Federal Register, Volume 80 Issue 84 (Friday, May 1, 2015)

[Federal Register Volume 80, Number 84 (Friday, May 1, 2015)]
[Notices]
[Pages 24923-24929]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-10154]

=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3251]

Nomi Technologies, Inc.; Analysis of Proposed Consent Order To
Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment

[[Page 24924]]

describes both the allegations in the draft complaint and the terms of
the consent order--embodied in the consent agreement--that would settle
these allegations.

DATES: Comments must be received on or before May 25, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/nomitechconsent online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Nomi Technologies,
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and file
your comment online at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based form. If
you prefer to file your comment on paper, write ``Nomi Technologies,
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on
the envelope, and mail your comment to the following address: Federal
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW.,
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment
to the following address: Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite
5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Amanda Koulousias (202-326-3334) or
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for April 23, 2015), on the World Wide Web at:
http://www.ftc.gov/os/actions.shtm.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before May 25, 2015.
Write ``Nomi Technologies, Inc.,--Consent Agreement; File No. 132
3251'' on your comment. Your comment--including your name and your
state--will be placed on the public record of this proceeding,
including, to the extent practicable, on the public Commission Web
site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission tries to remove individuals' home contact
information from comments before placing them on the Commission Web
site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which . . . is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------

\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/nomitechconsent by following the instructions on the web-based
form. If this Notice appears at http://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``Nomi Technologies,
Inc.,--Consent Agreement; File No. 132 3251'' on your comment and on
the envelope, and mail your comment to the following address: Federal
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW.,
Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment
to the following address: Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite
5610 (Annex D), Washington, DC 20024. If possible, submit your paper
comment to the Commission by courier or overnight service.
Visit the Commission Web site at http://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before May 25, 2015. You can find more information,
including routine uses permitted by the Privacy Act, in the
Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final
approval, a consent order applicable to Nomi Technologies, Inc.
(``Nomi'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Nomi uses mobile device tracking technology to provide analytics
services to brick and mortar retailers through its ``Listen'' service.
Nomi has been collecting information from consumers' mobile devices to
provide the Listen service since January 2013. Nomi places sensors in
its clients' retail locations that detect the media access control
(``MAC'') address broadcast by a mobile device when it searches for
WiFi networks. A MAC address is a 12-digit identifier that is unique to
a particular device. Alternatively, in some instances Nomi collects MAC
addresses through its clients' existing WiFi access points. In addition
to the MAC address, Nomi

[[Page 24925]]

also collects the following information about each mobile device that
comes within range of its sensors or its clients' WiFi access points:
The mobile device's signal strength; the mobile device's manufacturer
(derived from the MAC address); the location of the sensor or WiFi
access point observing the mobile device; and the date and time the
mobile device is observed.
Nomi cryptographically hashes the MAC addresses it observes prior
to storing them on its servers. Hashing obfuscates the MAC address, but
the result is still a persistent unique identifier for that mobile
device. Each time a MAC address is run through the same hash function,
the resulting identifier will be the same. For example, if MAC address
1A:2B:3C:4D:5E:6F is run through Nomi's hash function on ten different
occasions, the resulting identifier will be the same each time. As a
result, while Nomi does not store the MAC address, it does store a
persistent unique identifier for each mobile device. Nomi collected
information about approximately nine million unique mobile devices
between January 2013 and September 2013.
Nomi uses the information it collects to provide analytics reports
to its clients about aggregate customer traffic patterns such as: The
percentage of consumers merely passing by the store versus entering the
store; the average duration of consumers' visits; types of mobile
devices used by consumers visiting a location; the percentage of repeat
customers within a given time period; and the number of customers that
have also visited another location within the client's chain. Through
October 22, 2013, Nomi's Listen service had approximately 45 clients.
Some of these clients deployed the service in multiple locations within
their chains.
Nomi has not published, or otherwise made available to consumers, a
list of the retailers that use or used the Listen service. Nomi does
not require its clients to post disclosures or otherwise notify
consumers that they use the Listen service. Through October 22, 2013,
most, if not all, of Nomi's clients did not post any disclosure, or
otherwise notify consumers, regarding their use of the Listen service.
From at least November 2012, until October 22, 2013, Nomi
disseminated or caused to be disseminated privacy policies on its Web
site, nomi.com or getnomi.com, which included the following statement:

Nomi pledges to. . . . Always allow consumers to opt out of
Nomi's service on its Web site as well as at any retailer using
Nomi's technology.

Nomi provided, and continues to provide, an opt out on its Web site
for consumers who do not want Nomi to store observations of their
mobile device. In order to opt out of the Listen service on Nomi's Web
site, consumers were required to provide Nomi with all of their mobile
devices' MAC addresses, without knowing whether they would ever shop at
a retail location using the Listen service. Once a consumer has entered
the MAC address of their device into Nomi's Web site opt out, Nomi adds
it to a blacklist of MAC addresses for which information will not be
stored. Consumers who did not opt out on Nomi's Web site and instead
wanted to make the opt out decision at retail locations were unable to
do so, despite the explicit promise in Nomi's privacy policies.
Consumers were not provided any means to opt out at retail locations
and were unaware that the service was even being used.
The Commission's complaint alleges that Nomi's privacy policy
represented that: (1) Consumers could opt out of Nomi's Listen service
at retail locations using this service, and (2) that consumers would be
given notice when a retail location was utilizing Nomi's Listen
service. The complaint alleges that Nomi violated Section 5 of the
Federal Trade Commission Act by misleading consumers because, contrary
to its representations, Nomi did not provide an opt-out mechanism at
its clients' retail locations and neither Nomi nor its clients
disclosed to consumers that Nomi's Listen service was being used at a
retail location.
The proposed order contains provisions designed to prevent Nomi
from engaging in the future in practices similar to those alleged in
the complaint. Part I of the proposed order prohibits Nomi from
misrepresenting: (A) The options through which, or the extent to which,
consumers can exercise control over the collection, use, disclosure, or
sharing of information collected from or about them or their computers
or devices, or (B) the extent to which consumers will be provided
notice about how data from or about a particular consumer, computer, or
device is collected, used, disclosed, or shared.
Parts II through VI of the proposed order are reporting and
compliance provisions. Part II requires Nomi to retain documents
relating to its compliance with the order. The order requires that all
of the documents be retained for a five-year period. Part III requires
dissemination of the order now and in the future to all current and
future subsidiaries, principals, officers, directors, and managers, and
to persons with responsibilities relating to the subject matter of the
order. Part IV ensures notification to the FTC of changes in corporate
status. Part V mandates that Nomi submit a compliance report to the FTC
within 90 days, and periodically thereafter as requested. Part VI is a
provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order or to modify the
order's terms in any way.

By direction of the Commission, Commissioners Ohlhausen and
Wright dissenting.
Donald S. Clark,
Secretary.

Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner
McSweeny

We write to express our support for the complaint and proposed
consent order in this case.
Nomi Technologies, Inc. is a provider of technology services that
allow retailers to track consumers' movements around their stores by
detecting the media access control (``MAC'') addresses broadcast by the
WiFi interface on consumers' mobile devices.\1\ Services like Nomi's
benefit businesses and consumers. For example, they enable retailers to
improve store layouts and reduce customer wait times.
---------------------------------------------------------------------------

\1\ Although Nomi took steps to obscure the MAC addresses it
collected by cryptographically hashing them, hashing generates a
unique number that can be used to identify a device throughout its
lifetime and is a process that can easily be ``reversed'' to reveal
the original MAC address. See, e.g., Jonathan Mayer, Questionable
Crypto in Retail Analytics, March 19, 2014, http://webpolicy.org/2014/03/19/questionable-crypto-in-retail-analytics/ (describing
successful efforts in ``reversing the hash'' to identify the
original MAC address).
---------------------------------------------------------------------------

At the same time, Nomi's service, and others like it, raise privacy
concerns because they rely on the collection and use of consumers'
precise location data. Indeed, Nomi sought to assure consumers that its
practices were privacy-protecting, declaring in its privacy policy that
``privacy is our first priority.'' A core element of Nomi's assurance
was its promise that consumers could opt out of Nomi's service through
its Web site ``as well as at any retailer using Nomi's technology.''
Thus, Nomi made a specific and express promise to consumers about how,
when, and where they could opt out of the location tracking services
that the company provided to its clients.

[[Page 24926]]

As the Commission alleges in its complaint, however, this express
promise was false. At no time during the nearly year-long period that
Nomi made this promise to consumers did Nomi provide an in-store opt
out at the retailers using its service. Moreover, the express promise
of an in-store opt out necessarily makes a second, implied promise:
That retailers using Nomi's service would notify consumers that the
service was in use. This promise was also false. Nomi did not require
its clients to provide such a notice. To our knowledge, no retailer
provided such a notice on its own.
The proposed order includes carefully-tailored relief designed to
prevent similar violations in the future. Specifically, it prohibits
Nomi from making future misrepresentations about the notice and choices
that will be provided to consumers about the collection and use of
their information.
Nevertheless, Commissioner Wright argues in his dissent that Nomi's
express promise to provide an in-store opt-out was not material because
a Web site opt-out was available, and that, in any event, the
Commission should not have brought this action because it will deter
industry from adopting business practices that benefit consumers. In a
separate statement, Commissioner Ohlhausen dissents on grounds of
prosecutorial discretion. This statement addresses both dissents'
arguments.

