Nomi Technologies, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 24923-24929 [2015-10154]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 80, Number 84 (Friday, May 1, 2015)]
[Notices]
[Pages 24923-24929]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-10154]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3251]


Nomi Technologies, Inc.; Analysis of Proposed Consent Order To 
Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment

[[Page 24924]]

describes both the allegations in the draft complaint and the terms of 
the consent order--embodied in the consent agreement--that would settle 
these allegations.

DATES: Comments must be received on or before May 25, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/nomitechconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and file 
your comment online at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If 
you prefer to file your comment on paper, write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on 
the envelope, and mail your comment to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., 
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 
5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias (202-326-3334) or 
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for April 23, 2015), on the World Wide Web at: 
https://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before May 25, 2015. 
Write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 
3251'' on your comment. Your comment--including your name and your 
state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission Web 
site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission Web 
site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based 
form. If this Notice appears at https://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you file your comment on paper, write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on 
the envelope, and mail your comment to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., 
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 
5610 (Annex D), Washington, DC 20024. If possible, submit your paper 
comment to the Commission by courier or overnight service.
    Visit the Commission Web site at https://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before May 25, 2015. You can find more information, 
including routine uses permitted by the Privacy Act, in the 
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent order applicable to Nomi Technologies, Inc. 
(``Nomi'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Nomi uses mobile device tracking technology to provide analytics 
services to brick and mortar retailers through its ``Listen'' service. 
Nomi has been collecting information from consumers' mobile devices to 
provide the Listen service since January 2013. Nomi places sensors in 
its clients' retail locations that detect the media access control 
(``MAC'') address broadcast by a mobile device when it searches for 
WiFi networks. A MAC address is a 12-digit identifier that is unique to 
a particular device. Alternatively, in some instances Nomi collects MAC 
addresses through its clients' existing WiFi access points. In addition 
to the MAC address, Nomi

[[Page 24925]]

also collects the following information about each mobile device that 
comes within range of its sensors or its clients' WiFi access points: 
The mobile device's signal strength; the mobile device's manufacturer 
(derived from the MAC address); the location of the sensor or WiFi 
access point observing the mobile device; and the date and time the 
mobile device is observed.
    Nomi cryptographically hashes the MAC addresses it observes prior 
to storing them on its servers. Hashing obfuscates the MAC address, but 
the result is still a persistent unique identifier for that mobile 
device. Each time a MAC address is run through the same hash function, 
the resulting identifier will be the same. For example, if MAC address 
1A:2B:3C:4D:5E:6F is run through Nomi's hash function on ten different 
occasions, the resulting identifier will be the same each time. As a 
result, while Nomi does not store the MAC address, it does store a 
persistent unique identifier for each mobile device. Nomi collected 
information about approximately nine million unique mobile devices 
between January 2013 and September 2013.
    Nomi uses the information it collects to provide analytics reports 
to its clients about aggregate customer traffic patterns such as: The 
percentage of consumers merely passing by the store versus entering the 
store; the average duration of consumers' visits; types of mobile 
devices used by consumers visiting a location; the percentage of repeat 
customers within a given time period; and the number of customers that 
have also visited another location within the client's chain. Through 
October 22, 2013, Nomi's Listen service had approximately 45 clients. 
Some of these clients deployed the service in multiple locations within 
their chains.
    Nomi has not published, or otherwise made available to consumers, a 
list of the retailers that use or used the Listen service. Nomi does 
not require its clients to post disclosures or otherwise notify 
consumers that they use the Listen service. Through October 22, 2013, 
most, if not all, of Nomi's clients did not post any disclosure, or 
otherwise notify consumers, regarding their use of the Listen service.
    From at least November 2012, until October 22, 2013, Nomi 
disseminated or caused to be disseminated privacy policies on its Web 
site, nomi.com or getnomi.com, which included the following statement:

    Nomi pledges to. . . . Always allow consumers to opt out of 
Nomi's service on its Web site as well as at any retailer using 
Nomi's technology.

    Nomi provided, and continues to provide, an opt out on its Web site 
for consumers who do not want Nomi to store observations of their 
mobile device. In order to opt out of the Listen service on Nomi's Web 
site, consumers were required to provide Nomi with all of their mobile 
devices' MAC addresses, without knowing whether they would ever shop at 
a retail location using the Listen service. Once a consumer has entered 
the MAC address of their device into Nomi's Web site opt out, Nomi adds 
it to a blacklist of MAC addresses for which information will not be 
stored. Consumers who did not opt out on Nomi's Web site and instead 
wanted to make the opt out decision at retail locations were unable to 
do so, despite the explicit promise in Nomi's privacy policies. 
Consumers were not provided any means to opt out at retail locations 
and were unaware that the service was even being used.
    The Commission's complaint alleges that Nomi's privacy policy 
represented that: (1) Consumers could opt out of Nomi's Listen service 
at retail locations using this service, and (2) that consumers would be 
given notice when a retail location was utilizing Nomi's Listen 
service. The complaint alleges that Nomi violated Section 5 of the 
Federal Trade Commission Act by misleading consumers because, contrary 
to its representations, Nomi did not provide an opt-out mechanism at 
its clients' retail locations and neither Nomi nor its clients 
disclosed to consumers that Nomi's Listen service was being used at a 
retail location.
    The proposed order contains provisions designed to prevent Nomi 
from engaging in the future in practices similar to those alleged in 
the complaint. Part I of the proposed order prohibits Nomi from 
misrepresenting: (A) The options through which, or the extent to which, 
consumers can exercise control over the collection, use, disclosure, or 
sharing of information collected from or about them or their computers 
or devices, or (B) the extent to which consumers will be provided 
notice about how data from or about a particular consumer, computer, or 
device is collected, used, disclosed, or shared.
    Parts II through VI of the proposed order are reporting and 
compliance provisions. Part II requires Nomi to retain documents 
relating to its compliance with the order. The order requires that all 
of the documents be retained for a five-year period. Part III requires 
dissemination of the order now and in the future to all current and 
future subsidiaries, principals, officers, directors, and managers, and 
to persons with responsibilities relating to the subject matter of the 
order. Part IV ensures notification to the FTC of changes in corporate 
status. Part V mandates that Nomi submit a compliance report to the FTC 
within 90 days, and periodically thereafter as requested. Part VI is a 
provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order or to modify the 
order's terms in any way.

    By direction of the Commission, Commissioners Ohlhausen and 
Wright dissenting.
Donald S. Clark,
Secretary.

Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner 
McSweeny

    We write to express our support for the complaint and proposed 
consent order in this case.
    Nomi Technologies, Inc. is a provider of technology services that 
allow retailers to track consumers' movements around their stores by 
detecting the media access control (``MAC'') addresses broadcast by the 
WiFi interface on consumers' mobile devices.\1\ Services like Nomi's 
benefit businesses and consumers. For example, they enable retailers to 
improve store layouts and reduce customer wait times.
---------------------------------------------------------------------------

    \1\ Although Nomi took steps to obscure the MAC addresses it 
collected by cryptographically hashing them, hashing generates a 
unique number that can be used to identify a device throughout its 
lifetime and is a process that can easily be ``reversed'' to reveal 
the original MAC address. See, e.g., Jonathan Mayer, Questionable 
Crypto in Retail Analytics, March 19, 2014, https://webpolicy.org/2014/03/19/questionable-crypto-in-retail-analytics/ (describing 
successful efforts in ``reversing the hash'' to identify the 
original MAC address).
---------------------------------------------------------------------------

    At the same time, Nomi's service, and others like it, raise privacy 
concerns because they rely on the collection and use of consumers' 
precise location data. Indeed, Nomi sought to assure consumers that its 
practices were privacy-protecting, declaring in its privacy policy that 
``privacy is our first priority.'' A core element of Nomi's assurance 
was its promise that consumers could opt out of Nomi's service through 
its Web site ``as well as at any retailer using Nomi's technology.'' 
Thus, Nomi made a specific and express promise to consumers about how, 
when, and where they could opt out of the location tracking services 
that the company provided to its clients.

[[Page 24926]]

    As the Commission alleges in its complaint, however, this express 
promise was false. At no time during the nearly year-long period that 
Nomi made this promise to consumers did Nomi provide an in-store opt 
out at the retailers using its service. Moreover, the express promise 
of an in-store opt out necessarily makes a second, implied promise: 
That retailers using Nomi's service would notify consumers that the 
service was in use. This promise was also false. Nomi did not require 
its clients to provide such a notice. To our knowledge, no retailer 
provided such a notice on its own.
    The proposed order includes carefully-tailored relief designed to 
prevent similar violations in the future. Specifically, it prohibits 
Nomi from making future misrepresentations about the notice and choices 
that will be provided to consumers about the collection and use of 
their information.
    Nevertheless, Commissioner Wright argues in his dissent that Nomi's 
express promise to provide an in-store opt-out was not material because 
a Web site opt-out was available, and that, in any event, the 
Commission should not have brought this action because it will deter 
industry from adopting business practices that benefit consumers. In a 
separate statement, Commissioner Ohlhausen dissents on grounds of 
prosecutorial discretion. This statement addresses both dissents' 
arguments.

