Mobile Location Analytics Companies Agree to Code of Conduct

November 8, 2013 by Emily Tabatabai 3 Comments

U.S. Senator Charles Schumer, the Future of Privacy Forum (“FPF”), a Washington, D.C. based think tank, and a group of location analytics companies, including Euclid, Mexia Interactive, Radius Networks, Brickstream, Turnstyle Solutions and SOLOMO, released a Code of Conduct to promote customer privacy and transparency for mobile location analytics.

Mobile location analytics technology, which allows stores to analyze shoppers’ behavior based on information collected from the shoppers’ cell phones, has faced a string of negative press in the last several months. The location analytics companies gather Wi-Fi and Bluetooth MAC address signals to monitor shoppers’ movements around the store, providing feedback such as how long shoppers wait in line at the check-out, how effective a window display draws customers into the store, and how many people who browse actually make a purchase. Retailers argue that the technology provides them with the same type of behavioral data that is already being collected from shoppers when they browse retail sites online. Customer advocates, on the other hand, raise concerns about the invasive nature of the tracking service, particularly as most customers aren’t aware that the tracking is taking place. Senator Schumer has been one of the most vocal critics of the mobile location analytics services, calling it an “unfair or deceptive” trade practice to fail to notify shoppers that their movements are being tracked or to give them a chance to opt-out of the practice. In an open letter to the FTC in July 2013, Sen. Schumer described the technology thus:

“Retailers do not ever receive affirmative consent from the customer for [location analytics] tracking, and the only options for a customer to not be tracked are to turn off their phone’s Wi-Fi or to leave the phone at home. Geophysical location data about a person is obviously highly sensitive; however, retailers are collecting this information anonymously without consent.”

In response, a group of leading mobile location analytics companies agreed to a Code of Conduct developed in collaboration with Sen. Schumer and the Future of Privacy Forum to govern mobile location analytics services. Under the Code:

A participating mobile location analytics firm will “take reasonable steps to require” participating retailers to provide customer notice through clear, in-store signage; using a standard symbol or icon to indicate the collection of mobile location analytics data; and to direct customers to industry education and opt-out website (For example, “To learn about use of customer location and your choices, visit www.smartstoreprivacy.com” would be acceptable language for in-store signage)
The mobile location analytics company will provide a detailed disclosure in its privacy policy about the use and collection of data it collects in-store, which should be separate from the disclosure of information collected through the company’s website.
Customers must be allowed the choice to opt-out of tracking. The mobile location analytics company will post a link in its privacy policy to the industry site which provides a central opt-out. A notice telling customers to turn off their mobile device or to deactivate the Wi-Fi signal is not considered sufficient “choice” under the Code.
The notice and choice requirements do not apply if the information collected is not unique to an individual device or user, or it is promptly aggregated so as not to be unique to a device or user, and individual level data is not retained. If a mobile location analytics firm records device-level information, even if it only shares aggregate information with retail clients, it must provide customer choice.
A customer’s affirmative consent is required if: (1) personal information will be linked to a mobile device identifier, or (2) a customer will be contacted based on the analytic information.

The FTC has offered support to the self-regulatory process and provided feedback on the Code during the drafting negotiations. “It’s great that industry has recognized customer concerns about invisible tracking in retail space and has taken a positive step forward in developing a self-regulatory code of conduct,” FTC Director of Customer Protection Jessica Rich told Politico.

Some critics, however, feel that the Code does not go far enough. The notice provision is weak, as it relies on the retailers to provide in-store signage for the customer. Notably, retailers were not party to the negotiations developing the Code of Conduct and no retailer has publicly agreed to post signs in their stores. Given the history – retailer Nordstrom was forced to drop its mobile location analytics pilot program in response to bad press from customers complaining after seeing posted signs – retailers are likely to want in-store signage to be as inconspicuous as possible.

The next time you’re out shopping, keep your eyes peeled for in-store signage. Are your retailers watching you?

Author: Emily Tabatabai

Emily S. Tabatabai is a member of the Privacy, Data Security and Internet Safety group at Orrick, Herrington & Sutcliffe. She regularly advises clients on an array of consumer protection and privacy matters, including data privacy and security compliance and procedure, data breach responses, online privacy, mobile privacy, behavioral advertising, sales and marketing, advertising and promotions, and social media. She has represented clients from start-ups to Fortune 500 companies in investigations before the Federal Trade Commission and State Attorneys’ General, as well as in private litigation. Emily is certified as an information privacy professional (CIPP/US and CIPP/EU) by the International Association of Privacy Professionals (“IAPP”).