Nomi Technologies, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 24923-24929 [2015-10154]

Federal Register / Vol. 80, No. 84 / Friday, May 1, 2015 / Notices
FEDERAL TRADE COMMISSION

[File No. 132 3251]

Nomi Technologies, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before May 25, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/nomitechconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘Nomi Technologies, Inc.,—Consent Agreement; File No. 132 3251’’ on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write ‘‘Nomi Technologies, Inc.,—Consent Agreement; File No. 132 3251’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias (202–326–3334) or Jacqueline Connor (202–326–2844), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for April 23, 2015), on the World Wide Web at: https://www.ftc.gov/os/actions.shtm.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before May 25, 2015. Write ‘‘Nomi Technologies, Inc.,—Consent Agreement; File No. 132 3251’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which . . . is privileged or confidential,’’ as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).1 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If this Notice appears at https://www.regulations.gov/#!home, you also may file a comment through that Web site.
1 In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).

If you file your comment on paper, write ‘‘Nomi Technologies, Inc.,—Consent Agreement; File No. 132 3251’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before May 25, 2015. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent order applicable to Nomi Technologies, Inc. (‘‘Nomi’’).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record.
After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.

Nomi uses mobile device tracking technology to provide analytics services to brick and mortar retailers through its ‘‘Listen’’ service. Nomi has been collecting information from consumers’ mobile devices to provide the Listen service since January 2013. Nomi places sensors in its clients’ retail locations that detect the media access control (‘‘MAC’’) address broadcast by a mobile device when it searches for WiFi networks. A MAC address is a 12-digit identifier that is unique to a particular device. Alternatively, in some instances Nomi collects MAC addresses through its clients’ existing WiFi access points.

In addition to the MAC address, Nomi also collects the following information about each mobile device that comes within range of its sensors or its clients’ WiFi access points: The mobile device’s signal strength; the mobile device’s manufacturer (derived from the MAC address); the location of the sensor or WiFi access point observing the mobile device; and the date and time the mobile device is observed.

Nomi cryptographically hashes the MAC addresses it observes prior to storing them on its servers. Hashing obfuscates the MAC address, but the result is still a persistent unique identifier for that mobile device. Each time a MAC address is run through the same hash function, the resulting identifier will be the same. For example, if MAC address 1A:2B:3C:4D:5E:6F is run through Nomi’s hash function on ten different occasions, the resulting identifier will be the same each time.
As a result, while Nomi does not store the MAC address, it does store a persistent unique identifier for each mobile device. Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013.

Nomi uses the information it collects to provide analytics reports to its clients about aggregate customer traffic patterns such as: The percentage of consumers merely passing by the store versus entering the store; the average duration of consumers’ visits; types of mobile devices used by consumers visiting a location; the percentage of repeat customers within a given time period; and the number of customers that have also visited another location within the client’s chain.

Through October 22, 2013, Nomi’s Listen service had approximately 45 clients. Some of these clients deployed the service in multiple locations within their chains. Nomi has not published, or otherwise made available to consumers, a list of the retailers that use or used the Listen service. Nomi does not require its clients to post disclosures or otherwise notify consumers that they use the Listen service. Through October 22, 2013, most, if not all, of Nomi’s clients did not post any disclosure, or otherwise notify consumers, regarding their use of the Listen service.

From at least November 2012, until October 22, 2013, Nomi disseminated or caused to be disseminated privacy policies on its Web site, nomi.com or getnomi.com, which included the following statement:

Nomi pledges to. . . . Always allow consumers to opt out of Nomi’s service on its Web site as well as at any retailer using Nomi’s technology.

Nomi provided, and continues to provide, an opt out on its Web site for consumers who do not want Nomi to store observations of their mobile device.
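The collection and hashing steps described above, as an added Python example that is not Nomi's code and not part of the FTC notice: it hashes each observed MAC address and builds the repeat-visitor and cross-location figures from the hashed identifier alone, which is why the stored value still singles out one device. Unsalted SHA-256 is an assumption (the notice does not name the hash function), the observations and store names are constructed sample data, and the opt-out check models the Web site opt-out list of MAC addresses that this analysis describes.

```python
import hashlib
from collections import defaultdict

HEX = set("0123456789ABCDEF")


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address, upper case, no separators."""
    digits = "".join(ch for ch in mac.upper() if ch not in ":-.")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def device_id(mac: str) -> str:
    """Hash a MAC address into the identifier that gets stored.

    Assumption: unsalted SHA-256. The hash is deterministic, so the same
    device yields the same identifier at every sensor on every visit.
    """
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample data: (MAC as broadcast, sensor location, date, signal dBm)
OBSERVATIONS = [
    ("1A:2B:3C:4D:5E:6F", "store-A", "2013-03-01", -48),
    ("1a-2b-3c-4d-5e-6f", "store-A", "2013-03-08", -52),  # same device, other notation
    ("1A2B.3C4D.5E6F", "store-B", "2013-03-09", -60),     # same device, second store
    ("AA:BB:CC:00:11:22", "store-A", "2013-03-01", -71),
    ("AA:BB:CC:00:11:23", "store-B", "2013-03-02", -65),
    ("DE:AD:BE:EF:00:01", "store-A", "2013-03-03", -55),  # on the opt-out list
]

# Opt-out list of MAC addresses, normalized so "de:ad..." matches "DE-AD...".
OPT_OUT_MACS = {normalize_mac("de:ad:be:ef:00:01")}


def ingest(observations, opt_out_macs):
    """Drop opted-out devices, then store hashed records (never the raw MAC)."""
    stored = []
    for mac, location, date, rssi in observations:
        digits = normalize_mac(mac)
        if digits in opt_out_macs:
            continue
        stored.append({
            "id": device_id(digits),
            "oui": digits[:6],  # manufacturer prefix, derived from the MAC
            "location": location,
            "date": date,
            "rssi": rssi,
        })
    return stored


def traffic_report(stored):
    """Aggregate figures computed from hashed identifiers only."""
    dates, locations = defaultdict(set), defaultdict(set)
    for rec in stored:
        dates[rec["id"]].add(rec["date"])
        locations[rec["id"]].add(rec["location"])
    devices = len(dates)
    repeat = sum(1 for seen in dates.values() if len(seen) > 1)
    multi = sum(1 for locs in locations.values() if len(locs) > 1)
    return {
        "devices": devices,
        "repeat_pct": round(100 * repeat / devices, 1) if devices else 0.0,
        "multi_location_devices": multi,
    }


def history_for(stored, mac):
    """The hash is a stable lookup key: recomputing it returns that device's visits."""
    ident = device_id(mac)
    return [(r["location"], r["date"]) for r in stored if r["id"] == ident]


if __name__ == "__main__":
    records = ingest(OBSERVATIONS, OPT_OUT_MACS)
    print(traffic_report(records))
    print(history_for(records, "1A:2B:3C:4D:5E:6F"))
```

The opt-out only works because the list and the observed address are normalized the same way before comparison; a list keyed on the raw string would miss the same device written in a different notation.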
In order to opt out of the Listen service on Nomi’s Web site, consumers were required to provide Nomi with all of their mobile devices’ MAC addresses, without knowing whether they would ever shop at a retail location using the Listen service. Once a consumer has entered the MAC address of their device into Nomi’s Web site opt out, Nomi adds it to a blacklist of MAC addresses for which information will not be stored.

Consumers who did not opt out on Nomi’s Web site and instead wanted to make the opt out decision at retail locations were unable to do so, despite the explicit promise in Nomi’s privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used.

The Commission’s complaint alleges that Nomi’s privacy policy represented that: (1) Consumers could opt out of Nomi’s Listen service at retail locations using this service, and (2) that consumers would be given notice when a retail location was utilizing Nomi’s Listen service. The complaint alleges that Nomi violated Section 5 of the Federal Trade Commission Act by misleading consumers because, contrary to its representations, Nomi did not provide an opt-out mechanism at its clients’ retail locations and neither Nomi nor its clients disclosed to consumers that Nomi’s Listen service was being used at a retail location.

The proposed order contains provisions designed to prevent Nomi from engaging in the future in practices similar to those alleged in the complaint. Part I of the proposed order prohibits Nomi from misrepresenting: (A) The options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.
Parts II through VI of the proposed order are reporting and compliance provisions. Part II requires Nomi to retain documents relating to its compliance with the order. The order requires that all of the documents be retained for a five-year period. Part III requires dissemination of the order now and in the future to all current and future subsidiaries, principals, officers, directors, and managers, and to persons with responsibilities relating to the subject matter of the order. Part IV ensures notification to the FTC of changes in corporate status. Part V mandates that Nomi submit a compliance report to the FTC within 90 days, and periodically thereafter as requested. Part VI is a provision ‘‘sunsetting’’ the order after twenty (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint or order or to modify the order’s terms in any way.

By direction of the Commission, Commissioners Ohlhausen and Wright dissenting.

Donald S. Clark, Secretary.

Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny

We write to express our support for the complaint and proposed consent order in this case.

Nomi Technologies, Inc. is a provider of technology services that allow retailers to track consumers’ movements around their stores by detecting the media access control (‘‘MAC’’) addresses broadcast by the WiFi interface on consumers’ mobile devices.1 Services like Nomi’s benefit businesses and consumers. For example, they enable retailers to improve store layouts and reduce customer wait times. At the same time, Nomi’s service, and others like it, raise privacy concerns because they rely on the collection and use of consumers’ precise location data.
Indeed, Nomi sought to assure consumers that its practices were privacy-protecting, declaring in its privacy policy that ‘‘privacy is our first priority.’’ A core element of Nomi’s assurance was its promise that consumers could opt out of Nomi’s service through its Web site ‘‘as well as at any retailer using Nomi’s technology.’’ Thus, Nomi made a specific and express promise to consumers about how, when, and where they could opt out of the location tracking services that the company provided to its clients.

1 Although Nomi took steps to obscure the MAC addresses it collected by cryptographically hashing them, hashing generates a unique number that can be used to identify a device throughout its lifetime and is a process that can easily be ‘‘reversed’’ to reveal the original MAC address. See, e.g., Jonathan Mayer, Questionable Crypto in Retail Analytics, March 19, 2014, https://webpolicy.org/2014/03/19/questionable-crypto-in-retail-analytics/ (describing successful efforts in ‘‘reversing the hash’’ to identify the original MAC address).

As the Commission alleges in its complaint, however, this express promise was false. At no time during the nearly year-long period that Nomi made this promise to consumers did Nomi provide an in-store opt out at the retailers using its service. Moreover, the express promise of an in-store opt out necessarily makes a second, implied promise: That retailers using Nomi’s service would notify consumers that the service was in use. This promise was also false. Nomi did not require its clients to provide such a notice. To our knowledge, no retailer provided such a notice on its own.

The proposed order includes carefully-tailored relief designed to prevent similar violations in the future.
Specifically, it prohibits Nomi from making future misrepresentations about the notice and choices that will be provided to consumers about the collection and use of their information. Nevertheless, Commissioner Wright argues in his dissent that Nomi’s express promise to provide an in-store opt-out was not material because a Web site opt-out was available, and that, in any event, the Commission should not have brought this action because it will deter industry from adopting business practices that benefit consumers. In a separate statement, Commissioner Ohlhausen dissents on grounds of prosecutorial discretion. This statement addresses both dissents’ arguments.

I. Nomi’s Express Opt-Out Promise Was False and Material, and Therefore Deceptive

According to the Commission’s Deception Policy Statement, a deceptive representation, omission, or practice is one that is material and likely to mislead a consumer acting reasonably under the circumstances. ‘‘The basic question [with respect to materiality] is whether the act or practice is likely to affect the consumer’s conduct or decision with respect to the product or service.’’ 2 Furthermore, the Commission presumes that an express claim is material,3 as is ‘‘information pertaining to the central characteristics of the product or service.’’ 4 Importantly, Section 5 case law makes clear that ‘‘[m]ateriality is not a test of the effectiveness of the communication in reaching large numbers of consumers. It is a test of the likely effect of the claim on the conduct of a consumer who has been reached and deceived.’’ 5

2 Deception Policy Statement § I.

3 Deception Policy Statement § IV.

Consumers who read the Nomi privacy statement would likely have been privacy-sensitive, and claims about how and when they could opt out would likely have especially mattered to them.
Some of those consumers could reasonably have decided not to share their MAC address with an unfamiliar company in order to opt out of tracking, as the Web site-based opt-out required. Instead, those consumers may reasonably have decided to wait to see if stores they patronized actually used Nomi’s services and opt out then. Or they may have decided that they would simply not patronize stores that use Nomi’s services, so that they could effectively ‘‘vote with their feet’’ rather than exercising the opt-out choice. Or consumers may simply have found it inconvenient to opt out at the moment they were viewing Nomi’s privacy policy, and decided to opt out later. These choices were rendered illusory because of Nomi’s alleged failure to ensure that its client retailers provide any signs or opt-outs at stores.

Further, consumers visiting stores that used Nomi’s services would have reasonably concluded, in the absence of signage and the promised opt-outs, that these stores did not use Nomi’s services. Nomi’s express representations regarding how consumers may opt out of its location tracking services go to the very heart of consumers’ ability to make decisions about whether to participate in these services. Thus, we have ample reason to believe that Nomi’s opt-out representations were material.

In his dissent, Commissioner Wright points to certain evidence that, in his view, rebuts the notion that a consumer who viewed Nomi’s privacy policy would ‘‘bypass the easier and immediate route (the online opt out) in favor of waiting’’ to opt out at a retail location.6 According to Commissioner Wright, because consumers who viewed Nomi’s privacy policy opted out at a higher rate (3.8%) than what is reported for a certain method of opting out of online behavioral advertising (less than 1%),7 this shows that consumers who wanted to opt out of tracking were able to do so—and therefore, the representation that consumers could opt out at an individual retailer was not material.
We do not believe the 3.8% opt-out rate provides reliable evidence to rebut the presumption of materiality. The benchmark against which Commissioner Wright measures the Nomi opt-out rate—the purported opt out rate for online behavioral advertising—is neither directly comparable to, nor provides meaningful information about, consumers’ likely motivations in deciding whether to opt-out of Nomi’s Listen service. The difference in opt-out rates could simply mean that the practice of location tracking is much more material to consumers than behavioral advertising, and for that reason a much higher number of consumers exercised the Web site opt out. Indeed, recent studies have shown that consumers are concerned about offline retail tracking and tracking that occurs over time,8 as took place here. These relative opt-out rates could just as easily imply that many more than 3.8% of consumers were interested in opting out of Nomi’s retail tracking, and that the consumers who did not opt out on the Web site were relying on their ability to opt out in stores, as promised by Nomi.

4 Id.

5 In the Matter of Novartis, 1999 FTC LEXIS 63 *38 (May 27, 1999).

6 Statement of Commissioner Wright at 4.

7 Id. at 3 & n.15.

8 See New Study: Consumers Overwhelmingly Reject In-store Tracking by Retailers, OpinionLab, March 27, 2014 https://www.opinionlab.com/press_release/new-study-consumers-overwhelmingly-reject-in-store-tracking-by-retailers/ (44% of survey respondents indicated that they would be less likely to shop at a store that uses in-store mobile device tracking); Spring Privacy Series: Mobile Device Tracking Seminar, available at https://www.ftc.gov/system/files/documents/public_events/182251/140219mobiledevicetranscript.pdf; Remarks of Ilana Westerman, Create with Context, at 47–48; 50 (stating that a study of 4600 Americans showed that consumers are reluctant to give up their location histories).

In short, the 3.8% opt-out rate for Nomi’s Web site opt-out, along with the comparison to opt-out rates in other contexts, is simply insufficient evidence to evaluate what choices the other 96.2% of visitors to the Web site intended to make, given the promises Nomi made to them about their options. Commissioner Wright is simply speculating when he extrapolates from the available data his conclusion that in-store opt-out rates would have been so low as to render the in-store option immaterial. Such inconclusive evidence fails to rebut any presumption of materiality that we might apply to Nomi’s statements.

II. The Proposed Order Contains Appropriate and Meaningful Relief

The Commission’s acceptance of the consent agreement is appropriate in light of both Nomi’s alleged deception and the relief in the proposed order. The proposed order addresses the underlying deception in an appropriately tailored way. It prohibits Nomi from misrepresenting the options that consumers have to exercise control over information that Nomi collects, uses, discloses, or shares about them or their devices.9 It also prohibits Nomi from misrepresenting the extent to which consumers will be notified about such choices.10 Nomi may be subject to civil penalties if it violates either of these prohibitions.

9 Order § I.

While the consent order does not require that Nomi provide in-store notice when a store uses its services or offer an in-store opt out, that was not the Commission’s goal in bringing this case. This case is simply about ensuring that when companies promise consumers the ability to make choices, they follow through on those promises.
The relief in the order is therefore directly tied to the deceptive practices alleged in the complaint.11 The order will also serve to deter other companies from making similar false promises and encourage them to periodically review the statements they make to consumers to ensure that they are accurate and up-to-date.

10 Id.

11 After arguing primarily that Nomi did not violate Section 5, Commissioner Wright argues in the alternative that the proposed order is too narrow. See Statement of Commissioner Wright at 4 (stating that ‘‘the proposed consent order does nothing to alleviate such harm [from retail location tracking]’’ because it does not require Nomi to offer, and provide notice of, an in-store opt out). This argument is based on a misunderstanding of the injury at issue in this case. Here, the injury to consumers was Nomi’s allegedly false and material statement of the opt-out choices available to consumers. The proposed order prohibits Nomi from making such representations and thereby addresses the underlying consumer injury.

In their dissents, however, Commissioners Wright and Ohlhausen argue that the Commission should have declined to take action in this case. Commissioner Ohlhausen views this action as ‘‘encourag[ing] companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.’’ 12 Similarly, Commissioner Wright argues that the action against Nomi ‘‘sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.’’ 13 The Commission encourages companies to provide privacy choices to consumers, but it also must take action in appropriate cases to stop companies from providing false choices. Our action today does just that. Indeed, this case is very similar to prior Commission cases involving allegedly deceptive opt outs.14 We do not believe that any of these actions—including the one announced today—have deterred or will deter companies from providing truthful choices. To the contrary, companies are voluntarily adopting enforceable privacy commitments in the retail location tracking space 15 and in other areas.16

12 Statement of Commissioner Ohlhausen.

13 Statement of Commissioner Wright at 4.

14 See U.S. v. Google Inc., No. CV 12–04177, (N.D. Cal. Nov. 16, 2012) (stipulated injunction) ($22.5 million settlement over Google’s allegedly deceptive opt out, which did not work on the Safari browser); Chitika, Inc., No. C–4324, (F.T.C. June 7, 2011) (consent order) available at https://www.ftc.gov/enforcement/cases-proceedings/1023087/chitika-inc-matter (alleging that advertising network deceived consumers by not telling them that their opt out of behavioral advertising cookies would last only 10 days); U.S. Search, Inc., No. C–4317 (Mar. 14, 2011) (consent order) available at https://www.ftc.gov/enforcement/cases-proceedings/us-search-inc (alleging that a data broker deceived consumers by failing to disclose limitations of its opt out).

15 The Future of Privacy Forum has developed an entire self-regulatory code that requires industry members to provide such choices. See also Jan Lauren Boyles et al., Pew Internet Project, Privacy and Data Management on Mobile Devices 2 (2012), available at https://www.pewinternet.org/files/oldmedia/Files/Reports/2012/PIP_MobilePrivacyManagement.pdf (reporting that 19% of consumers ‘‘turned off the location tracking feature on their cell phone because they were concerned that other individuals or companies could access that information’’) and Westerman, supra note 8, at 50–52 (describing sensitivity of location history, based on study of 4600 U.S. consumers).

16 See, e.g., Future of Privacy Forum, K–12 Student Privacy Pledge Announced (Oct. 7, 2014), available at https://www.futureofprivacy.org/2014/10/07/k-12-student-privacy-pledge-announced/.

* * * * *

The application of Section 5 deception authority to express statements likely to affect a consumer’s choice of or conduct regarding a good or service is well established. For close to a year, Nomi claimed to offer two opt-out methods but in fact it provided only one. We believe this failure was material and that Nomi had a legal obligation to fulfill the promises it made to consumers.

Dissenting Statement of Commissioner Maureen K. Ohlhausen

Nomi Technologies Inc., a startup company, offered its retail merchant clients the ability to analyze aggregate data about consumer traffic in the merchants’ stores. Nomi provided this service by observing smartphone MAC addresses—a series of hexadecimal numbers that every WiFi-enabled device publicly broadcasts to any listening receiver. Nomi did not store this publicly broadcast information, but instead hashed the addresses and stored the hash. Nomi provided this service as a third party contractor; it had no direct relationship with consumers. At the time covered by the complaint, the majority of Nomi’s customers were trialing this startup service in a few stores, at most.

It is important to note that, as a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out. Yet from the inception of the service, Nomi offered all consumers the opportunity to opt out globally. For a time, Nomi’s privacy policy stated that Nomi ‘‘pledges to . . . Always allow consumers to opt out of Nomi’s service on its Web site as well as at any retailer using Nomi’s technology.’’ 1 As already noted, Nomi did offer a global opt out on its Web site. However, it appears that none of Nomi’s retail clients offered consumers the opportunity or ability to opt out. Thus, Nomi’s privacy policy was partly inaccurate.
As Commissioner Wright points out, the evidence we have suggests that the privacy policy’s partially inaccurate statement harmed no consumers.\2\ I believe the FTC should not have brought a case against Nomi based on these facts and instead should have exercised its prosecutorial discretion, for two reasons. First, the Commission should use its limited resources to pursue cases that involve consumer harm. Second, and more importantly, we should not apply a de facto strict liability approach to a young company that attempted to go above and beyond its legal obligation to protect consumers but, in so doing, erred without benefiting itself. I fear that the majority’s decision in this case encourages companies to do only the bare minimum on privacy, ultimately leaving consumers worse off. For these reasons, I dissent.
---------------------------------------------------------------------------

    \1\ Complaint, Exhibit A (Nomi’s privacy policy from approximately Nov. 2012 until Jan. 2013) (emphasis added).
    \2\ Dissenting Statement of Commissioner Joshua Wright at 2.
---------------------------------------------------------------------------

Dissenting Statement of Commissioner Joshua D. Wright

Today, the Commission finds itself in the unfortunate position of trying to fix a problem that no longer exists by stretching a legal theory to fit the unwieldy facts before it. I dissent from the Commission’s decision to accept for public comment a consent order with Nomi Technologies, Inc. (Nomi) not only because it is inconsistent with a fair reading of the Commission’s Policy Statement on Deception, but also because even if the facts were to support a technical legal violation—which they do not—prosecutorial discretion would favor restraint.

Nomi does not track individual consumers—that is, Nomi’s technology records whether individuals are unique or repeat visitors, but it does not identify them. Nomi provides analytics services based upon data collected from mobile device tracking technology to brick-and-mortar retailers through its “Listen” service.\1\ Nomi uses sensors placed in its clients’ retail locations or its clients’ existing WiFi access points to detect the media access control (MAC) address broadcast by a consumer’s mobile device when it searches for WiFi networks. Nomi passes MAC addresses through a cryptographic hash function before collection and creates a persistent unique identifier for the mobile device.\2\ Nomi does not “unhash” this identifier to retrieve the MAC addresses and Nomi does not store the MAC addresses of the mobile devices. In addition to creating this unique persistent identifier, Nomi collects the device manufacturer information, the device’s signal strength, and the date, time and locating sensor of the mobile device. This information is then used to provide analytics to Nomi’s clients.
---------------------------------------------------------------------------

    \1\ In the Matter of Nomi Technologies, Inc., FTC File No. 132–3251, Compl. ¶ 3 (Apr. 23, 2015).
    \2\ For more information on cryptographic hashing, see Rob Sobers, The Definitive Guide to Cryptographic Hash Functions (Part I), Varonis (Aug. 2, 2012), https://blog.varonis.com/thedefinitive-guide-to-cryptographic-hash-functionspart-1/.
---------------------------------------------------------------------------

For example, even without knowing the identity of those visiting their stores, the data provided by Nomi’s Listen service can generate potentially valuable insights about aggregate in-store consumer traffic patterns, such as the average duration of customers’ visits, the percentage of repeat customers, or the percentage of consumers that pass by a store rather than entering it. These insights, in turn, allow retailers to measure how different retail promotions, product offerings, displays, and services impact consumers. In short, these insights help retailers optimize consumers’ shopping experiences,\3\ inform staffing coverage for their stores, and improve store layouts.
---------------------------------------------------------------------------

    \3\ See, e.g., Alyson Shontell, It Took Only 13 Days for Former Salesforce Execs to Raise $3 Million for Their Startup, Nomi, Business Insider (Feb. 11, 2013), https://www.businessinsider.com/formersalesforce-and-buddy-media-executives-raise-3million-nomi-2013-2 (“The moment you open Amazon.com, your entire retail experience is personalized, down to the promotions you see and the products you are pushed. That’s because ecommerce is a data-driven industry, and Web sites know a lot about customers who stumble on to their Web sites. Physical stores however, where 90% of all retail purchases still occur, know nothing about the customers who walk in their doors.”).
---------------------------------------------------------------------------

The Commission’s complaint focuses upon a single statement in Nomi’s privacy policy. Specifically, Nomi’s privacy policy states that “Nomi pledges to . . . Always allow consumers to opt out of Nomi’s service on its Web site as well as at any retailer using Nomi’s technology.” \4\ Count I of the complaint alleges Nomi represented in its privacy policy that consumers could opt out of its Listen service at retail locations using the service, but did not in fact provide a retail level opt out. Count II relies upon this same representation to allege a second deceptive practice—that the failure to provide the opt out in the first instance also implies a failure to provide notice to consumers that a specific retailer would be using the Listen service.\5\
---------------------------------------------------------------------------

    \4\ Compl. ¶ 12.
    \5\ Compl. ¶ 16–17.
---------------------------------------------------------------------------

The Commission’s decision to issue a complaint and accept a consent order for public comment in this matter is problematic for both legal and policy reasons. Section 5(b) of the FTC Act requires us, before issuing any complaint, to establish “reason to believe that [a violation has occurred]” and that an enforcement action would “be to the interest of the public.” \6\ While the Act does not set forth a separate standard for accepting a consent decree, I believe that threshold should be at least as high as for bringing the initial complaint. The Commission has not met the relatively low “reason to believe” bar because its complaint does not meet the basic requirements of the Commission’s 1983 Deception Policy Statement. Further, the complaint and proposed settlement risk significant harm to consumers by deterring industry participants from adopting business practices that benefit consumers.
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 45(b).
---------------------------------------------------------------------------

The fundamental failure of the Commission’s complaint is that the evidence simply does not support the allegation that Nomi’s representation about an opportunity to opt out of the Listen service at the retail level—in light of the immediate and easily accessible opt out available on the Web page itself—was material to consumers. This failure alone is fatal. A representation simply cannot be deceptive under the long-standing FTC Policy Statement on Deception in the absence of materiality.\7\ The Policy Statement on Deception highlights the centrality of the materiality inquiry, observing that the “basic question is whether the act or practice is likely to affect the consumer’s conduct or decision with regard to a product or service.” \8\ The materiality inquiry is critical because the Commission’s construct of “deception” uses materiality as an evidentiary proxy for consumer injury: “[i]njury exists if consumers would have chosen differently but for the deception. If different choices are likely, the claim is material, and injury is likely as well.” \9\ This is a critical point. Deception causes consumer harm because it influences consumer behavior—that is, the deceptive statement is one that is not merely misleading in the abstract but one that causes consumers to make choices to their detriment that they would not have otherwise made. This essential link between materiality and consumer injury ensures the Commission’s deception authority is employed to deter only conduct that is likely to harm consumers and does not chill business conduct that makes consumers better off. This link also unifies the Commission’s two foundational consumer protection authorities—deception and unfairness—by tethering them to consumer injury.
---------------------------------------------------------------------------

    \7\ Fed. Trade Comm’n, Policy Statement on Deception (1983), appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 175, 182 (1984) [hereinafter FTC Policy Statement on Deception], available at https://www.ftc.gov/public-statements/1983/10/ftcpolicy-statement-deception.
    \8\ FTC Policy Statement on Deception, 103 F.T.C. at 175.
    \9\ Id. at 183.
---------------------------------------------------------------------------

The Commission does not explain how it finds the materiality requirement satisfied; presumably it does so upon the assumption that “express statements” are presumptively material.\10\ However, that presumption was never intended to substitute for common sense, evidence, or analysis. Indeed, the Policy Statement on Deception acknowledges the “Commission will always consider relevant and competent evidence offered to rebut presumptions of materiality.” \11\ Here, the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi’s failure to implement an additional, retail-level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not “have chosen differently” but for the allegedly deceptive representation.
---------------------------------------------------------------------------

    \10\ See POM Wonderful LLC, 2013 FTC LEXIS 6, *121 (2013); Novartis Corp., 127 F.T.C. 580, 686 (1999); American Home Prods., 98 F.T.C. 136, 368 (1981).
    \11\ FTC Policy Statement on Deception, 103 F.T.C. at 182 n.47.
---------------------------------------------------------------------------

Nomi represented that consumers could opt out on its Web site as well as in the store where the Listen service was being utilized. Nomi did offer a fully functional and operational global opt out from the Listen service on its Web site.\12\ Thus, the only remaining potential issue is whether Nomi’s failure to offer the represented in-store opt out renders the statement in its privacy policy deceptive.
---------------------------------------------------------------------------

    \12\ As such, the facts of this case are distinguishable from the cases cited for support by the majority in its statement. In the Matter of Nomi Technologies, Inc., FTC File No. 132–3251, Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny 5 n.14 (Apr. 23, 2015).
---------------------------------------------------------------------------

The evidence strongly implies that specific representation was not material and therefore not deceptive. Nomi’s “tracking” of users was widely publicized in a story that appeared on the front page of The New York Times,\13\ a publication with a daily reach of nearly 1.9 million readers.\14\ Most likely due to this publicity, Nomi’s Web site received 3,840 unique visitors during the relevant timeframe and received 146 opt outs—an opt-out rate of 3.8% of site visitors. This opt-out rate is significantly higher than the opt-out rate for other online activities.\15\ This high rate, relative to Web site visitors, likely reflects the ease of a mechanism that was immediately and quickly available to consumers at the time they may have been reading the privacy policy.
---------------------------------------------------------------------------

    \13\ Stephanie Clifford & Quentin Hardy, Attention, Shoppers: Store is Tracking Your Cell, New York Times (July 14, 2013), https://www.nytimes.com/2013/07/15/business/attention-shopper-stores-aretracking-your-cell.html?pagewanted=all&_r=0.
    \14\ The Associated Press, Top 10 Newspapers by Circulation: Wall Street Journal Leads Weekday Circulation, Huffington Post (Apr. 30, 2013), https://www.huffingtonpost.com/2013/05/01/newspaper-circulation-top-10_n_3188612.html.
    \15\ In perhaps the most comparable circumstance—Do Not Track mechanisms—the opt-out rate is extremely low. See, e.g., Jack Marshall, The Do Not Track Era, Digiday (Feb. 27, 2012), https://digiday.com/platforms/advertising-in-the-donot-track-era/ (“[a]ccording to data from Evidon, which facilitates the serving of those icons, someone clicks and goes through the opt-out process once for every 10,000 ad impressions served”); Matthew Creamer, Despite Digital Privacy Uproar, Consumers are Not Opting Out, Advertising Age (May 31, 2011), https://adage.com/article/digital/digital-privacy-uproar-consumers-opting/227828/ (“Evidon, which has the longest set of data, is seeing click-through of 0.005% with only 2% opting out from 30 billion impressions”). See also Richard Beaumont, Cookie Opt-Out Stats Revealed, The Cookie Collective (Feb. 19, 2014), https://www.cookielaw.org/blog/2014/2/19/cookie-opt-outstatistics-revealed/.
---------------------------------------------------------------------------

The Commission’s reliance upon a presumption of materiality as to the additional representation of the availability of an in-store opt out is dubious in light of evidence of the opt-out rate for the Web page mechanism. Actual evidence of consumer behavior indicates that consumers that were interested in opting out of the Listen service took their first opportunity to do so. To presume the materiality of a representation in a privacy policy concerning the availability of an additional, in-store opt-out mechanism requires one to accept the proposition that the privacy-sensitive consumer would be more likely to bypass the easier and immediate route (the online opt out) in favor of waiting until she had the opportunity to opt out in a physical location.
Here, we can easily dispense with shortcut presumptions meant to aid the analysis of consumer harm rather than substitute for it. The data allow us to know with an acceptable level of precision how many consumers—3.8% of them—reached the privacy policy, read it, and made the decision to opt out when presented with that immediate choice. The Commission’s complaint instead adopts an approach that places legal form over substance, is inconsistent with the available data, and defies common sense.

The Commission’s approach here is problematic for another reason. To the extent there is consumer injury when consumers are offered an opt out from tracking that cannot be effectuated, or that more generally, consumers are uncomfortable with such tracking and it should be disclosed to them, the proposed consent order does nothing to alleviate such harm and will, instead, likely exacerbate it. Nomi has removed its representation about a retail level opt-out mechanism from its privacy policy. The proposed consent order does not require Nomi to offer such a mechanism, nor does it require Nomi to disclose the tracking in retail locations.\16\ It is unlikely that Nomi could agree to such a condition in any case—Nomi contracts with retailers and has no control over the retailers’ premises. The order does not—and cannot—compel retailers to disclose the tracking technology.
---------------------------------------------------------------------------

    \16\ In the Matter of Nomi Technologies, Inc., FTC File No. 132–3251, Proposed Consent Order Part I (Apr. 23, 2015).
---------------------------------------------------------------------------

Even assuming arguendo Nomi’s privacy policy statement is deceptive under the Deception Policy Statement, the FTC would better serve consumers by declining to take action against Nomi. The analytical failings of the Commission’s approach are not harmless error. Rather, aggressive prosecution of this sort will inevitably deter industry participants like Nomi from engaging in voluntary practices that promote consumer choice and transparency—the very principles that lie at the heart of the Commission’s consumer protection mission.\17\ Nomi was under no legal obligation to post a privacy policy, describe its practices to consumers, or to offer an opt-out mechanism. To penalize a company for such a minor shortcoming—particularly when there is no evidence the misrepresentation harmed consumers—sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.
---------------------------------------------------------------------------

    \17\ In addition, Nomi arguably offered a product that was more privacy-protective than other, more intrusive methods that retailers currently employ, such as video cameras. See Clifford & Hardy, supra note 14 (“Cameras have become so sophisticated, with sharper lenses and data-processing, that companies can analyze what shoppers are looking at, and even what their mood is.”).
---------------------------------------------------------------------------

Finally, market forces already appear to be responding to consumer preferences related to tracking technology. For example, in response to potential consumer discomfort some retailers have discontinued or changed the methods by which they track visitors to their physical stores.\18\ Technological innovation has also responded to incentives to provide a better consumer experience, including a Bluetooth technology that provides not only an opt-in choice for consumers,\19\ but also gives retailers the opportunity to provide their consumers with a more robust shopping experience.\20\ Notably, Nomi itself has responded to these market changes and no longer offers the MAC address tracking technology to any retailer other than its legacy customers.
---------------------------------------------------------------------------

    \18\ See, e.g., Amy Hollyfield, Philz to Stop Tracking Customers via Smartphones, ABC 7 News (May 29, 2014), https://abc7news.com/business/philz-to-stop-tracking-customers-via-smartphones/83943/; Peter Cohan, How Nordstrom Uses WiFi to Spy On Shoppers, Forbes (May 9, 2013), https://www.forbes.com/sites/petercohan/2013/05/09/hownordstrom-and-home-depot-use-wifi-to-spy-onshoppers/.
    \19\ See, e.g., Siraj Datoo, High Street Shops are Studying Shopper Behaviour by Tracking Their Smartphones or Movement, The Guardian (Oct. 3, 2013), https://www.theguardian.com/news/datablog/2013/oct/03/analytics-amazon-retailers-physicalcookies-high-street (“If customers create accounts on the wireless network—something millions have done—they first have to accept terms and conditions that opts them in to having their movements monitored when inside the stores”); Jess Bolluyt, What’s So Bad About In-Store Tracking?, The Cheat Sheet (Nov. 27, 2014), https://www.cheatsheet.com/technology/whats-so-badabout-in-store-tracking.html/?a=viewall (“customers have to turn on Bluetooth, accept location services, and opt in to receive notifications”).
    \20\ See, e.g., Greg Petro, How Proximity Marketing Is Driving Retail Sales, Forbes (Oct. 8, 2014), https://www.forbes.com/sites/gregpetro/2014/10/08/how-proximity-marketing-is-driving-retail-sales/ (“[This will] allow Macy’s to send personalized department-level deals, discounts, recommendations and rewards to customers who opt-in to receive the offers”); Datoo, supra note 20 (after opting in, “[u]sers can then add their loyalty card numbers to receive personalised recommendations.”).
---------------------------------------------------------------------------

Accordingly, I dissent from the issuance of this complaint and the acceptance of a consent decree for public comment.

[FR Doc. 2015–10154 Filed 4–30–15; 8:45 am]
BILLING CODE 6750–01–P


[Federal Register Volume 80, Number 84 (Friday, May 1, 2015)]
[Notices]
[Pages 24923-24929]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-10154]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3251]


Nomi Technologies, Inc.; Analysis of Proposed Consent Order To 
Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment

[[Page 24924]]

describes both the allegations in the draft complaint and the terms of 
the consent order--embodied in the consent agreement--that would settle 
these allegations.

DATES: Comments must be received on or before May 25, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/nomitechconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and file 
your comment online at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If 
you prefer to file your comment on paper, write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on 
the envelope, and mail your comment to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., 
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 
5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias (202-326-3334) or 
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for April 23, 2015), on the World Wide Web at: 
https://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before May 25, 2015. 
Write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132 
3251'' on your comment. Your comment--including your name and your 
state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission Web 
site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission Web 
site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based 
form. If this Notice appears at https://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you file your comment on paper, write ``Nomi Technologies, 
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on 
the envelope, and mail your comment to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., 
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 
5610 (Annex D), Washington, DC 20024. If possible, submit your paper 
comment to the Commission by courier or overnight service.
    Visit the Commission Web site at https://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before May 25, 2015. You can find more information, 
including routine uses permitted by the Privacy Act, in the 
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent order applicable to Nomi Technologies, Inc. 
(``Nomi'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Nomi uses mobile device tracking technology to provide analytics 
services to brick and mortar retailers through its ``Listen'' service. 
Nomi has been collecting information from consumers' mobile devices to 
provide the Listen service since January 2013. Nomi places sensors in 
its clients' retail locations that detect the media access control 
(``MAC'') address broadcast by a mobile device when it searches for 
WiFi networks. A MAC address is a 12-digit identifier that is unique to 
a particular device. Alternatively, in some instances Nomi collects MAC 
addresses through its clients' existing WiFi access points. In addition 
to the MAC address, Nomi

[[Page 24925]]

also collects the following information about each mobile device that 
comes within range of its sensors or its clients' WiFi access points: 
The mobile device's signal strength; the mobile device's manufacturer 
(derived from the MAC address); the location of the sensor or WiFi 
access point observing the mobile device; and the date and time the 
mobile device is observed.
    Nomi cryptographically hashes the MAC addresses it observes prior 
to storing them on its servers. Hashing obfuscates the MAC address, but 
the result is still a persistent unique identifier for that mobile 
device. Each time a MAC address is run through the same hash function, 
the resulting identifier will be the same. For example, if MAC address 
1A:2B:3C:4D:5E:6F is run through Nomi's hash function on ten different 
occasions, the resulting identifier will be the same each time. As a 
result, while Nomi does not store the MAC address, it does store a 
persistent unique identifier for each mobile device. Nomi collected 
information about approximately nine million unique mobile devices 
between January 2013 and September 2013.
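
    The persistence described above can be shown in a few lines. This is an added example, not part of the notice and not Nomi's code. Assumptions: SHA-256 stands in for the hash function, which the notice does not name; the observations, the keyed variant, the demo key and all function names are constructed for illustration.

```python
import hashlib
import hmac

SAMPLE_MAC = "1A:2B:3C:4D:5E:6F"  # the example address used in the notice

# Constructed sightings (day, sensor, MAC as captured); not real data.
OBSERVATIONS = [
    ("2013-03-01", "store-A", "1A:2B:3C:4D:5E:6F"),
    ("2013-03-01", "store-A", "1A:2B:3C:00:00:01"),
    ("2013-03-02", "store-B", "1A:2B:3C:4D:5E:6F"),
    ("2013-03-09", "store-A", "1a-2b-3c-4d-5e-6f"),
]

# Constructed demo key. A real deployment would draw this from a secret store.
MASTER_KEY = hashlib.sha256(b"constructed demo key").digest()


def mac_bytes(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits (12 hex digits)")
    return raw


def unsalted_id(mac: str) -> str:
    """Plain hash of the MAC (assumed SHA-256): same input, same output, forever."""
    return hashlib.sha256(mac_bytes(mac)).hexdigest()


def daily_key(master: bytes, day: str) -> bytes:
    """Derive a per-day key so identifiers from different days do not match."""
    return hmac.new(master, day.encode(), hashlib.sha256).digest()


def keyed_id(mac: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): cannot be recomputed without the key."""
    return hmac.new(key, mac_bytes(mac), hashlib.sha256).hexdigest()


def max_linked_sightings(observations, id_fn) -> int:
    """Largest number of sightings that share one stored identifier."""
    groups = {}
    for day, sensor, mac in observations:
        groups.setdefault(id_fn(day, mac), []).append((day, sensor))
    return max(len(sightings) for sightings in groups.values())


def enumerate_known_prefix(target_id: str, oui: str, start: int, stop: int):
    """Pseudonymization audit: does a stored identifier fall to enumeration?

    The manufacturer prefix (first 3 bytes) is stored next to the identifier,
    so only the 3-byte device suffix is unknown: 2**24 candidates in total.
    start/stop bound the suffix range so the check finishes quickly here.
    """
    prefix = bytes.fromhex(oui.replace(":", ""))
    for suffix in range(start, stop):
        candidate = prefix + suffix.to_bytes(3, "big")
        if hashlib.sha256(candidate).hexdigest() == target_id:
            return candidate.hex(":").upper()
    return None


def per_day_id(day: str, mac: str) -> str:
    """Identifier under the rotating-key scheme."""
    return keyed_id(mac, daily_key(MASTER_KEY, day))


if __name__ == "__main__":
    # Unsalted: three sightings across two stores and nine days link together.
    print(max_linked_sightings(OBSERVATIONS, lambda day, mac: unsalted_id(mac)))
    # Per-day keyed: no identifier spans more than one day.
    print(max_linked_sightings(OBSERVATIONS, per_day_id))
    # Suffix space left once the manufacturer prefix is known.
    print(2 ** 24)
    # Unsalted identifier is matched inside a narrow suffix window.
    print(enumerate_known_prefix(unsalted_id(SAMPLE_MAC), "1A:2B:3C",
                                 0x4D5000, 0x4D6000))
    # Keyed identifier is not matched by the same enumeration.
    print(enumerate_known_prefix(per_day_id("2013-03-01", SAMPLE_MAC),
                                 "1A:2B:3C", 0x4D5000, 0x4D6000))
```

    The per-day key removes cross-day linkage, which also removes the ability to count repeat visitors across days; that trade-off is a design decision, not a property of hashing.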
    Nomi uses the information it collects to provide analytics reports 
to its clients about aggregate customer traffic patterns such as: The 
percentage of consumers merely passing by the store versus entering the 
store; the average duration of consumers' visits; types of mobile 
devices used by consumers visiting a location; the percentage of repeat 
customers within a given time period; and the number of customers that 
have also visited another location within the client's chain. Through 
October 22, 2013, Nomi's Listen service had approximately 45 clients. 
Some of these clients deployed the service in multiple locations within 
their chains.
    Nomi has not published, or otherwise made available to consumers, a 
list of the retailers that use or used the Listen service. Nomi does 
not require its clients to post disclosures or otherwise notify 
consumers that they use the Listen service. Through October 22, 2013, 
most, if not all, of Nomi's clients did not post any disclosure, or 
otherwise notify consumers, regarding their use of the Listen service.
    From at least November 2012, until October 22, 2013, Nomi 
disseminated or caused to be disseminated privacy policies on its Web 
site, nomi.com or getnomi.com, which included the following statement:

    Nomi pledges to. . . . Always allow consumers to opt out of 
Nomi's service on its Web site as well as at any retailer using 
Nomi's technology.

    Nomi provided, and continues to provide, an opt out on its Web site 
for consumers who do not want Nomi to store observations of their 
mobile device. In order to opt out of the Listen service on Nomi's Web 
site, consumers were required to provide Nomi with all of their mobile 
devices' MAC addresses, without knowing whether they would ever shop at 
a retail location using the Listen service. Once a consumer has entered 
the MAC address of their device into Nomi's Web site opt out, Nomi adds 
it to a blacklist of MAC addresses for which information will not be 
stored. Consumers who did not opt out on Nomi's Web site and instead 
wanted to make the opt out decision at retail locations were unable to 
do so, despite the explicit promise in Nomi's privacy policies. 
Consumers were not provided any means to opt out at retail locations 
and were unaware that the service was even being used.
    The Commission's complaint alleges that Nomi's privacy policy 
represented that: (1) Consumers could opt out of Nomi's Listen service 
at retail locations using this service, and (2) that consumers would be 
given notice when a retail location was utilizing Nomi's Listen 
service. The complaint alleges that Nomi violated Section 5 of the 
Federal Trade Commission Act by misleading consumers because, contrary 
to its representations, Nomi did not provide an opt-out mechanism at 
its clients' retail locations and neither Nomi nor its clients 
disclosed to consumers that Nomi's Listen service was being used at a 
retail location.
    The proposed order contains provisions designed to prevent Nomi 
from engaging in the future in practices similar to those alleged in 
the complaint. Part I of the proposed order prohibits Nomi from 
misrepresenting: (A) The options through which, or the extent to which, 
consumers can exercise control over the collection, use, disclosure, or 
sharing of information collected from or about them or their computers 
or devices, or (B) the extent to which consumers will be provided 
notice about how data from or about a particular consumer, computer, or 
device is collected, used, disclosed, or shared.
    Parts II through VI of the proposed order are reporting and 
compliance provisions. Part II requires Nomi to retain documents 
relating to its compliance with the order. The order requires that all 
of the documents be retained for a five-year period. Part III requires 
dissemination of the order now and in the future to all current and 
future subsidiaries, principals, officers, directors, and managers, and 
to persons with responsibilities relating to the subject matter of the 
order. Part IV ensures notification to the FTC of changes in corporate 
status. Part V mandates that Nomi submit a compliance report to the FTC 
within 90 days, and periodically thereafter as requested. Part VI is a 
provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order or to modify the 
order's terms in any way.

    By direction of the Commission, Commissioners Ohlhausen and 
Wright dissenting.
Donald S. Clark,
Secretary.

Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner 
McSweeny

    We write to express our support for the complaint and proposed 
consent order in this case.
    Nomi Technologies, Inc. is a provider of technology services that 
allow retailers to track consumers' movements around their stores by 
detecting the media access control (``MAC'') addresses broadcast by the 
WiFi interface on consumers' mobile devices.\1\ Services like Nomi's 
benefit businesses and consumers. For example, they enable retailers to 
improve store layouts and reduce customer wait times.
---------------------------------------------------------------------------

    \1\ Although Nomi took steps to obscure the MAC addresses it 
collected by cryptographically hashing them, hashing generates a 
unique number that can be used to identify a device throughout its 
lifetime and is a process that can easily be ``reversed'' to reveal 
the original MAC address. See, e.g., Jonathan Mayer, Questionable 
Crypto in Retail Analytics, March 19, 2014, https://webpolicy.org/2014/03/19/questionable-crypto-in-retail-analytics/ (describing 
successful efforts in ``reversing the hash'' to identify the 
original MAC address).
---------------------------------------------------------------------------

    At the same time, Nomi's service, and others like it, raise privacy 
concerns because they rely on the collection and use of consumers' 
precise location data. Indeed, Nomi sought to assure consumers that its 
practices were privacy-protecting, declaring in its privacy policy that 
``privacy is our first priority.'' A core element of Nomi's assurance 
was its promise that consumers could opt out of Nomi's service through 
its Web site ``as well as at any retailer using Nomi's technology.'' 
Thus, Nomi made a specific and express promise to consumers about how, 
when, and where they could opt out of the location tracking services 
that the company provided to its clients.

    As the Commission alleges in its complaint, however, this express 
promise was false. At no time during the nearly year-long period that 
Nomi made this promise to consumers did Nomi provide an in-store opt 
out at the retailers using its service. Moreover, the express promise 
of an in-store opt out necessarily makes a second, implied promise: 
That retailers using Nomi's service would notify consumers that the 
service was in use. This promise was also false. Nomi did not require 
its clients to provide such a notice. To our knowledge, no retailer 
provided such a notice on its own.
    The proposed order includes carefully-tailored relief designed to 
prevent similar violations in the future. Specifically, it prohibits 
Nomi from making future misrepresentations about the notice and choices 
that will be provided to consumers about the collection and use of 
their information.
    Nevertheless, Commissioner Wright argues in his dissent that Nomi's 
express promise to provide an in-store opt-out was not material because 
a Web site opt-out was available, and that, in any event, the 
Commission should not have brought this action because it will deter 
industry from adopting business practices that benefit consumers. In a 
separate statement, Commissioner Ohlhausen dissents on grounds of 
prosecutorial discretion. This statement addresses both dissents' 
arguments.

I. Nomi's Express Opt-Out Promise Was False and Material, and Therefore 
Deceptive

    According to the Commission's Deception Policy Statement, a 
deceptive representation, omission, or practice is one that is material 
and likely to mislead a consumer acting reasonably under the 
circumstances. ``The basic question [with respect to materiality] is 
whether the act or practice is likely to affect the consumer's conduct 
or decision with respect to the product or service.'' \2\ Furthermore, 
the Commission presumes that an express claim is material,\3\ as is 
``information pertaining to the central characteristics of the product 
or service.'' \4\
---------------------------------------------------------------------------

    \2\ Deception Policy Statement Sec.  I.
    \3\ Deception Policy Statement Sec.  IV.
    \4\ Id.
---------------------------------------------------------------------------

    Importantly, Section 5 case law makes clear that ``[m]ateriality is 
not a test of the effectiveness of the communication in reaching large 
numbers of consumers. It is a test of the likely effect of the claim on 
the conduct of a consumer who has been reached and deceived.'' \5\ 
Consumers who read the Nomi privacy statement would likely have been 
privacy-sensitive, and claims about how and when they could opt out 
would likely have especially mattered to them. Some of those consumers 
could reasonably have decided not to share their MAC address with an 
unfamiliar company in order to opt out of tracking, as the Web site-
based opt-out required. Instead, those consumers may reasonably have 
decided to wait to see if stores they patronized actually used Nomi's 
services and opt out then. Or they may have decided that they would 
simply not patronize stores that use Nomi's services, so that they 
could effectively ``vote with their feet'' rather than exercising the 
opt-out choice. Or consumers may simply have found it inconvenient to 
opt out at the moment they were viewing Nomi's privacy policy, and 
decided to opt out later.
---------------------------------------------------------------------------

    \5\ In the Matter of Novartis, 1999 FTC LEXIS 63 *38 (May 27, 
1999).
---------------------------------------------------------------------------

    These choices were rendered illusory because of Nomi's alleged 
failure to ensure that its client retailers provide any signs or opt-
outs at stores. Further, consumers visiting stores that used Nomi's 
services would have reasonably concluded, in the absence of signage and 
the promised opt-outs, that these stores did not use Nomi's services. 
Nomi's express representations regarding how consumers may opt out of 
its location tracking services go to the very heart of consumers' 
ability to make decisions about whether to participate in these 
services. Thus, we have ample reason to believe that Nomi's opt-out 
representations were material.
    In his dissent, Commissioner Wright points to certain evidence 
that, in his view, rebuts the notion that a consumer who viewed Nomi's 
privacy policy would ``bypass the easier and immediate route (the 
online opt out) in favor of waiting'' to opt out at a retail 
location.\6\ According to Commissioner Wright, because consumers who 
viewed Nomi's privacy policy opted out at a higher rate (3.8%) than 
what is reported for a certain method of opting out of online 
behavioral advertising (less than 1%),\7\ this shows that consumers who 
wanted to opt out of tracking were able to do so--and therefore, the 
representation that consumers could opt out at an individual retailer 
was not material. We do not believe the 3.8% opt-out rate provides 
reliable evidence to rebut the presumption of materiality.
---------------------------------------------------------------------------

    \6\ Statement of Commissioner Wright at 4.
    \7\ Id. at 3 & n.15.
---------------------------------------------------------------------------

    The benchmark against which Commissioner Wright measures the Nomi 
opt-out rate--the purported opt out rate for online behavioral 
advertising--is neither directly comparable to, nor provides meaningful 
information about, consumers' likely motivations in deciding whether to 
opt-out of Nomi's Listen service. The difference in opt-out rates could 
simply mean that the practice of location tracking is much more 
material to consumers than behavioral advertising, and for that reason 
a much higher number of consumers exercised the Web site opt out. 
Indeed, recent studies have shown that consumers are concerned about 
offline retail tracking and tracking that occurs over time,\8\ as took 
place here. These relative opt-out rates could just as easily imply 
that many more than 3.8% of consumers were interested in opting out of 
Nomi's retail tracking, and that the consumers who did not opt out on 
the Web site were relying on their ability to opt out in stores, as 
promised by Nomi.
---------------------------------------------------------------------------

    \8\ See New Study: Consumers Overwhelmingly Reject In-store 
Tracking by Retailers, OpinionLab, March 27, 2014 https://www.opinionlab.com/press_release/new-study-consumers-overwhelmingly-reject-in-store-tracking-by-retailers/ (44% of survey respondents 
indicated that they would be less likely to shop at a store that 
uses in-store mobile device tracking); Spring Privacy Series: Mobile 
Device Tracking Seminar, available at https://www.ftc.gov/system/files/documents/public_events/182251/140219mobiledevicetranscript.pdf; Remarks of Ilana Westerman, Create 
with Context, at 47-48; 50 (stating that a study of 4600 Americans 
showed that consumers are reluctant to give up their location 
histories).
---------------------------------------------------------------------------

    In short, the 3.8% opt-out rate for Nomi's Web site opt-out, along 
with the comparison to opt-out rates in other contexts, is simply 
insufficient evidence to evaluate what choices the other 96.2% of 
visitors to the Web site intended to make, given the promises Nomi made 
to them about their options. Commissioner Wright is simply speculating 
when he extrapolates from the available data his conclusion that in-
store opt-out rates would have been so low as to render the in-store 
option immaterial. Such inconclusive evidence fails to rebut any 
presumption of materiality that we might apply to Nomi's statements.

II. The Proposed Order Contains Appropriate and Meaningful Relief

    The Commission's acceptance of the consent agreement is appropriate 
in light of both Nomi's alleged deception and the relief in the 
proposed order. The proposed order addresses the underlying deception 
in an appropriately tailored way. It prohibits Nomi from 
misrepresenting the options that consumers have to exercise control 
over information that Nomi collects, uses, discloses, or shares about 
them or their devices.\9\ It also prohibits Nomi from misrepresenting 
the extent to 
which consumers will be notified about such choices.\10\ Nomi may be 
subject to civil penalties if it violates either of these prohibitions. 
While the consent order does not require that Nomi provide in-store 
notice when a store uses its services or offer an in-store opt out, 
that was not the Commission's goal in bringing this case. This case is 
simply about ensuring that when companies promise consumers the ability 
to make choices, they follow through on those promises. The relief in 
the order is therefore directly tied to the deceptive practices alleged 
in the complaint.\11\ The order will also serve to deter other 
companies from making similar false promises and encourage them to 
periodically review the statements they make to consumers to ensure 
that they are accurate and up-to-date.
---------------------------------------------------------------------------

    \9\ Order Sec.  I.
    \10\ Id.
    \11\ After arguing primarily that Nomi did not violate Section 
5, Commissioner Wright argues in the alternative that the proposed 
order is too narrow. See Statement of Commissioner Wright at 4 
(stating that ``the proposed consent order does nothing to alleviate 
such harm [from retail location tracking]'' because it does not 
require Nomi to offer, and provide notice of, an in-store opt out). 
This argument is based on a misunderstanding of the injury at issue 
in this case. Here, the injury to consumers was Nomi's allegedly 
false and material statement of the opt-out choices available to 
consumers. The proposed order prohibits Nomi from making such 
representations and thereby addresses the underlying consumer 
injury.
---------------------------------------------------------------------------

    In their dissents, however, Commissioners Wright and Ohlhausen 
argue that the Commission should have declined to take action in this 
case. Commissioner Ohlhausen views this action as ``encourag[ing] 
companies to do only the bare minimum on privacy, ultimately leaving 
consumers worse off.'' \12\ Similarly, Commissioner Wright argues that 
the action against Nomi ``sends a dangerous message to firms weighing 
the costs and benefits of voluntarily providing information and choice 
to consumers.'' \13\
---------------------------------------------------------------------------

    \12\ Statement of Commissioner Ohlhausen.
    \13\ Statement of Commissioner Wright at 4.
---------------------------------------------------------------------------

    The Commission encourages companies to provide privacy choices to 
consumers, but it also must take action in appropriate cases to stop 
companies from providing false choices. Our action today does just 
that. Indeed, this case is very similar to prior Commission cases 
involving allegedly deceptive opt outs.\14\ We do not believe that any 
of these actions--including the one announced today--have deterred or 
will deter companies from providing truthful choices. To the contrary, 
companies are voluntarily adopting enforceable privacy commitments in 
the retail location tracking space \15\ and in other areas.\16\
---------------------------------------------------------------------------

    \14\ See U.S. v. Google Inc., No. CV 12-04177, (N.D. Cal. Nov. 
16, 2012) (stipulated injunction) ($22.5 million settlement over 
Google's allegedly deceptive opt out, which did not work on the 
Safari browser); Chitika, Inc., No. C-4324, (F.T.C. June 7, 2011) 
(consent order) available at https://www.ftc.gov/enforcement/cases-proceedings/1023087/chitika-inc-matter (alleging that advertising 
network deceived consumers by not telling them that their opt out of 
behavioral advertising cookies would last only 10 days); U.S. 
Search, Inc., No. C-4317 (Mar. 14, 2011) (consent order) available 
at https://www.ftc.gov/enforcement/cases-proceedings/us-search-inc 
(alleging that a data broker deceived consumers by failing to 
disclose limitations of its opt out).
    \15\ The Future of Privacy Forum has developed an entire self-
regulatory code that requires industry members to provide such 
choices. See also Jan Lauren Boyles et al., Pew Internet Project, 
Privacy and Data Management on Mobile Devices 2 (2012), available at 
https://www.pewinternet.org/files/old-media/Files/Reports/2012/PIP_MobilePrivacyManagement.pdf (reporting that 19% of consumers 
``turned off the location tracking feature on their cell phone 
because they were concerned that other individuals or companies 
could access that information'') and Westerman, supra note 8, at 50-52 
(describing sensitivity of location history, based on study of 4600 
U.S. consumers).
    \16\ See, e.g., Future of Privacy Forum, K-12 Student Privacy 
Pledge Announced (Oct. 7, 2014), available at https://www.futureofprivacy.org/2014/10/07/k-12-student-privacy-pledge-announced/.
---------------------------------------------------------------------------

* * * * *
    The application of Section 5 deception authority to express 
statements likely to affect a consumer's choice of or conduct regarding 
a good or service is well established. For close to a year, Nomi 
claimed to offer two opt-out methods but in fact it provided only one. 
We believe this failure was material and that Nomi had a legal 
obligation to fulfill the promises it made to consumers.

Dissenting Statement of Commissioner Maureen K. Ohlhausen

    Nomi Technologies Inc., a startup company, offered its retail 
merchant clients the ability to analyze aggregate data about consumer 
traffic in the merchants' stores. Nomi provided this service by 
observing smartphone MAC addresses--a series of hexadecimal numbers 
that every WiFi-enabled device publicly broadcasts to any listening 
receiver. Nomi did not store this publicly broadcast information, but 
instead hashed the addresses and stored the hash. Nomi provided this 
service as a third party contractor; it had no direct relationship with 
consumers. At the time covered by the complaint, the majority of Nomi's 
customers were trialing this startup service in a few stores, at most.
    It is important to note that, as a third party contractor 
collecting no personally identifiable information, Nomi had no 
obligation to offer consumers an opt out. Yet from the inception of the 
service, Nomi offered all consumers the opportunity to opt out 
globally.
    For a time, Nomi's privacy policy stated that Nomi ``pledges to . . 
. Always allow consumers to opt out of Nomi's service on its Web site 
as well as at any retailer using Nomi's technology.'' \1\ As already 
noted, Nomi did offer a global opt out on its Web site. However, it 
appears that none of Nomi's retail clients offered consumers the 
opportunity or ability to opt out. Thus, Nomi's privacy policy was 
partly inaccurate. As Commissioner Wright points out, the evidence we 
have suggests that the privacy policy's partially inaccurate statement 
harmed no consumers.\2\
---------------------------------------------------------------------------

    \1\ Complaint, Exhibit A (Nomi's privacy policy from 
approximately Nov. 2012 until Jan. 2013) (emphasis added).
    \2\ Dissenting Statement of Commissioner Joshua Wright at 2.
---------------------------------------------------------------------------

    I believe the FTC should not have brought a case against Nomi based 
on these facts and instead should have exercised its prosecutorial 
discretion, for two reasons. First, the Commission should use its 
limited resources to pursue cases that involve consumer harm. Second, 
and more importantly, we should not apply a de facto strict liability 
approach to a young company that attempted to go above and beyond its 
legal obligation to protect consumers but, in so doing, erred without 
benefiting itself. I fear that the majority's decision in this case 
encourages companies to do only the bare minimum on privacy, ultimately 
leaving consumers worse off.
    For these reasons, I dissent.

Dissenting Statement of Commissioner Joshua D. Wright

    Today, the Commission finds itself in the unfortunate position of 
trying to fix a problem that no longer exists by stretching a legal 
theory to fit the unwieldy facts before it. I dissent from the 
Commission's decision to accept for public comment a consent order with 
Nomi Technologies, Inc. (Nomi) not only because it is inconsistent with 
a fair reading of the Commission's Policy Statement on Deception, but 
also because even if the facts were to support a technical legal 
violation--which they do not--prosecutorial discretion would favor 
restraint.
    Nomi does not track individual consumers--that is, Nomi's 
technology records whether individuals are unique or repeat visitors, 
but it does not identify them. Nomi provides analytics services based 
upon data collected from mobile device tracking technology to brick-
and-mortar retailers through its 
``Listen'' service.\1\ Nomi uses sensors placed in its clients' retail 
locations or its clients' existing WiFi access points to detect the 
media access control (MAC) address broadcast by a consumer's mobile 
device when it searches for WiFi networks. Nomi passes MAC addresses 
through a cryptographic hash function before collection and creates a 
persistent unique identifier for the mobile device.\2\ Nomi does not 
``unhash'' this identifier to retrieve the MAC addresses and Nomi does 
not store the MAC addresses of the mobile devices. In addition to 
creating this unique persistent identifier, Nomi collects the device 
manufacturer information, the device's signal strength, and the date, 
time and locating sensor of the mobile device. This information is then 
used to provide analytics to Nomi's clients. For example, even without 
knowing the identity of those visiting their stores, the data provided 
by Nomi's Listen service can generate potentially valuable insights 
about aggregate in-store consumer traffic patterns, such as the average 
duration of customers' visits, the percentage of repeat customers, or 
the percentage of consumers that pass by a store rather than entering 
it. These insights, in turn, allow retailers to measure how different 
retail promotions, product offerings, displays, and services impact 
consumers. In short, these insights help retailers optimize consumers' 
shopping experiences,\3\ inform staffing coverage for their stores, and 
improve store layouts.
---------------------------------------------------------------------------

    \1\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Compl. ¶ 3 (Apr. 23, 2015).
    \2\ For more information on cryptographic hashing, see Rob 
Sobers, The Definitive Guide to Cryptographic Hash Functions (Part 
I), Varonis (Aug. 2, 2012), https://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/.
    \3\ See, e.g., Alyson Shontell, It Took Only 13 Days for Former 
Salesforce Execs to Raise $3 Million for Their Startup, Nomi, 
Business Insider (Feb. 11, 2013), https://www.businessinsider.com/former-salesforce-and-buddy-media-executives-raise-3-million-nomi-2013-2 (``The moment you open Amazon.com, your entire retail 
experience is personalized, down to the promotions you see and the 
products you are pushed. That's because e-commerce is a data-driven 
industry, and Web sites know a lot about customers who stumble on to 
their Web sites. Physical stores however, where 90% of all retail 
purchases still occur, know nothing about the customers who walk in 
their doors.'').
---------------------------------------------------------------------------

    The Commission's complaint focuses upon a single statement in 
Nomi's privacy policy. Specifically, Nomi's privacy policy states that 
``Nomi pledges to . . . Always allow consumers to opt out of Nomi's 
service on its Web site as well as at any retailer using Nomi's 
technology.'' \4\ Count I of the complaint alleges Nomi represented in 
its privacy policy that consumers could opt out of its Listen service 
at retail locations using the service, but did not in fact provide a 
retail level opt out. Count II relies upon this same representation to 
allege a second deceptive practice--that the failure to provide the opt 
out in the first instance also implies a failure to provide notice to 
consumers that a specific retailer would be using the Listen 
service.\5\
---------------------------------------------------------------------------

    \4\ Compl. ¶ 12.
    \5\ Compl. ¶ 16-17.
---------------------------------------------------------------------------

    The Commission's decision to issue a complaint and accept a consent 
order for public comment in this matter is problematic for both legal 
and policy reasons. Section 5(b) of the FTC Act requires us, before 
issuing any complaint, to establish ``reason to believe that [a 
violation has occurred]'' and that an enforcement action would ``be to 
the interest of the public.'' \6\ While the Act does not set forth a 
separate standard for accepting a consent decree, I believe that 
threshold should be at least as high as for bringing the initial 
complaint. The Commission has not met the relatively low ``reason to 
believe'' bar because its complaint does not meet the basic 
requirements of the Commission's 1983 Deception Policy Statement. 
Further, the complaint and proposed settlement risk significant harm to 
consumers by deterring industry participants from adopting business 
practices that benefit consumers.
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 45(b).
---------------------------------------------------------------------------

    The fundamental failure of the Commission's complaint is that the 
evidence simply does not support the allegation that Nomi's 
representation about an opportunity to opt out of the Listen service at 
the retail level--in light of the immediate and easily accessible opt 
out available on the Web page itself--was material to consumers. This 
failure alone is fatal. A representation simply cannot be deceptive 
under the long-standing FTC Policy Statement on Deception in the 
absence of materiality.\7\ The Policy Statement on Deception highlights 
the centrality of the materiality inquiry, observing that the ``basic 
question is whether the act or practice is likely to affect the 
consumer's conduct or decision with regard to a product or service.'' 
\8\ The materiality inquiry is critical because the Commission's 
construct of ``deception'' uses materiality as an evidentiary proxy for 
consumer injury: ``[i]njury exists if consumers would have chosen 
differently but for the deception. If different choices are likely, the 
claim is material, and injury is likely as well.'' \9\ This is a 
critical point. Deception causes consumer harm because it influences 
consumer behavior--that is, the deceptive statement is one that is not 
merely misleading in the abstract but one that causes consumers 
to make choices to their detriment that they would not have otherwise 
made. This essential link between materiality and consumer injury 
ensures the Commission's deception authority is employed to deter only 
conduct that is likely to harm consumers and does not chill business 
conduct that makes consumers better off. This link also unifies the 
Commission's two foundational consumer protection authorities--
deception and unfairness--by tethering them to consumer injury.
---------------------------------------------------------------------------

    \7\ Fed. Trade Comm'n, Policy Statement on Deception (1983), 
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 175, 182 (1984) 
[hereinafter FTC Policy Statement on Deception], available at 
https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.
    \8\ FTC Policy Statement on Deception, 103 F.T.C. at 175.
    \9\ Id. at 183.
---------------------------------------------------------------------------

    The Commission does not explain how it finds the materiality 
requirement satisfied; presumably it does so upon the assumption that 
``express statements'' are presumptively material.\10\ However, that 
presumption was never intended to substitute for common sense, 
evidence, or analysis. Indeed, the Policy Statement on Deception 
acknowledges the ``Commission will always consider relevant and 
competent evidence offered to rebut presumptions of materiality.'' \11\ 
Here, the Commission failed to discharge its commitment to duly 
consider relevant and competent evidence that squarely rebuts the 
presumption that Nomi's failure to implement an additional, retail-
level opt out was material to consumers. In other words, the Commission 
neglects to take into account evidence demonstrating consumers would 
not ``have chosen differently'' but for the allegedly deceptive 
representation.
---------------------------------------------------------------------------

    \10\ See POM Wonderful LLC, 2013 FTC LEXIS 6, *121 (2013); 
Novartis Corp., 127 F.T.C. 580, 686 (1999); American Home Prods., 98 
F.T.C. 136, 368 (1981).
    \11\ FTC Policy Statement on Deception, 103 F.T.C. at 182 n.47.
---------------------------------------------------------------------------

    Nomi represented that consumers could opt out on its Web site as 
well as in the store where the Listen service was being utilized. Nomi 
did offer a fully functional and operational global opt out from the 
Listen service on its Web site.\12\ Thus, the only remaining

[[Page 24929]]

potential issue is whether Nomi's failure to offer the represented in-
store opt out renders the statement in its privacy policy deceptive. 
The evidence strongly implies that specific representation was not 
material and therefore not deceptive. Nomi's ``tracking'' of users was 
widely publicized in a story that appeared on the front page of The New 
York Times,\13\ a publication with a daily reach of nearly 1.9 million 
readers.\14\ Most likely due to this publicity, Nomi's Web site 
received 3,840 unique visitors during the relevant timeframe and 
received 146 opt outs--an opt-out rate of 3.8% of site visitors. This 
opt-out rate is significantly higher than the opt-out rate for other 
online activities.\15\ This high rate, relative to Web site visitors, 
likely reflects the ease of a mechanism that was immediately and 
quickly available to consumers at the time they may have been reading 
the privacy policy.
---------------------------------------------------------------------------

    \12\ As such, the facts of this case are distinguishable from 
the cases cited for support by the majority in its statement. In the 
Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Statement 
of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny 
5 n.14 (Apr. 23, 2015).
    \13\ Stephanie Clifford & Quentin Hardy, Attention, Shoppers: 
Store is Tracking Your Cell, New York Times (July 14, 2013), https://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0.
    \14\ The Associated Press, Top 10 Newspapers by Circulation: 
Wall Street Journal Leads Weekday Circulation, Huffington Post (Apr. 
30, 2013), https://www.huffingtonpost.com/2013/05/01/newspaper-circulation-top-10_n_3188612.html.
    \15\ In perhaps the most comparable circumstance--Do Not Track 
mechanisms--the opt-out rate is extremely low. See, e.g., Jack 
Marshall, The Do Not Track Era, Digiday (Feb. 27, 2012), https://digiday.com/platforms/advertising-in-the-do-not-track-era/ 
(``[a]ccording to data from Evidon, which facilitates the serving of 
those icons, someone clicks and goes through the opt-out process 
once for every 10,000 ad impressions served''); Matthew Creamer, 
Despite Digital Privacy Uproar, Consumers are Not Opting Out, 
Advertising Age (May 31, 2011), https://adage.com/article/digital/digital-privacy-uproar-consumers-opting/227828/ (``Evidon, which has 
the longest set of data, is seeing click-through of 0.005% with only 
2% opting out from 30 billion impressions''). See also Richard 
Beaumont, Cookie Opt-Out Stats Revealed, The Cookie Collective (Feb. 
19, 2014), https://www.cookielaw.org/blog/2014/2/19/cookie-opt-out-statistics-revealed/.
---------------------------------------------------------------------------

    The Commission's reliance upon a presumption of materiality as to 
the additional representation of the availability of an in-store opt 
out is dubious in light of evidence of the opt-out rate for the Web 
page mechanism. Actual evidence of consumer behavior indicates that 
consumers that were interested in opting out of the Listen service took 
their first opportunity to do so. To presume the materiality of a 
representation in a privacy policy concerning the availability of an 
additional, in-store opt-out mechanism requires one to accept the 
proposition that the privacy-sensitive consumer would be more likely to 
bypass the easier and immediate route (the online opt out) in favor of 
waiting until she had the opportunity to opt out in a physical 
location. Here, we can easily dispense with shortcut presumptions meant 
to aid the analysis of consumer harm rather than substitute for it. The 
data allow us to know with an acceptable level of precision how many 
consumers--3.8% of them--reached the privacy policy, read it, and made 
the decision to opt out when presented with that immediate choice. The 
Commission's complaint instead adopts an approach that places legal 
form over substance, is inconsistent with the available data, and 
defies common sense.
    The Commission's approach here is problematic for another reason. 
To the extent there is consumer injury when consumers are offered an 
opt out from tracking that cannot be effectuated, or that more 
generally, consumers are uncomfortable with such tracking and it should 
be disclosed to them, the proposed consent order does nothing to 
alleviate such harm and will, instead, likely exacerbate it. Nomi has 
removed its representation about a retail level opt-out mechanism from 
its privacy policy. The proposed consent order does not require Nomi to 
offer such a mechanism, nor does it require Nomi to disclose the 
tracking in retail locations.\16\ It is unlikely that Nomi could agree 
to such a condition in any case--Nomi contracts with retailers and has no 
control over the retailers' premises. The order does not--and cannot--
compel retailers to disclose the tracking technology.
---------------------------------------------------------------------------

    \16\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Proposed Consent Order Part I (Apr. 23, 2015).
---------------------------------------------------------------------------

    Even assuming arguendo Nomi's privacy policy statement is deceptive 
under the Deception Policy Statement, the FTC would better serve 
consumers by declining to take action against Nomi. The analytical 
failings of the Commission's approach are not harmless error. Rather, 
aggressive prosecution of this sort will inevitably deter industry 
participants like Nomi from engaging in voluntary practices that 
promote consumer choice and transparency--the very principles that lie 
at the heart of the Commission's consumer protection mission.\17\ Nomi 
was under no legal obligation to post a privacy policy, describe its 
practices to consumers, or to offer an opt-out mechanism. To penalize a 
company for such a minor shortcoming--particularly when there is no 
evidence the misrepresentation harmed consumers--sends a dangerous 
message to firms weighing the costs and benefits of voluntarily 
providing information and choice to consumers.
---------------------------------------------------------------------------

    \17\ In addition, Nomi arguably offered a product that was more 
privacy-protective than other, more intrusive methods that retailers 
currently employ, such as video cameras. See Clifford & Hardy, supra 
note 14 (``Cameras have become so sophisticated, with sharper lenses 
and data-processing, that companies can analyze what shoppers are 
looking at, and even what their mood is.'').
---------------------------------------------------------------------------

    Finally, market forces already appear to be responding to consumer 
preferences related to tracking technology. For example, in response to 
potential consumer discomfort some retailers have discontinued or 
changed the methods by which they track visitors to their physical 
stores.\18\ Technological innovation has also responded to incentives 
to provide a better consumer experience, including a Bluetooth 
technology that provides not only an opt-in choice for consumers,\19\ 
but also gives retailers the opportunity to provide their consumers 
with a more robust shopping experience.\20\ Notably, Nomi itself has 
responded to these market changes and no longer offers the MAC address 
tracking technology to any retailer other than its legacy customers.
---------------------------------------------------------------------------

    \18\ See, e.g., Amy Hollyfield, Philz to Stop Tracking Customers 
via Smartphones, ABC 7 News (May 29, 2014), https://abc7news.com/business/philz-to-stop-tracking-customers-via-smartphones/83943/; 
Peter Cohan, How Nordstrom Uses WiFi to Spy On Shoppers, Forbes (May 
9, 2013), https://www.forbes.com/sites/petercohan/2013/05/09/how-nordstrom-and-home-depot-use-wifi-to-spy-on-shoppers/.
    \19\ See, e.g., Siraj Datoo, High Street Shops are Studying 
Shopper Behaviour by Tracking Their Smartphones or Movement, The 
Guardian (Oct. 3, 2013), https://www.theguardian.com/news/datablog/2013/oct/03/analytics-amazon-retailers-physical-cookies-high-street 
(``If customers create accounts on the wireless network--something 
millions have done--they first have to accept terms and conditions 
that opts them in to having their movements monitored when inside 
the stores''); Jess Bolluyt, What's So Bad About In-Store Tracking?, 
The Cheat Sheet (Nov. 27, 2014), https://www.cheatsheet.com/technology/whats-so-bad-about-in-store-tracking.html/?a=viewall 
(``customers have to turn on Bluetooth, accept location services, 
and opt in to receive notifications'').
    \20\ See, e.g., Greg Petro, How Proximity Marketing Is Driving 
Retail Sales, Forbes (Oct. 8, 2014), https://www.forbes.com/sites/gregpetro/2014/10/08/how-proximity-marketing-is-driving-retail-sales/ 
(``[This will] allow Macy's to send personalized department-
level deals, discounts, recommendations and rewards to customers who 
opt-in to receive the offers''); Datoo, supra note 20 (after opting 
in, ``[u]sers can then add their loyalty card numbers to receive 
personalised recommendations.'').
---------------------------------------------------------------------------

    Accordingly, I dissent from the issuance of this complaint and the 
acceptance of a consent decree for public comment.

[FR Doc. 2015-10154 Filed 4-30-15; 8:45 am]
 BILLING CODE 6750-01-P