I. Nomi's Express Opt-Out Promise Was False and Material, and Therefore 
Deceptive

    According to the Commission's Deception Policy Statement, a 
deceptive representation, omission, or practice is one that is material 
and likely to mislead a consumer acting reasonably under the 
circumstances. ``The basic question [with respect to materiality] is 
whether the act or practice is likely to affect the consumer's conduct 
or decision with respect to the product or service.'' \2\ Furthermore, 
the Commission presumes that an express claim is material,\3\ as is 
``information pertaining to the central characteristics of the product 
or service.'' \4\
---------------------------------------------------------------------------

    \2\ Deception Policy Statement Sec.  I.
    \3\ Deception Policy Statement Sec.  IV.
    \4\ Id.
---------------------------------------------------------------------------

    Importantly, Section 5 case law makes clear that ``[m]ateriality is 
not a test of the effectiveness of the communication in reaching large 
numbers of consumers. It is a test of the likely effect of the claim on 
the conduct of a consumer who has been reached and deceived.'' \5\ 
Consumers who read the Nomi privacy statement would likely have been 
privacy-sensitive, and claims about how and when they could opt out 
would likely have especially mattered to them. Some of those consumers 
could reasonably have decided not to share their MAC address with an 
unfamiliar company in order to opt out of tracking, as the Web site-
based opt-out required. Instead, those consumers may reasonably have 
decided to wait to see if stores they patronized actually used Nomi's 
services and opt out then. Or they may have decided that they would 
simply not patronize stores that use Nomi's services, so that they 
could effectively ``vote with their feet'' rather than exercising the 
opt-out choice. Or consumers may simply have found it inconvenient to 
opt out at the moment they were viewing Nomi's privacy policy, and 
decided to opt out later.
---------------------------------------------------------------------------

    \5\ In the Matter of Novartis, 1999 FTC LEXIS 63 *38 (May 27, 
1999).
---------------------------------------------------------------------------

    These choices were rendered illusory because of Nomi's alleged 
failure to ensure that its client retailers provide any signs or opt-
outs at stores. Further, consumers visiting stores that used Nomi's 
services would have reasonably concluded, in the absence of signage and 
the promised opt-outs, that these stores did not use Nomi's services. 
Nomi's express representations regarding how consumers may opt out of 
its location tracking services go to the very heart of consumers' 
ability to make decisions about whether to participate in these 
services. Thus, we have ample reason to believe that Nomi's opt-out 
representations were material.
    In his dissent, Commissioner Wright points to certain evidence 
that, in his view, rebuts the notion that a consumer who viewed Nomi's 
privacy policy would ``bypass the easier and immediate route (the 
online opt out) in favor of waiting'' to opt out at a retail 
location.\6\ According to Commissioner Wright, because consumers who 
viewed Nomi's privacy policy opted out at a higher rate (3.8%) than 
what is reported for a certain method of opting out of online 
behavioral advertising (less than 1%),\7\ this shows that consumers who 
wanted to opt out of tracking were able to do so--and therefore, the 
representation that consumers could opt out at an individual retailer 
was not material. We do not believe the 3.8% opt-out rate provides 
reliable evidence to rebut the presumption of materiality.
---------------------------------------------------------------------------

    \6\ Statement of Commissioner Wright at 4.
    \7\ Id. at 3 & n.15.
---------------------------------------------------------------------------

    The benchmark against which Commissioner Wright measures the Nomi 
opt-out rate--the purported opt out rate for online behavioral 
advertising--is neither directly comparable to, nor provides meaningful 
information about, consumers' likely motivations in deciding whether to 
opt-out of Nomi's Listen service. The difference in opt-out rates could 
simply mean that the practice of location tracking is much more 
material to consumers than behavioral advertising, and for that reason 
a much higher number of consumers exercised the Web site opt out. 
Indeed, recent studies have shown that consumers are concerned about 
offline retail tracking and tracking that occurs over time,\8\ as took 
place here. These relative opt-out rates could just as easily imply 
that many more than 3.8% of consumers were interested in opting out of 
Nomi's retail tracking, and that the consumers who did not opt out on 
the Web site were relying on their ability to opt out in stores, as 
promised by Nomi.
---------------------------------------------------------------------------

    \8\ See New Study: Consumers Overwhelmingly Reject In-store 
Tracking by Retailers, OpinionLab, March 27, 2014 https://www.opinionlab.com/press_release/new-study-consumers-overwhelmingly-reject-in-store-tracking-by-retailers/ (44% of survey respondents 
indicated that they would be less likely to shop at a store that 
uses in-store mobile device tracking); Spring Privacy Series: Mobile 
Device Tracking Seminar, available at https://www.ftc.gov/system/files/documents/public_events/182251/140219mobiledevicetranscript.pdf; Remarks of Ilana Westerman, Create 
with Context, at 47-48; 50 (stating that a study of 4600 Americans 
showed that consumers are reluctant to give up their location 
histories).
---------------------------------------------------------------------------

    In short, the 3.8% opt-out rate for Nomi's Web site opt-out, along 
with the comparison to opt-out rates in other contexts, is simply 
insufficient evidence to evaluate what choices the other 96.2% of 
visitors to the Web site intended to make, given the promises Nomi made 
to them about their options. Commissioner Wright is simply speculating 
when he extrapolates from the available data his conclusion that in-
store opt-out rates would have been so low as to render the in-store 
option immaterial. Such inconclusive evidence fails to rebut any 
presumption of materiality that we might apply to Nomi's statements.

II. The Proposed Order Contains Appropriate and Meaningful Relief

    The Commission's acceptance of the consent agreement is appropriate 
in light of both Nomi's alleged deception and the relief in the 
proposed order. The proposed order addresses the underlying deception 
in an appropriately tailored way. It prohibits Nomi from 
misrepresenting the options that consumers have to exercise control 
over information that Nomi collects, uses, discloses, or shares about 
them or their devices.\9\ It also prohibits Nomi from misrepresenting 
the extent to

[[Page 24927]]

which consumers will be notified about such choices.\10\ Nomi may be 
subject to civil penalties if it violates either of these prohibitions. 
While the consent order does not require that Nomi provide in-store 
notice when a store uses its services or offer an in-store opt out, 
that was not the Commission's goal in bringing this case. This case is 
simply about ensuring that when companies promise consumers the ability 
to make choices, they follow through on those promises. The relief in 
the order is therefore directly tied to the deceptive practices alleged 
in the complaint.\11\ The order will also serve to deter other 
companies from making similar false promises and encourage them to 
periodically review the statements they make to consumers to ensure 
that they are accurate and up-to-date.
---------------------------------------------------------------------------

    \9\ Order Sec.  I.
    \10\ Id.
    \11\ After arguing primarily that Nomi did not violate Section 
5, Commissioner Wright argues in the alternative that the proposed 
order is too narrow. See Statement of Commissioner Wright at 4 
(stating that ``the proposed consent order does nothing to alleviate 
such harm [from retail location tracking]'' because it does not 
require Nomi to offer, and provide notice of, an in-store opt out). 
This argument is based on a misunderstanding of the injury at issue 
in this case. Here, the injury to consumers was Nomi's allegedly 
false and material statement of the opt-out choices available to 
consumers. The proposed order prohibits Nomi from making such 
representations and thereby addresses the underlying consumer 
injury.
---------------------------------------------------------------------------

    In their dissents, however, Commissioners Wright and Ohlhausen 
argue that the Commission should have declined to take action in this 
case. Commissioner Ohlhausen views this action as ``encourag[ing] 
companies to do only the bare minimum on privacy, ultimately leaving 
consumers worse off.'' \12\ Similarly, Commissioner Wright argues that 
the action against Nomi ``sends a dangerous message to firms weighing 
the costs and benefits of voluntarily providing information and choice 
to consumers.'' \13\
---------------------------------------------------------------------------

    \12\ Statement of Commissioner Ohlhausen.
    \13\ Statement of Commissioner Wright at 4.
---------------------------------------------------------------------------

    The Commission encourages companies to provide privacy choices to 
consumers, but it also must take action in appropriate cases to stop 
companies from providing false choices. Our action today does just 
that. Indeed, this case is very similar to prior Commission cases 
involving allegedly deceptive opt outs.\14\ We do not believe that any 
of these actions--including the one announced today--have deterred or 
will deter companies from providing truthful choices. To the contrary, 
companies are voluntarily adopting enforceable privacy commitments in 
the retail location tracking space \15\ and in other areas.\16\
---------------------------------------------------------------------------

    \14\ See U.S. v. Google Inc., No. CV 12-04177, (N.D. Cal. Nov. 
16, 2012) (stipulated injunction) ($22.5 million settlement over 
Google's allegedly deceptive opt out, which did not work on the 
Safari browser); Chitika, Inc., No. C-4324, (F.T.C. June 7, 2011) 
(consent order) available at https://www.ftc.gov/enforcement/cases-proceedings/1023087/chitika-inc-matter (alleging that advertising 
network deceived consumers by not telling them that their opt out of 
behavioral advertising cookies would last only 10 days); U.S. 
Search, Inc., No. C-4317 (Mar. 14, 2011) (consent order) available 
at https://www.ftc.gov/enforcement/cases-proceedings/us-search-inc 
(alleging that a data broker deceived consumers by failing to 
disclose limitations of its opt out).
    \15\ The Future of Privacy Forum has developed an entire self-
regulatory code that requires industry members to provide such 
choices. See also Jan Lauren Boyles et al., Pew Internet Project, 
Privacy and Data Management on Mobile Devices 2 (2012), available at 
https://www.pewinternet.org/files/old-media/Files/Reports/2012/PIP_MobilePrivacyManagement.pdf (reporting that 19% of consumers 
``turned off the location tracking feature on their cell phone 
because they were concerned that other individuals or companies 
could access that information) and Westerman, supra note 8, at 50-52 
(describing sensitivity of location history, based on study of 4600 
U.S. consumers).
    \16\ See, e.g., Future of Privacy Forum, K-12 Student Privacy 
Pledge Announced (Oct. 7, 2014), available at https://www.futureofprivacy.org/2014/10/07/k-12-student-privacy-pledge-announced/.
---------------------------------------------------------------------------

* * * * *
    The application of Section 5 deception authority to express 
statements likely to affect a consumer's choice of or conduct regarding 
a good or service is well established. For close to a year, Nomi 
claimed to offer two opt-out methods but in fact it provided only one. 
We believe this failure was material and that Nomi had a legal 
obligation to fulfill the promises it made to consumers.

 Dissenting Statement of Commissioner Maureen K. Ohlhausen

    Nomi Technologies Inc., a startup company, offered its retail 
merchant clients the ability to analyze aggregate data about consumer 
traffic in the merchants' stores. Nomi provided this service by 
observing smartphone MAC addresses--a series of hexadecimal numbers 
that every WiFi-enabled device publicly broadcasts to any listening 
receiver. Nomi did not store this publicly broadcast information, but 
instead hashed the addresses and stored the hash. Nomi provided this 
service as a third party contractor; it had no direct relationship with 
consumers. At the time covered by the complaint, the majority of Nomi's 
customers were trialing this startup service in a few stores, at most.
    It is important to note that, as a third party contractor 
collecting no personally identifiable information, Nomi had no 
obligation to offer consumers an opt out. Yet from the inception of the 
service, Nomi offered all consumers the opportunity to opt out 
globally.
    For a time, Nomi's privacy policy stated that Nomi ``pledges to . . 
. Always allow consumers to opt out of Nomi's service on its Web site 
as well as at any retailer using Nomi's technology.'' \1\ As already 
noted, Nomi did offer a global opt out on its Web site. However, it 
appears that none of Nomi's retail clients offered consumers the 
opportunity or ability to opt out. Thus, Nomi's privacy policy was 
partly inaccurate. As Commissioner Wright points out, the evidence we 
have suggests that the privacy policy's partially inaccurate statement 
harmed no consumers.\2\
---------------------------------------------------------------------------

    \1\ Complaint, Exhibit A (Nomi's privacy policy from 
approximately Nov. 2012 until Jan. 2013) (emphasis added).
    \2\ Dissenting Statement of Commissioner Joshua Wright at 2.
---------------------------------------------------------------------------

    I believe the FTC should not have brought a case against Nomi based 
on these facts and instead should have exercised its prosecutorial 
discretion, for two reasons. First, the Commission should use its 
limited resources to pursue cases that involve consumer harm. Second, 
and more importantly, we should not apply a de facto strict liability 
approach to a young company that attempted to go above and beyond its 
legal obligation to protect consumers but, in so doing, erred without 
benefiting itself. I fear that the majority's decision in this case 
encourages companies to do only the bare minimum on privacy, ultimately 
leaving consumers worse off.
    For these reasons, I dissent.

Dissenting Statement of Commissioner Joshua D. Wright

    Today, the Commission finds itself in the unfortunate position of 
trying to fix a problem that no longer exists by stretching a legal 
theory to fit the unwieldy facts before it. I dissent from the 
Commission's decision to accept for public comment a consent order with 
Nomi Technologies, Inc. (Nomi) not only because it is inconsistent with 
a fair reading of the Commission's Policy Statement on Deception, but 
also because even if the facts were to support a technical legal 
violation--which they do not--prosecutorial discretion would favor 
restraint.
    Nomi does not track individual consumers--that is, Nomi's 
technology records whether individuals are unique or repeat visitors, 
but it does not identify them. Nomi provides analytics services based 
upon data collected from mobile device tracking technology to brick-
and-mortar retailers through its

[[Page 24928]]

``Listen'' service.\1\ Nomi uses sensors placed in its clients' retail 
locations or its clients' existing WiFi access points to detect the 
media access control (MAC) address broadcast by a consumer's mobile 
device when it searches for WiFi networks. Nomi passes MAC addresses 
through a cryptographic hash function before collection and creates a 
persistent unique identifier for the mobile device.\2\ Nomi does not 
``unhash'' this identifier to retrieve the MAC addresses and Nomi does 
not store the MAC addresses of the mobile devices. In addition to 
creating this unique persistent identifier, Nomi collects the device 
manufacturer information, the device's signal strength, and the date, 
time and locating sensor of the mobile device. This information is then 
used to provide analytics to Nomi's clients. For example, even without 
knowing the identity of those visiting their stores, the data provided 
by Nomi's Listen service can generate potentially valuable insights 
about aggregate in-store consumer traffic patterns, such as the average 
duration of customers' visits, the percentage of repeat customers, or 
the percentage of consumers that pass by a store rather than entering 
it. These insights, in turn, allow retailers to measure how different 
retail promotions, product offerings, displays, and services impact 
consumers. In short, these insights help retailers optimize consumers' 
shopping experiences,\3\ inform staffing coverage for their stores, and 
improve store layouts.
---------------------------------------------------------------------------

