apr. 23, 2015).

    \2\ For more information on cryptographic hashing, see Rob Sobers, The Definitive Guide to Cryptographic Hash Functions (Part I), Varonis (Aug. 2, 2012), http://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/.

    \3\ See, e.g., Alyson Shontell, It Took Only 13 Days for Former Salesforce Execs to Raise $3 Million for Their Startup, Nomi, Business Insider (Feb. 11, 2013), http://www.businessinsider.com/former-salesforce-and-buddy-media-executives-raise-3-million-nomi-2013-2 (``The moment you open Amazon.com, your entire retail experience is personalized, down to the promotions you see and the products you are pushed. That's because e-commerce is a data-driven industry, and Web sites know a lot about customers who stumble on to their Web sites. Physical stores however, where 90% of all retail purchases still occur, know nothing about the customers who walk in their doors.'').

    ---------------------------------------------------------------------------

    The Commission's complaint focuses upon a single statement in Nomi's privacy policy. Specifically, Nomi's privacy policy states that ``Nomi pledges to . . . Always allow consumers to opt out of Nomi's service on its Web site as well as at any retailer using Nomi's technology.'' \4\ Count I of the complaint alleges Nomi represented in its privacy policy that consumers could opt out of its Listen service at retail locations using the service, but did not in fact provide a retail level opt out. Count II relies upon this same representation to allege a second deceptive practice--that the failure to provide the opt out in the first instance also implies a failure to provide notice to consumers that a specific retailer would be using the Listen service.\5\

    ---------------------------------------------------------------------------

    \4\ Compl. 12.

    \5\ Compl. 16-17.

    ---------------------------------------------------------------------------

    The Commission's decision to issue a complaint and accept a consent order for public comment in this matter is problematic for both legal and policy reasons. Section 5(b) of the FTC Act requires us, before issuing any complaint, to establish ``reason to believe that a violation has occurred'' and that an enforcement action would ``be to the interest of the public.'' \6\ While the Act does not set forth a separate standard for accepting a consent decree, I believe that threshold should be at least as high as for bringing the initial complaint. The Commission has not met the relatively low ``reason to believe'' bar because its complaint does not meet the basic requirements of the Commission's 1983 Deception Policy Statement. Further, the complaint and proposed settlement risk significant harm to consumers by deterring industry participants from adopting business practices that benefit consumers.

    ---------------------------------------------------------------------------

    \6\ 15 U.S.C. 45(b).

    ---------------------------------------------------------------------------

    The fundamental failure of the Commission's complaint is that the evidence simply does not support the allegation that Nomi's representation about an opportunity to opt out of the Listen service at the retail level--in light of the immediate and easily accessible opt out available on the Web page itself--was material to consumers. This failure alone is fatal. A representation simply cannot be deceptive under the long-standing FTC Policy Statement on Deception in the absence of materiality.\7\ The Policy Statement on Deception highlights the centrality of the materiality inquiry, observing that the ``basic question is whether the act or practice is likely to affect the consumer's conduct or decision with regard to a product or service.'' \8\ The materiality inquiry is critical because the Commission's construct of ``deception'' uses materiality as an evidentiary proxy for consumer injury: ``injury exists if consumers would have chosen differently but for the deception. If different choices are likely, the claim is material, and injury is likely as well.'' \9\ This is a critical point. Deception causes consumer harm because it influences consumer behavior--that is, the deceptive statement is one that is not merely misleading in the abstract but one that causes cause consumers to make choices to their detriment that they would not have otherwise made. This essential link between materiality and consumer injury ensures the Commission's deception authority is employed to deter only conduct that is likely to harm consumers and does not chill business conduct that makes consumers better off. This link also unifies the Commission's two foundational consumer protection authorities--

    deception and unfairness--by tethering them to consumer injury.

    ---------------------------------------------------------------------------

    \7\ Fed. Trade Comm'n, Policy Statement on Deception (1983), appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 175, 182 (1984) hereinafter FTC Policy Statement on Deception, available at https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.

    \8\ FTC Policy Statement on Deception, 103 F.T.C. at 175.

    \9\ Id. at 183.

    ---------------------------------------------------------------------------

    The Commission does not explain how it finds the materiality requirement satisfied; presumably it does so upon the assumption that ``express statements'' are presumptively material.\10\ However, that presumption was never intended to substitute for common sense, evidence, or analysis. Indeed, the Policy Statement on Deception acknowledges the ``Commission will always consider relevant and competent evidence offered to rebut presumptions of materiality.'' \11\ Here, the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi's failure to implement an additional, retail-

    level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not ``have chosen differently'' but for the allegedly deceptive representation.