I. Nomi's Express Opt-Out Promise Was False and Material, and Therefore
Deceptive

According to the Commission's Deception Policy Statement, a
deceptive representation, omission, or practice is one that is material
and likely to mislead a consumer acting reasonably under the
circumstances. ``The basic question [with respect to materiality] is
whether the act or practice is likely to affect the consumer's conduct
or decision with respect to the product or service.'' \2\ Furthermore,
the Commission presumes that an express claim is material,\3\ as is
``information pertaining to the central characteristics of the product
or service.'' \4\
---------------------------------------------------------------------------

\2\ Deception Policy Statement Sec. I.
\3\ Deception Policy Statement Sec. IV.
\4\ Id.
---------------------------------------------------------------------------

Importantly, Section 5 case law makes clear that ``[m]ateriality is
not a test of the effectiveness of the communication in reaching large
numbers of consumers. It is a test of the likely effect of the claim on
the conduct of a consumer who has been reached and deceived.'' \5\
Consumers who read the Nomi privacy statement would likely have been
privacy-sensitive, and claims about how and when they could opt out
would likely have especially mattered to them. Some of those consumers
could reasonably have decided not to share their MAC address with an
unfamiliar company in order to opt out of tracking, as the Web site-
based opt-out required. Instead, those consumers may reasonably have
decided to wait to see if stores they patronized actually used Nomi's
services and opt out then. Or they may have decided that they would
simply not patronize stores that use Nomi's services, so that they
could effectively ``vote with their feet'' rather than exercising the
opt-out choice. Or consumers may simply have found it inconvenient to
opt out at the moment they were viewing Nomi's privacy policy, and
decided to opt out later.
---------------------------------------------------------------------------

\5\ In the Matter of Novartis, 1999 FTC LEXIS 63 *38 (May 27,
1999).
---------------------------------------------------------------------------

These choices were rendered illusory because of Nomi's alleged
failure to ensure that its client retailers provide any signs or opt-
outs at stores. Further, consumers visiting stores that used Nomi's
services would have reasonably concluded, in the absence of signage and
the promised opt-outs, that these stores did not use Nomi's services.
Nomi's express representations regarding how consumers may opt out of
its location tracking services go to the very heart of consumers'
ability to make decisions about whether to participate in these
services. Thus, we have ample reason to believe that Nomi's opt-out
representations were material.
In his dissent, Commissioner Wright points to certain evidence
that, in his view, rebuts the notion that a consumer who viewed Nomi's
privacy policy would ``bypass the easier and immediate route (the
online opt out) in favor of waiting'' to opt out at a retail
location.\6\ According to Commissioner Wright, because consumers who
viewed Nomi's privacy policy opted out at a higher rate (3.8%) than
what is reported for a certain method of opting out of online
behavioral advertising (less than 1%),\7\ this shows that consumers who
wanted to opt out of tracking were able to do so--and therefore, the
representation that consumers could opt out at an individual retailer
was not material. We do not believe the 3.8% opt-out rate provides
reliable evidence to rebut the presumption of materiality.
---------------------------------------------------------------------------

\6\ Statement of Commissioner Wright at 4.
\7\ Id. at 3 & n.15.
---------------------------------------------------------------------------

The benchmark against which Commissioner Wright measures the Nomi
opt-out rate--the purported opt out rate for online behavioral
advertising--is neither directly comparable to, nor provides meaningful
information about, consumers' likely motivations in deciding whether to
opt-out of Nomi's Listen service. The difference in opt-out rates could
simply mean that the practice of location tracking is much more
material to consumers than behavioral advertising, and for that reason
a much higher number of consumers exercised the Web site opt out.
Indeed, recent studies have shown that consumers are concerned about
offline retail tracking and tracking that occurs over time,\8\ as took
place here. These relative opt-out rates could just as easily imply
that many more than 3.8% of consumers were interested in opting out of
Nomi's retail tracking, and that the consumers who did not opt out on
the Web site were relying on their ability to opt out in stores, as
promised by Nomi.
---------------------------------------------------------------------------

\8\ See New Study: Consumers Overwhelmingly Reject In-store
Tracking by Retailers, OpinionLab, March 27, 2014 http://www.opinionlab.com/press_release/new-study-consumers-overwhelmingly-reject-in-store-tracking-by-retailers/ (44% of survey respondents
indicated that they would be less likely to shop at a store that
uses in-store mobile device tracking); Spring Privacy Series: Mobile
Device Tracking Seminar, available at http://www.ftc.gov/system/files/documents/public_events/182251/140219mobiledevicetranscript.pdf; Remarks of Ilana Westerman, Create
with Context, at 47-48; 50 (stating that a study of 4600 Americans
showed that consumers are reluctant to give up their location
histories).
---------------------------------------------------------------------------

In short, the 3.8% opt-out rate for Nomi's Web site opt-out, along
with the comparison to opt-out rates in other contexts, is simply
insufficient evidence to evaluate what choices the other 96.2% of
visitors to the Web site intended to make, given the promises Nomi made
to them about their options. Commissioner Wright is simply speculating
when he extrapolates from the available data his conclusion that in-
store opt-out rates would have been so low as to render the in-store
option immaterial. Such inconclusive evidence fails to rebut any
presumption of materiality that we might apply to Nomi's statements.

