FTC Continues its Push to Regulate the Collection and Use of Location Information

Recently, the Federal Trade Commission (FTC) announced that it had settled charges with Nomi Technologies, Inc. regarding its collection and use of information that could be used to track the movements of individuals through their mobile devices. Nomi offers an analytics service in connection with which Nomi deployed sensors at brick and mortar retailers to collect the media access control (MAC) address of shoppers’ mobile devices. A MAC address is a 12-digit identifier that is unique to a particular device. Nomi took steps to obfuscate the MAC address itself, but in the process created a unique device identifier for that mobile device. Nomi used this information to collect traffic patterns of customers and passers-by and related information at the stores.

From at least November 2012 until October 22, 2013, Nomi’s privacy policy stated that the company will “[a]lways allow consumers to opt out of Nomi’s service on its website as well as any retailer using Nomi’s technology.” However, during that period consumers were unable to opt out of the collection of MAC addresses, nor were retailers with sensors required by Nomi to notify customers that their MAC addresses were being collected. The FTC charged that the misrepresentation in the privacy policy and the failure to notify customers that MAC addresses were being collected were “unfair or deceptive acts or practices,” and, therefore, violated Section 5 of the FTC Act.     

The FTC’s action against Nomi highlights its growing efforts to regulate the collection and use of information that can be associated with the location of consumers (“geolocation information”), even though there is very limited legislative or statutory authority in the U.S. protecting geolocation information. In fact, there is not a uniform definition, unlike other types of information that businesses must protect. Moreover, it is important to note that there is nothing in the complaint to suggest that Nomi or the retailers used the information to identify a particular individual or to aggregate MAC addresses with personally identifiable information. Instead, Nomi’s primary failure was simply to comply with its own privacy policy and to notify consumers that MAC addresses were being collected. 

It is also noteworthy that the FTC did not discuss the precision of the geolocation information (i.e. one foot, one yard, etc.) or the frequency with which the geolocation information was collected. Without further clarification from the FTC, a growing number of companies that are collecting and using sensor data could be considered, directly or indirectly, to be tracking the movements of individuals. Many of these companies probably do not even consider themselves in the “tracking” business. However, until the FTC provides further guidance, these companies should make sure that their privacy policies are up-to-date and that they are complying with all of the relevant terms. In addition, these companies should require any third party data suppliers to provide adequate notice of collection to consumers.