Nomi FTC Settlement Highlights Risks of Publicizing Company Privacy Policies
As alleged in the FTC’s complaint, Nomi’s service provides brick-and-mortar retailers with aggregate data collected from consumers’ mobile devices as the consumers shop in, or in some cases pass by, their stores. Specifically, the service collects media access control (“MAC”) addresses, which are broadcast by devices as they search for WiFi interfaces. This information can be used to identify the general location of devices within stores at different dates and times, allowing retailers to improve store layouts and reduce customer wait times. Although the service does not match MAC addresses to particular consumers’ identities, it does save MAC addresses in a coded format so consumers’ behaviors can be tracked over time. According to the FTC, the MAC address is therefore a type of “persistent unique identifier” for a consumer’s device.
The latter point—based on the majority’s conclusion that “the express promise of an in-store opt-out necessarily” implies that “retailers using Nomi’s service would notify customers that the service was in use”—serves as a reminder that the FTC views implied representations to be just as actionable as express representations under Section 5.
For more information regarding the consent order between Nomi and the FTC or to discuss data security practices generally, please feel free to contact David McIntosh, Mark Szpak, or another member of Ropes & Gray’s leading privacy & data security team.