II. The Proposed Order Contains Appropriate and Meaningful Relief

The Commission's acceptance of the consent agreement is appropriate
in light of both Nomi's alleged deception and the relief in the
proposed order. The proposed order addresses the underlying deception
in an appropriately tailored way. It prohibits Nomi from
misrepresenting the options that consumers have to exercise control
over information that Nomi collects, uses, discloses, or shares about
them or their devices.\9\ It also prohibits Nomi from misrepresenting
the extent to

[[Page 24927]]

which consumers will be notified about such choices.\10\ Nomi may be
subject to civil penalties if it violates either of these prohibitions.
While the consent order does not require that Nomi provide in-store
notice when a store uses its services or offer an in-store opt out,
that was not the Commission's goal in bringing this case. This case is
simply about ensuring that when companies promise consumers the ability
to make choices, they follow through on those promises. The relief in
the order is therefore directly tied to the deceptive practices alleged
in the complaint.\11\ The order will also serve to deter other
companies from making similar false promises and encourage them to
periodically review the statements they make to consumers to ensure
that they are accurate and up-to-date.
---------------------------------------------------------------------------

\9\ Order Sec. I.
\10\ Id.
\11\ After arguing primarily that Nomi did not violate Section
5, Commissioner Wright argues in the alternative that the proposed
order is too narrow. See Statement of Commissioner Wright at 4
(stating that ``the proposed consent order does nothing to alleviate
such harm [from retail location tracking]'' because it does not
require Nomi to offer, and provide notice of, an in-store opt out).
This argument is based on a misunderstanding of the injury at issue
in this case. Here, the injury to consumers was Nomi's allegedly
false and material statement of the opt-out choices available to
consumers. The proposed order prohibits Nomi from making such
representations and thereby addresses the underlying consumer
injury.
---------------------------------------------------------------------------

In their dissents, however, Commissioners Wright and Ohlhausen
argue that the Commission should have declined to take action in this
case. Commissioner Ohlhausen views this action as ``encourag[ing]
companies to do only the bare minimum on privacy, ultimately leaving
consumers worse off.'' \12\ Similarly, Commissioner Wright argues that
the action against Nomi ``sends a dangerous message to firms weighing
the costs and benefits of voluntarily providing information and choice
to consumers.'' \13\
---------------------------------------------------------------------------

\12\ Statement of Commissioner Ohlhausen.
\13\ Statement of Commissioner Wright at 4.
---------------------------------------------------------------------------

The Commission encourages companies to provide privacy choices to
consumers, but it also must take action in appropriate cases to stop
companies from providing false choices. Our action today does just
that. Indeed, this case is very similar to prior Commission cases
involving allegedly deceptive opt outs.\14\ We do not believe that any
of these actions--including the one announced today--have deterred or
will deter companies from providing truthful choices. To the contrary,
companies are voluntarily adopting enforceable privacy commitments in
the retail location tracking space \15\ and in other areas.\16\
---------------------------------------------------------------------------

\14\ See U.S. v. Google Inc., No. CV 12-04177, (N.D. Cal. Nov.
16, 2012) (stipulated injunction) ($22.5 million settlement over
Google's allegedly deceptive opt out, which did not work on the
Safari browser); Chitika, Inc., No. C-4324, (F.T.C. June 7, 2011)
(consent order) available at http://www.ftc.gov/enforcement/cases-proceedings/1023087/chitika-inc-matter (alleging that advertising
network deceived consumers by not telling them that their opt out of
behavioral advertising cookies would last only 10 days); U.S.
Search, Inc., No. C-4317 (Mar. 14, 2011) (consent order) available
at http://www.ftc.gov/enforcement/cases-proceedings/us-search-inc
(alleging that a data broker deceived consumers by failing to
disclose limitations of its opt out).
\15\ The Future of Privacy Forum has developed an entire self-
regulatory code that requires industry members to provide such
choices. See also Jan Lauren Boyles et al., Pew Internet Project,
Privacy and Data Management on Mobile Devices 2 (2012), available at
http://www.pewinternet.org/files/old-media/Files/Reports/2012/PIP_MobilePrivacyManagement.pdf (reporting that 19% of consumers
``turned off the location tracking feature on their cell phone
because they were concerned that other individuals or companies
could access that information) and Westerman, supra note 8, at 50-52
(describing sensitivity of location history, based on study of 4600
U.S. consumers).
\16\ See, e.g., Future of Privacy Forum, K-12 Student Privacy
Pledge Announced (Oct. 7, 2014), available at http://www.futureofprivacy.org/2014/10/07/k-12-student-privacy-pledge-announced/.
---------------------------------------------------------------------------

