The Federal Trade Commission recently announced a proposed settlement with a retail tracking company to resolve charges that the company’s privacy policy misled consumers about their ability to opt out of the company’s tracking services. The FTC action demonstrates the need for companies to carefully review their privacy policies to ensure they accurately reflect actual business practices. It also demonstrates the need for companies, before engaging ‎third-party vendors or service providers, to include in their due diligence an evaluation of privacy issues that may arise in such relationships and ensure such issues are appropriately addressed in any contracts.

According to the complaint, the FTC’s first against a retail tracking company, the company, Nomi Technologies, uses “mobile device tracking technology to provide analytic services to brick and mortar retailers through its ‘Listen’ service.” Using sensors placed in clients’ retail locations or their existing WiFi access points, Listen detects the media access control (MAC) address that a consumer’s mobile device broadcasts when it searches for WiFi networks. (A MAC address is a 12-digit identifier that is unique to a particular device.) The company then passes the MAC addresses through a cryptographic hash function to create a unique device identifier which it stores on its servers. Nomi also collects other information about the device, such as when and where it is detected. Based on this information, the company provides analytic reports to clients about aggregate in-store consumer traffic patterns, such as the average duration of customers’ visits, the percentage of repeat customers, and the percentage of consumers that pass by a store rather than entering it.

The FTC’s complaint claimed the company engaged in an unfair or deceptive act or practice in violation of Section 5 of the FTC Act by misleading consumers about their ability to opt out of the company’s service. According to the FTC, the privacy policy posted on the company’s website stated that the company always allowed consumers to opt out of its tracking service on its website or at any retailer using the company’s technology. The FTC alleged that although consumers could opt out on the company’s website, there was no mechanism for opting out at retail locations and consumers were unaware that a retailer was even using the company’s service (since “most, if not all” of the company’s clients did not notify consumers the service was in use). As a result, the FTC alleged that the privacy policy was false or misleading because it represented to consumers that they could opt out at retail locations and would be given notice when a retailer was using the company’s service.

The proposed consent order, which includes no monetary penalty, prohibits the company from misrepresenting (1) consumers’ options for exercising control over “the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices,” and (2) the extent to which consumers will be provided notice “about how data from or about a particular consumer, computer, or device is collected, used, disclosed or shared.” The consent order is open for public comment until May 25, 2015.

Two FTC commissioners dissented from the complaint and acceptance of the consent decree. In their dissenting statements, in addition to noting the absence of evidence indicating consumer harm, both commissioners commented that the company had no legal obligation to offer an opt-out mechanism and expressed concern that the FTC’s action could deter companies from voluntarily going beyond their legal obligations and providing more choice to consumers.

Members of Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on compliance with consumer financial services laws related to data security and privacy issues.

If you have questions, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or, Privacy and Data Security Practice Leader Daniel JT McKenna at 215.864.8321 or, Privacy and Data Security Practice Leader Philip N. Yannella, at 215.864.8180 or, or John L. Culhane, Jr., at 215.864.8535 or

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

Consumer Financial Services
Privacy and Data Security


Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >