Tech Companies, App Developers Oppose FTC's Privacy Settlement With Nomi

Original Source 

Trade groups representing tech companies and app developers say they are opposed to the Federal Trade Commission's proposed consent decree with retail tracking firm Nomi Technologies, which allegedly misrepresented its privacy practices.

Nomi said in its former privacy policy that people could opt out of being tracked in retail environments by providing the company with their devices' 12-digit MAC addresses, according to the FTC. The company, which provides analytics services to retailers, also allegedly promised to allow consumers to opt out “at any retailer using Nomi’s technology.”

But Nomi didn't require its 45 retail clients to disclose whether they used the technology, and most of its clients didn't voluntarily do so, the FTC alleged in a complaint unveiled last month. The result was that consumers who might have chosen to opt out at retail locations weren't able to, according to the agency.

The company agreed to settle the FTC's charges by promising that it won't in the future misrepresent its policies. Nomi's current privacy policy no longer says that consumers can opt out at retail locations.

This week, trade groups including NetChoice (which counts Google, AOL, eBay, Facebook and Yahoo as members) and the Application Developers Alliance weighed in against the consent decree, arguing that the FTC's decision to prosecute Nomi could backfire.

“We worry this is action sending the wrong messages to businesses,” NetChoice says. “Even if you try to do the right thing, like providing broad consumer opt-out, the FTC will bring suit for even non-material errors in a privacy policy regardless of whether consumers were harmed by any misstatements.”

Commissioners Maureen Ohlhausen and Joshua Wright dissented from the decision to bring an enforcement action. Wright said that the inaccuracy in Nomi's privacy policy was “not material,” while Ohlhausen wrote that the majority's decision could encourage other companies to “do only the bare minimum on privacy,.”

But Commissioners Edith Ramirez, Julie Brill and Terrell McSweeny, who voted in favor of the decision, said that even though the FTC encourages companies to offer privacy choices, the agency “must take action in appropriate cases to stop companies from providing false choices.”

The Application Developers Alliance says in its filing that the inaccuracy in Nomi's privacy policy was “de minimis” and didn't harm consumers. “The Alliance believes that the penalty against Nomi is disproportionate and heavy-handed, and that its harshness may encourage companies to simplify their data practices and privacy policies to a degree that will always ensure their legality but will also transmit very little information to the consumer,” the organization writes.

“If this occurs then consumer information and consumer choices will diminish,” the developers' group says.

The U.S. Chamber of Commerce writes that the FTC should take a less aggressive approach with startups like Nomi. “Taking into consideration such factors as good faith efforts to comply with the law and allowing small entities to correct mistakes within a reasonable time frame regarding their privacy statements makes good policy sense,” the organization says.

Like other retail tracking companies, Nomi provides data about shoppers' traffic patterns, such as the percentage of people who enter a store after walking by it. Between January and October of 2013 (the time period covered by the FTC's complaint) Nomi gathered tracking data via 12-digit “media access control” (MAC) addresses -- identifiers that mobile devices broadcast when users turn on WiFi or Bluetooth.

Nomi attempted to anonymize the MAC addresses by replacing the actual series of characters with alternate, but persistent, identifiers, according to the FTC.

Last year, Apple moved to prevent tracking via MAC addresses by reconfiguring its software. Now, iOS 8's WiFi scanning uses random, locally administered MAC addresses, instead of the permanent MAC addresses.