* * * * *
The application of Section 5 deception authority to express
statements likely to affect a consumer's choice of or conduct regarding
a good or service is well established. For close to a year, Nomi
claimed to offer two opt-out methods but in fact it provided only one.
We believe this failure was material and that Nomi had a legal
obligation to fulfill the promises it made to consumers.

Dissenting Statement of Commissioner Maureen K. Ohlhausen

Nomi Technologies Inc., a startup company, offered its retail
merchant clients the ability to analyze aggregate data about consumer
traffic in the merchants' stores. Nomi provided this service by
observing smartphone MAC addresses--a series of hexadecimal numbers
that every WiFi-enabled device publicly broadcasts to any listening
receiver. Nomi did not store this publicly broadcast information, but
instead hashed the addresses and stored the hash. Nomi provided this
service as a third party contractor; it had no direct relationship with
consumers. At the time covered by the complaint, the majority of Nomi's
customers were trialing this startup service in a few stores, at most.
It is important to note that, as a third party contractor
collecting no personally identifiable information, Nomi had no
obligation to offer consumers an opt out. Yet from the inception of the
service, Nomi offered all consumers the opportunity to opt out
globally.
For a time, Nomi's privacy policy stated that Nomi ``pledges to . .
. Always allow consumers to opt out of Nomi's service on its Web site
as well as at any retailer using Nomi's technology.'' \1\ As already
noted, Nomi did offer a global opt out on its Web site. However, it
appears that none of Nomi's retail clients offered consumers the
opportunity or ability to opt out. Thus, Nomi's privacy policy was
partly inaccurate. As Commissioner Wright points out, the evidence we
have suggests that the privacy policy's partially inaccurate statement
harmed no consumers.\2\
---------------------------------------------------------------------------

\1\ Complaint, Exhibit A (Nomi's privacy policy from
approximately Nov. 2012 until Jan. 2013) (emphasis added).
\2\ Dissenting Statement of Commissioner Joshua Wright at 2.
---------------------------------------------------------------------------

I believe the FTC should not have brought a case against Nomi based
on these facts and instead should have exercised its prosecutorial
discretion, for two reasons. First, the Commission should use its
limited resources to pursue cases that involve consumer harm. Second,
and more importantly, we should not apply a de facto strict liability
approach to a young company that attempted to go above and beyond its
legal obligation to protect consumers but, in so doing, erred without
benefiting itself. I fear that the majority's decision in this case
encourages companies to do only the bare minimum on privacy, ultimately
leaving consumers worse off.
For these reasons, I dissent.

Dissenting Statement of Commissioner Joshua D. Wright

Today, the Commission finds itself in the unfortunate position of
trying to fix a problem that no longer exists by stretching a legal
theory to fit the unwieldy facts before it. I dissent from the
Commission's decision to accept for public comment a consent order with
Nomi Technologies, Inc. (Nomi) not only because it is inconsistent with
a fair reading of the Commission's Policy Statement on Deception, but
also because even if the facts were to support a technical legal
violation--which they do not--prosecutorial discretion would favor
restraint.
Nomi does not track individual consumers--that is, Nomi's
technology records whether individuals are unique or repeat visitors,
but it does not identify them. Nomi provides analytics services based
upon data collected from mobile device tracking technology to brick-
and-mortar retailers through its

[[Page 24928]]

``Listen'' service.\1\ Nomi uses sensors placed in its clients' retail
locations or its clients' existing WiFi access points to detect the
media access control (MAC) address broadcast by a consumer's mobile
device when it searches for WiFi networks. Nomi passes MAC addresses
through a cryptographic hash function before collection and creates a
persistent unique identifier for the mobile device.\2\ Nomi does not
``unhash'' this identifier to retrieve the MAC addresses and Nomi does
not store the MAC addresses of the mobile devices. In addition to
creating this unique persistent identifier, Nomi collects the device
manufacturer information, the device's signal strength, and the date,
time and locating sensor of the mobile device. This information is then
used to provide analytics to Nomi's clients. For example, even without
knowing the identity of those visiting their stores, the data provided
by Nomi's Listen service can generate potentially valuable insights
about aggregate in-store consumer traffic patterns, such as the average
duration of customers' visits, the percentage of repeat customers, or
the percentage of consumers that pass by a store rather than entering
it. These insights, in turn, allow retailers to measure how different
retail promotions, product offerings, displays, and services impact
consumers. In short, these insights help retailers optimize consumers'
shopping experiences,\3\ inform staffing coverage for their stores, and
improve store layouts.
---------------------------------------------------------------------------