    ---------------------------------------------------------------------------

    \10\ See POM Wonderful LLC, 2013 FTC LEXIS 6, *121 (2013); Novartis Corp., 127 F.T.C. 580, 686 (1999); American Home Prods., 98 F.T.C. 136, 368 (1981).

    \11\ FTC Policy Statement on Deception, 103 F.T.C. at 182 n.47.

    ---------------------------------------------------------------------------

    Nomi represented that consumers could opt out on its Web site as well as in the store where the Listen service was being utilized. Nomi did offer a fully functional and operational global opt out from the Listen service on its Web site.\12\ Thus, the only remaining

    Page 24929

    potential issue is whether Nomi's failure to offer the represented in-

    store opt out renders the statement in its privacy policy deceptive. The evidence strongly implies that specific representation was not material and therefore not deceptive. Nomi's ``tracking'' of users was widely publicized in a story that appeared on the front page of The New York Times,\13\ a publication with a daily reach of nearly 1.9 million readers.\14\ Most likely due to this publicity, Nomi's Web site received 3,840 unique visitors during the relevant timeframe and received 146 opt outs--an opt-out rate of 3.8% of site visitors. This opt-out rate is significantly higher than the opt-out rate for other online activities.\15\ This high rate, relative to Web site visitors, likely reflects the ease of a mechanism that was immediately and quickly available to consumers at the time they may have been reading the privacy policy.

    ---------------------------------------------------------------------------

    \12\ As such, the facts of this case are distinguishable from the cases cited for support by the majority in its statement. In the Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny 5 n.14 (Apr. 23, 2015).

    \13\ Stephanie Clifford & Quentin Hardy, Attention, Shoppers: Store is Tracking Your Cell, New York Times (July 14, 2013), http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0.

    \14\ The Associated Press, Top 10 Newspapers by Circulation: Wall Street Journal Leads Weekday Circulation, Huffington Post (Apr. 30, 2013), http://www.huffingtonpost.com/2013/05/01/newspaper-circulation-top-10_n_3188612.html.

    \15\ In perhaps the most comparable circumstance--Do Not Track mechanisms--the opt-out rate is extremely low. See, e.g., Jack Marshall, The Do Not Track Era, Digiday (Feb. 27, 2012), http://digiday.com/platforms/advertising-in-the-do-not-track-era/ (``according to data from Evidon, which facilitates the serving of those icons, someone clicks and goes through the opt-out process once for every 10,000 ad impressions served''); Matthew Creamer, Despite Digital Privacy Uproar, Consumers are Not Opting Out, Advertising Age (May 31, 2011), http://adage.com/article/digital/digital-privacy-uproar-consumers-opting/227828/ (``Evidon, which has the longest set of data, is seeing click-through of 0.005% with only 2% opting out from 30 billion impressions''). See also Richard Beaumont, Cookie Opt-Out Stats Revealed, The Cookie Collective (Feb. 19, 2014), http://www.cookielaw.org/blog/2014/2/19/cookie-opt-out-statistics-revealed/.

    ---------------------------------------------------------------------------

    The Commission's reliance upon a presumption of materiality as to the additional representation of the availability of an in-store opt out is dubious in light of evidence of the opt-out rate for the Web page mechanism. Actual evidence of consumer behavior indicates that consumers that were interested in opting out of the Listen service took their first opportunity to do so. To presume the materiality of a representation in a privacy policy concerning the availability of an additional, in-store opt-out mechanism requires one to accept the proposition that the privacy-sensitive consumer would be more likely to bypass the easier and immediate route (the online opt out) in favor of waiting until she had the opportunity to opt out in a physical location. Here, we can easily dispense with shortcut presumptions meant to aid the analysis of consumer harm rather than substitute for it. The data allow us to know with an acceptable level of precision how many consumers--3.8% of them--reached the privacy policy, read it, and made the decision to opt out when presented with that immediate choice. The Commission's complaint instead adopts an approach that places legal form over substance, is inconsistent with the available data, and defies common sense.