    \1\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Compl. ] 3 (Apr. 23, 2015).
    \2\ For more information on cryptographic hashing, see Rob 
Sobers, The Definitive Guide to Cryptographic Hash Functions (Part 
I), Varonis (Aug. 2, 2012), https://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/.
    \3\ See, e.g., Alyson Shontell, It Took Only 13 Days for Former 
Salesforce Execs to Raise $3 Million for Their Startup, Nomi, 
Business Insider (Feb. 11, 2013), https://www.businessinsider.com/former-salesforce-and-buddy-media-executives-raise-3-million-nomi-2013-2 (``The moment you open Amazon.com, your entire retail 
experience is personalized, down to the promotions you see and the 
products you are pushed. That's because e-commerce is a data-driven 
industry, and Web sites know a lot about customers who stumble on to 
their Web sites. Physical stores however, where 90% of all retail 
purchases still occur, know nothing about the customers who walk in 
their doors.'').
---------------------------------------------------------------------------

    The Commission's complaint focuses upon a single statement in 
Nomi's privacy policy. Specifically, Nomi's privacy policy states that 
``Nomi pledges to . . . Always allow consumers to opt out of Nomi's 
service on its Web site as well as at any retailer using Nomi's 
technology.'' \4\ Count I of the complaint alleges Nomi represented in 
its privacy policy that consumers could opt out of its Listen service 
at retail locations using the service, but did not in fact provide a 
retail level opt out. Count II relies upon this same representation to 
allege a second deceptive practice--that the failure to provide the opt 
out in the first instance also implies a failure to provide notice to 
consumers that a specific retailer would be using the Listen 
service.\5\
---------------------------------------------------------------------------

    \4\ Compl. ] 12.
    \5\ Compl. ] 16-17.
---------------------------------------------------------------------------

    The Commission's decision to issue a complaint and accept a consent 
order for public comment in this matter is problematic for both legal 
and policy reasons. Section 5(b) of the FTC Act requires us, before 
issuing any complaint, to establish ``reason to believe that [a 
violation has occurred]'' and that an enforcement action would ``be to 
the interest of the public.'' \6\ While the Act does not set forth a 
separate standard for accepting a consent decree, I believe that 
threshold should be at least as high as for bringing the initial 
complaint. The Commission has not met the relatively low ``reason to 
believe'' bar because its complaint does not meet the basic 
requirements of the Commission's 1983 Deception Policy Statement. 
Further, the complaint and proposed settlement risk significant harm to 
consumers by deterring industry participants from adopting business 
practices that benefit consumers.
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 45(b).
---------------------------------------------------------------------------

    The fundamental failure of the Commission's complaint is that the 
evidence simply does not support the allegation that Nomi's 
representation about an opportunity to opt out of the Listen service at 
the retail level--in light of the immediate and easily accessible opt 
out available on the Web page itself--was material to consumers. This 
failure alone is fatal. A representation simply cannot be deceptive 
under the long-standing FTC Policy Statement on Deception in the 
absence of materiality.\7\ The Policy Statement on Deception highlights 
the centrality of the materiality inquiry, observing that the ``basic 
question is whether the act or practice is likely to affect the 
consumer's conduct or decision with regard to a product or service.'' 
\8\ The materiality inquiry is critical because the Commission's 
construct of ``deception'' uses materiality as an evidentiary proxy for 
consumer injury: ``[i]njury exists if consumers would have chosen 
differently but for the deception. If different choices are likely, the 
claim is material, and injury is likely as well.'' \9\ This is a 
critical point. Deception causes consumer harm because it influences 
consumer behavior--that is, the deceptive statement is one that is not 
merely misleading in the abstract but one that causes cause consumers 
to make choices to their detriment that they would not have otherwise 
made. This essential link between materiality and consumer injury 
ensures the Commission's deception authority is employed to deter only 
conduct that is likely to harm consumers and does not chill business 
conduct that makes consumers better off. This link also unifies the 
Commission's two foundational consumer protection authorities--
deception and unfairness--by tethering them to consumer injury.
---------------------------------------------------------------------------

    \7\ Fed. Trade Comm'n, Policy Statement on Deception (1983), 
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 175, 182 (1984) 
[hereinafter FTC Policy Statement on Deception], available at 
https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.
    \8\ FTC Policy Statement on Deception, 103 F.T.C. at 175.
    \9\ Id. at 183.
---------------------------------------------------------------------------

    The Commission does not explain how it finds the materiality 
requirement satisfied; presumably it does so upon the assumption that 
``express statements'' are presumptively material.\10\ However, that 
presumption was never intended to substitute for common sense, 
evidence, or analysis. Indeed, the Policy Statement on Deception 
acknowledges the ``Commission will always consider relevant and 
competent evidence offered to rebut presumptions of materiality.'' \11\ 
Here, the Commission failed to discharge its commitment to duly 
consider relevant and competent evidence that squarely rebuts the 
presumption that Nomi's failure to implement an additional, retail-
level opt out was material to consumers. In other words, the Commission 
neglects to take into account evidence demonstrating consumers would 
not ``have chosen differently'' but for the allegedly deceptive 
representation.
---------------------------------------------------------------------------

    \10\ See POM Wonderful LLC, 2013 FTC LEXIS 6, *121 (2013); 
Novartis Corp., 127 F.T.C. 580, 686 (1999); American Home Prods., 98 
F.T.C. 136, 368 (1981).
    \11\ FTC Policy Statement on Deception, 103 F.T.C. at 182 n.47.
---------------------------------------------------------------------------

    Nomi represented that consumers could opt out on its Web site as 
well as in the store where the Listen service was being utilized. Nomi 
did offer a fully functional and operational global opt out from the 
Listen service on its Web site.\12\ Thus, the only remaining

[[Page 24929]]

potential issue is whether Nomi's failure to offer the represented in-
store opt out renders the statement in its privacy policy deceptive. 
The evidence strongly implies that specific representation was not 
material and therefore not deceptive. Nomi's ``tracking'' of users was 
widely publicized in a story that appeared on the front page of The New 
York Times,\13\ a publication with a daily reach of nearly 1.9 million 
readers.\14\ Most likely due to this publicity, Nomi's Web site 
received 3,840 unique visitors during the relevant timeframe and 
received 146 opt outs--an opt-out rate of 3.8% of site visitors. This 
opt-out rate is significantly higher than the opt-out rate for other 
online activities.\15\ This high rate, relative to Web site visitors, 
likely reflects the ease of a mechanism that was immediately and 
quickly available to consumers at the time they may have been reading 
the privacy policy.
---------------------------------------------------------------------------

    \12\ As such, the facts of this case are distinguishable from 
the cases cited for support by the majority in its statement. In the 
Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Statement 
of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny 
5 n.14 (Apr. 23, 2015).
    \13\ Stephanie Clifford & Quentin Hardy, Attention, Shoppers: 
Store is Tracking Your Cell, New York Times (July 14, 2013), https://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0.
    \14\ The Associated Press, Top 10 Newspapers by Circulation: 
Wall Street Journal Leads Weekday Circulation, Huffington Post (Apr. 
30, 2013), https://www.huffingtonpost.com/2013/05/01/newspaper-circulation-top-10_n_3188612.html.
    \15\ In perhaps the most comparable circumstance--Do Not Track 
mechanisms--the opt-out rate is extremely low. See, e.g., Jack 
Marshall, The Do Not Track Era, Digiday (Feb. 27, 2012), https://digiday.com/platforms/advertising-in-the-do-not-track-era/ 
(``[a]ccording to data from Evidon, which facilitates the serving of 
those icons, someone clicks and goes through the opt-out process 
once for every 10,000 ad impressions served''); Matthew Creamer, 
Despite Digital Privacy Uproar, Consumers are Not Opting Out, 
Advertising Age (May 31, 2011), https://adage.com/article/digital/digital-privacy-uproar-consumers-opting/227828/ (``Evidon, which has 
the longest set of data, is seeing click-through of 0.005% with only 
2% opting out from 30 billion impressions''). See also Richard 
Beaumont, Cookie Opt-Out Stats Revealed, The Cookie Collective (Feb. 
19, 2014), https://www.cookielaw.org/blog/2014/2/19/cookie-opt-out-statistics-revealed/.
---------------------------------------------------------------------------

    The Commission's reliance upon a presumption of materiality as to 
the additional representation of the availability of an in-store opt 
out is dubious in light of evidence of the opt-out rate for the Web 
page mechanism. Actual evidence of consumer behavior indicates that 
consumers that were interested in opting out of the Listen service took 
their first opportunity to do so. To presume the materiality of a 
representation in a privacy policy concerning the availability of an 
additional, in-store opt-out mechanism requires one to accept the 
proposition that the privacy-sensitive consumer would be more likely to 
bypass the easier and immediate route (the online opt out) in favor of 
waiting until she had the opportunity to opt out in a physical 
location. Here, we can easily dispense with shortcut presumptions meant 
to aid the analysis of consumer harm rather than substitute for it. The 
data allow us to know with an acceptable level of precision how many 
consumers--3.8% of them--reached the privacy policy, read it, and made 
the decision to opt out when presented with that immediate choice. The 
Commission's complaint instead adopts an approach that places legal 
form over substance, is inconsistent with the available data, and 
defies common sense.
    The Commission's approach here is problematic for another reason. 
To the extent there is consumer injury when consumers are offered an 
opt out from tracking that cannot be effectuated, or that more 
generally, consumers are uncomfortable with such tracking and it should 
be disclosed to them, the proposed consent order does nothing to 
alleviate such harm and will, instead, likely exacerbate it. Nomi has 
removed its representation about a retail level opt-out mechanism from 
its privacy policy. The proposed consent order does not require Nomi to 
offer such a mechanism, nor does it require Nomi to disclose the 
tracking in retail locations.\16\ It is unlikely that Nomi could agree 
to such a condition any case--Nomi contracts with retailers and has no 
control over the retailers' premises. The order does not--and cannot--
compel retailers to disclose the tracking technology.
---------------------------------------------------------------------------

    \16\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Proposed Consent Order Part I (Apr. 23, 2015).
---------------------------------------------------------------------------

    Even assuming arguendo Nomi's privacy policy statement is deceptive 
under the Deception Policy Statement, the FTC would better serve 
consumers by declining to take action against Nomi. The analytical 
failings of the Commission's approach are not harmless error. Rather, 
aggressive prosecution of this sort will inevitably deter industry 
participants like Nomi from engaging in voluntary practices that 
promote consumer choice and transparency--the very principles that lie 
at the heart of the Commission's consumer protection mission.\17\ Nomi 
was under no legal obligation to post a privacy policy, describe its 
practices to consumers, or to offer an opt-out mechanism. To penalize a 
company for such a minor shortcoming--particularly when there is no 
evidence the misrepresentation harmed consumers--sends a dangerous 
message to firms weighing the costs and benefits of voluntarily 
providing information and choice to consumers.
---------------------------------------------------------------------------

    \17\ In addition, Nomi arguably offered a product that was more 
privacy-protective than other, more intrusive methods that retailers 
currently employ, such as video cameras. See Clifford & Hardy, supra 
note 14 (``Cameras have become so sophisticated, with sharper lenses 
and data-processing, that companies can analyze what shoppers are 
looking at, and even what their mood is.'').
---------------------------------------------------------------------------

    Finally, market forces already appear to be responding to consumer 
preferences related to tracking technology. For example, in response to 
potential consumer discomfort some retailers have discontinued or 
changed the methods by which they track visitors to their physical 
stores.\18\ Technological innovation has also responded to incentives 
to provide a better consumer experience, including a Bluetooth 
technology that provides not only an opt-in choice for consumers,\19\ 
but also gives retailers the opportunity to provide their consumers 
with a more robust shopping experience.\20\ Notably, Nomi itself has 
responded to these market changes and no longer offers the MAC address 
tracking technology to any retailer other than its legacy customers.
---------------------------------------------------------------------------

    \18\ See, e.g., Amy Hollyfield, Philz to Stop Tracking Customers 
via Smartphones, ABC 7 News (May 29, 2014), https://abc7news.com/business/philz-to-stop-tracking-customers-via-smartphones/83943/; 
Peter Cohan, How Nordstrom Uses WiFi to Spy On Shoppers, Forbes (May 
9, 2013), https://www.forbes.com/sites/petercohan/2013/05/09/how-nordstrom-and-home-depot-use-wifi-to-spy-on-shoppers/.
    \19\ See, e.g., Siraj Datoo, High Street Shops are Studying 
Shopper Behaviour by Tracking Their Smartphones or Movement, The 
Guardian (Oct. 3, 2013), https://www.theguardian.com/news/datablog/2013/oct/03/analytics-amazon-retailers-physical-cookies-high-street 
(``If customers create accounts on the wireless network--something 
millions have done--they first have to accept terms and conditions 
that opts them in to having their movements monitored when inside 
the stores''); Jess Bolluyt, What's So Bad About In-Store Tracking?, 
The Cheat Sheet (Nov. 27, 2014), https://www.cheatsheet.com/technology/whats-so-bad-about-in-store-tracking.html/?a=viewall 
(``customers have to turn on Bluetooth, accept location services, 
and opt in to receive notifications'').
    \20\ See, e.g., Greg Petro, How Proximity Marketing Is Driving 
Retail Sales, Forbes (Oct. 8, 2014),  https://www.forbes.com/sites/gregpetro/2014/10/08/how-proximity-marketing-is-driving-retail-sales/(``[This will] allow Macy's to send personalized department-
level deals, discounts, recommendations and rewards to customers who 
opt-in to receive the offers''); Datoo, supra note 20 (after opting 
in, ``[u]sers can then add their loyalty card numbers to receive 
personalised recommendations.'').
---------------------------------------------------------------------------

    Accordingly, I dissent from the issuance of this complaint and the 
acceptance of a consent decree for public comment.

[FR Doc. 2015-10154 Filed 4-30-15; 8:45 am]
 BILLING CODE 6750-01-P