\1\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Compl. ] 3 (Apr. 23, 2015).
\2\ For more information on cryptographic hashing, see Rob
Sobers, The Definitive Guide to Cryptographic Hash Functions (Part
I), Varonis (Aug. 2, 2012), http://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/.
\3\ See, e.g., Alyson Shontell, It Took Only 13 Days for Former
Salesforce Execs to Raise $3 Million for Their Startup, Nomi,
Business Insider (Feb. 11, 2013), http://www.businessinsider.com/former-salesforce-and-buddy-media-executives-raise-3-million-nomi-2013-2 (``The moment you open Amazon.com, your entire retail
experience is personalized, down to the promotions you see and the
products you are pushed. That's because e-commerce is a data-driven
industry, and Web sites know a lot about customers who stumble on to
their Web sites. Physical stores however, where 90% of all retail
purchases still occur, know nothing about the customers who walk in
their doors.'').
---------------------------------------------------------------------------

The Commission's complaint focuses upon a single statement in
Nomi's privacy policy. Specifically, Nomi's privacy policy states that
``Nomi pledges to . . . Always allow consumers to opt out of Nomi's
service on its Web site as well as at any retailer using Nomi's
technology.'' \4\ Count I of the complaint alleges Nomi represented in
its privacy policy that consumers could opt out of its Listen service
at retail locations using the service, but did not in fact provide a
retail level opt out. Count II relies upon this same representation to
allege a second deceptive practice--that the failure to provide the opt
out in the first instance also implies a failure to provide notice to
consumers that a specific retailer would be using the Listen
service.\5\
---------------------------------------------------------------------------

\4\ Compl. ] 12.
\5\ Compl. ] 16-17.
---------------------------------------------------------------------------

The Commission's decision to issue a complaint and accept a consent
order for public comment in this matter is problematic for both legal
and policy reasons. Section 5(b) of the FTC Act requires us, before
issuing any complaint, to establish ``reason to believe that [a
violation has occurred]'' and that an enforcement action would ``be to
the interest of the public.'' \6\ While the Act does not set forth a
separate standard for accepting a consent decree, I believe that
threshold should be at least as high as for bringing the initial
complaint. The Commission has not met the relatively low ``reason to
believe'' bar because its complaint does not meet the basic
requirements of the Commission's 1983 Deception Policy Statement.
Further, the complaint and proposed settlement risk significant harm to
consumers by deterring industry participants from adopting business
practices that benefit consumers.
---------------------------------------------------------------------------

\6\ 15 U.S.C. 45(b).
---------------------------------------------------------------------------

The fundamental failure of the Commission's complaint is that the
evidence simply does not support the allegation that Nomi's
representation about an opportunity to opt out of the Listen service at
the retail level--in light of the immediate and easily accessible opt
out available on the Web page itself--was material to consumers. This
failure alone is fatal. A representation simply cannot be deceptive
under the long-standing FTC Policy Statement on Deception in the
absence of materiality.\7\ The Policy Statement on Deception highlights
the centrality of the materiality inquiry, observing that the ``basic
question is whether the act or practice is likely to affect the
consumer's conduct or decision with regard to a product or service.''
\8\ The materiality inquiry is critical because the Commission's
construct of ``deception'' uses materiality as an evidentiary proxy for
consumer injury: ``[i]njury exists if consumers would have chosen
differently but for the deception. If different choices are likely, the
claim is material, and injury is likely as well.'' \9\ This is a
critical point. Deception causes consumer harm because it influences
consumer behavior--that is, the deceptive statement is one that is not
merely misleading in the abstract but one that causes cause consumers
to make choices to their detriment that they would not have otherwise
made. This essential link between materiality and consumer injury
ensures the Commission's deception authority is employed to deter only
conduct that is likely to harm consumers and does not chill business
conduct that makes consumers better off. This link also unifies the
Commission's two foundational consumer protection authorities--
deception and unfairness--by tethering them to consumer injury.
---------------------------------------------------------------------------

\7\ Fed. Trade Comm'n, Policy Statement on Deception (1983),
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 175, 182 (1984)
[hereinafter FTC Policy Statement on Deception], available at
https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.
\8\ FTC Policy Statement on Deception, 103 F.T.C. at 175.
\9\ Id. at 183.
---------------------------------------------------------------------------

The Commission does not explain how it finds the materiality
requirement satisfied; presumably it does so upon the assumption that
``express statements'' are presumptively material.\10\ However, that
presumption was never intended to substitute for common sense,
evidence, or analysis. Indeed, the Policy Statement on Deception
acknowledges the ``Commission will always consider relevant and
competent evidence offered to rebut presumptions of materiality.'' \11\
Here, the Commission failed to discharge its commitment to duly
consider relevant and competent evidence that squarely rebuts the
presumption that Nomi's failure to implement an additional, retail-
level opt out was material to consumers. In other words, the Commission
neglects to take into account evidence demonstrating consumers would
not ``have chosen differently'' but for the allegedly deceptive
representation.
---------------------------------------------------------------------------

\10\ See POM Wonderful LLC, 2013 FTC LEXIS 6, *121 (2013);
Novartis Corp., 127 F.T.C. 580, 686 (1999); American Home Prods., 98
F.T.C. 136, 368 (1981).
\11\ FTC Policy Statement on Deception, 103 F.T.C. at 182 n.47.
---------------------------------------------------------------------------

Nomi represented that consumers could opt out on its Web site as
well as in the store where the Listen service was being utilized. Nomi
did offer a fully functional and operational global opt out from the
Listen service on its Web site.\12\ Thus, the only remaining

[[Page 24929]]

potential issue is whether Nomi's failure to offer the represented in-
store opt out renders the statement in its privacy policy deceptive.
The evidence strongly implies that specific representation was not
material and therefore not deceptive. Nomi's ``tracking'' of users was
widely publicized in a story that appeared on the front page of The New
York Times,\13\ a publication with a daily reach of nearly 1.9 million
readers.\14\ Most likely due to this publicity, Nomi's Web site
received 3,840 unique visitors during the relevant timeframe and
received 146 opt outs--an opt-out rate of 3.8% of site visitors. This
opt-out rate is significantly higher than the opt-out rate for other
online activities.\15\ This high rate, relative to Web site visitors,
likely reflects the ease of a mechanism that was immediately and
quickly available to consumers at the time they may have been reading
the privacy policy.
---------------------------------------------------------------------------

\12\ As such, the facts of this case are distinguishable from
the cases cited for support by the majority in its statement. In the
Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Statement
of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny
5 n.14 (Apr. 23, 2015).
\13\ Stephanie Clifford & Quentin Hardy, Attention, Shoppers:
Store is Tracking Your Cell, New York Times (July 14, 2013), http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0.
\14\ The Associated Press, Top 10 Newspapers by Circulation:
Wall Street Journal Leads Weekday Circulation, Huffington Post (Apr.
30, 2013), http://www.huffingtonpost.com/2013/05/01/newspaper-circulation-top-10_n_3188612.html.
\15\ In perhaps the most comparable circumstance--Do Not Track
mechanisms--the opt-out rate is extremely low. See, e.g., Jack
Marshall, The Do Not Track Era, Digiday (Feb. 27, 2012), http://digiday.com/platforms/advertising-in-the-do-not-track-era/
(``[a]ccording to data from Evidon, which facilitates the serving of
those icons, someone clicks and goes through the opt-out process
once for every 10,000 ad impressions served''); Matthew Creamer,
Despite Digital Privacy Uproar, Consumers are Not Opting Out,
Advertising Age (May 31, 2011), http://adage.com/article/digital/digital-privacy-uproar-consumers-opting/227828/ (``Evidon, which has
the longest set of data, is seeing click-through of 0.005% with only
2% opting out from 30 billion impressions''). See also Richard
Beaumont, Cookie Opt-Out Stats Revealed, The Cookie Collective (Feb.
19, 2014), http://www.cookielaw.org/blog/2014/2/19/cookie-opt-out-statistics-revealed/.
---------------------------------------------------------------------------

The Commission's reliance upon a presumption of materiality as to
the additional representation of the availability of an in-store opt
out is dubious in light of evidence of the opt-out rate for the Web
page mechanism. Actual evidence of consumer behavior indicates that
consumers that were interested in opting out of the Listen service took
their first opportunity to do so. To presume the materiality of a
representation in a privacy policy concerning the availability of an
additional, in-store opt-out mechanism requires one to accept the
proposition that the privacy-sensitive consumer would be more likely to
bypass the easier and immediate route (the online opt out) in favor of
waiting until she had the opportunity to opt out in a physical
location. Here, we can easily dispense with shortcut presumptions meant
to aid the analysis of consumer harm rather than substitute for it. The
data allow us to know with an acceptable level of precision how many
consumers--3.8% of them--reached the privacy policy, read it, and made
the decision to opt out when presented with that immediate choice. The
Commission's complaint instead adopts an approach that places legal
form over substance, is inconsistent with the available data, and
defies common sense.
The Commission's approach here is problematic for another reason.
To the extent there is consumer injury when consumers are offered an
opt out from tracking that cannot be effectuated, or that more
generally, consumers are uncomfortable with such tracking and it should
be disclosed to them, the proposed consent order does nothing to
alleviate such harm and will, instead, likely exacerbate it. Nomi has
removed its representation about a retail level opt-out mechanism from
its privacy policy. The proposed consent order does not require Nomi to
offer such a mechanism, nor does it require Nomi to disclose the
tracking in retail locations.\16\ It is unlikely that Nomi could agree
to such a condition any case--Nomi contracts with retailers and has no
control over the retailers' premises. The order does not--and cannot--
compel retailers to disclose the tracking technology.
---------------------------------------------------------------------------

\16\ In the Matter of Nomi Technologies, Inc., FTC File No. 132-
3251, Proposed Consent Order Part I (Apr. 23, 2015).
---------------------------------------------------------------------------

Even assuming arguendo Nomi's privacy policy statement is deceptive
under the Deception Policy Statement, the FTC would better serve
consumers by declining to take action against Nomi. The analytical
failings of the Commission's approach are not harmless error. Rather,
aggressive prosecution of this sort will inevitably deter industry
participants like Nomi from engaging in voluntary practices that
promote consumer choice and transparency--the very principles that lie
at the heart of the Commission's consumer protection mission.\17\ Nomi
was under no legal obligation to post a privacy policy, describe its
practices to consumers, or to offer an opt-out mechanism. To penalize a
company for such a minor shortcoming--particularly when there is no
evidence the misrepresentation harmed consumers--sends a dangerous
message to firms weighing the costs and benefits of voluntarily
providing information and choice to consumers.
---------------------------------------------------------------------------

\17\ In addition, Nomi arguably offered a product that was more
privacy-protective than other, more intrusive methods that retailers
currently employ, such as video cameras. See Clifford & Hardy, supra
note 14 (``Cameras have become so sophisticated, with sharper lenses
and data-processing, that companies can analyze what shoppers are
looking at, and even what their mood is.'').
---------------------------------------------------------------------------

Finally, market forces already appear to be responding to consumer
preferences related to tracking technology. For example, in response to
potential consumer discomfort some retailers have discontinued or
changed the methods by which they track visitors to their physical
stores.\18\ Technological innovation has also responded to incentives
to provide a better consumer experience, including a Bluetooth
technology that provides not only an opt-in choice for consumers,\19\
but also gives retailers the opportunity to provide their consumers
with a more robust shopping experience.\20\ Notably, Nomi itself has
responded to these market changes and no longer offers the MAC address
tracking technology to any retailer other than its legacy customers.
---------------------------------------------------------------------------

\18\ See, e.g., Amy Hollyfield, Philz to Stop Tracking Customers
via Smartphones, ABC 7 News (May 29, 2014), http://abc7news.com/business/philz-to-stop-tracking-customers-via-smartphones/83943/;
Peter Cohan, How Nordstrom Uses WiFi to Spy On Shoppers, Forbes (May
9, 2013), http://www.forbes.com/sites/petercohan/2013/05/09/how-nordstrom-and-home-depot-use-wifi-to-spy-on-shoppers/.
\19\ See, e.g., Siraj Datoo, High Street Shops are Studying
Shopper Behaviour by Tracking Their Smartphones or Movement, The
Guardian (Oct. 3, 2013), http://www.theguardian.com/news/datablog/2013/oct/03/analytics-amazon-retailers-physical-cookies-high-street
(``If customers create accounts on the wireless network--something
millions have done--they first have to accept terms and conditions
that opts them in to having their movements monitored when inside
the stores''); Jess Bolluyt, What's So Bad About In-Store Tracking?,
The Cheat Sheet (Nov. 27, 2014), http://www.cheatsheet.com/technology/whats-so-bad-about-in-store-tracking.html/?a=viewall
(``customers have to turn on Bluetooth, accept location services,
and opt in to receive notifications'').
\20\ See, e.g., Greg Petro, How Proximity Marketing Is Driving
Retail Sales, Forbes (Oct. 8, 2014), http://www.forbes.com/sites/gregpetro/2014/10/08/how-proximity-marketing-is-driving-retail-sales/(``[This will] allow Macy's to send personalized department-
level deals, discounts, recommendations and rewards to customers who
opt-in to receive the offers''); Datoo, supra note 20 (after opting
in, ``[u]sers can then add their loyalty card numbers to receive
personalised recommendations.'').
---------------------------------------------------------------------------

Accordingly, I dissent from the issuance of this complaint and the
acceptance of a consent decree for public comment.

[FR Doc. 2015-10154 Filed 4-30-15; 8:45 am]
BILLING CODE 6750-01-P