    The Commission's approach here is problematic for another reason. To the extent there is consumer injury when consumers are offered an opt out from tracking that cannot be effectuated, or that more generally, consumers are uncomfortable with such tracking and it should be disclosed to them, the proposed consent order does nothing to alleviate such harm and will, instead, likely exacerbate it. Nomi has removed its representation about a retail level opt-out mechanism from its privacy policy. The proposed consent order does not require Nomi to offer such a mechanism, nor does it require Nomi to disclose the tracking in retail locations.\16\ It is unlikely that Nomi could agree to such a condition any case--Nomi contracts with retailers and has no control over the retailers' premises. The order does not--and cannot--

    compel retailers to disclose the tracking technology.

    ---------------------------------------------------------------------------

    \16\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-

    3251, Proposed Consent Order Part I (Apr. 23, 2015).

    ---------------------------------------------------------------------------

    Even assuming arguendo Nomi's privacy policy statement is deceptive under the Deception Policy Statement, the FTC would better serve consumers by declining to take action against Nomi. The analytical failings of the Commission's approach are not harmless error. Rather, aggressive prosecution of this sort will inevitably deter industry participants like Nomi from engaging in voluntary practices that promote consumer choice and transparency--the very principles that lie at the heart of the Commission's consumer protection mission.\17\ Nomi was under no legal obligation to post a privacy policy, describe its practices to consumers, or to offer an opt-out mechanism. To penalize a company for such a minor shortcoming--particularly when there is no evidence the misrepresentation harmed consumers--sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.

    ---------------------------------------------------------------------------

    \17\ In addition, Nomi arguably offered a product that was more privacy-protective than other, more intrusive methods that retailers currently employ, such as video cameras. See Clifford & Hardy, supra note 14 (``Cameras have become so sophisticated, with sharper lenses and data-processing, that companies can analyze what shoppers are looking at, and even what their mood is.'').

    ---------------------------------------------------------------------------

    Finally, market forces already appear to be responding to consumer preferences related to tracking technology. For example, in response to potential consumer discomfort some retailers have discontinued or changed the methods by which they track visitors to their physical stores.\18\ Technological innovation has also responded to incentives to provide a better consumer experience, including a Bluetooth technology that provides not only an opt-in choice for consumers,\19\ but also gives retailers the opportunity to provide their consumers with a more robust shopping experience.\20\ Notably, Nomi itself has responded to these market changes and no longer offers the MAC address tracking technology to any retailer other than its legacy customers.

    ---------------------------------------------------------------------------

    \18\ See, e.g., Amy Hollyfield, Philz to Stop Tracking Customers via Smartphones, ABC 7 News (May 29, 2014), http://abc7news.com/business/philz-to-stop-tracking-customers-via-smartphones/83943/; Peter Cohan, How Nordstrom Uses WiFi to Spy On Shoppers, Forbes (May 9, 2013), http://www.forbes.com/sites/petercohan/2013/05/09/how-nordstrom-and-home-depot-use-wifi-to-spy-on-shoppers/.

    \19\ See, e.g., Siraj Datoo, High Street Shops are Studying Shopper Behaviour by Tracking Their Smartphones or Movement, The Guardian (Oct. 3, 2013), http://www.theguardian.com/news/datablog/2013/oct/03/analytics-amazon-retailers-physical-cookies-high-street (``If customers create accounts on the wireless network--something millions have done--they first have to accept terms and conditions that opts them in to having their movements monitored when inside the stores''); Jess Bolluyt, What's So Bad About In-Store Tracking?, The Cheat Sheet (Nov. 27, 2014), http://www.cheatsheet.com/technology/whats-so-bad-about-in-store-tracking.html/?a=viewall (``customers have to turn on Bluetooth, accept location services, and opt in to receive notifications'').

    \20\ See, e.g., Greg Petro, How Proximity Marketing Is Driving Retail Sales, Forbes (Oct. 8, 2014), http://www.forbes.com/sites/gregpetro/2014/10/08/how-proximity-marketing-is-driving-retail-sales/(``This will allow Macy's to send personalized department-

    level deals, discounts, recommendations and rewards to customers who opt-in to receive the offers''); Datoo, supra note 20 (after opting in, ``users can then add their loyalty card numbers to receive personalised recommendations.'').

    ---------------------------------------------------------------------------

    Accordingly, I dissent from the issuance of this complaint and the acceptance of a consent decree for public comment.

    FR Doc. 2015-10154 Filed 4-30-15; 8:45 am

    BILLING CODE 6750-01-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT