FTC, NoMi and opting out

The U.S. Federal Trade Commission (FTC) settled charges with Nomi Technologies over it’s opt-out policy on April 23rd. Nomi’s business is putting devices in retail stores that track MAC addresses.  A MAC unique MAC address is associated with every device that can use WiFi –it is the key to communicating with your device (cell phone, tablet, laptop, etc.) as opposed to someone elses device.  Nomi apparently performs a hash ‘encryption’ on this (which is still unique, just not usable for WiFi communications) and tracks your presence near or in participating retail stores world wide.

The question the FTC was addressing is does Nomi adhere to it’s privacy policy, which indicates you can opt out in store, and would know what stores are using the technology. Nomi’s privacy policy (as of April 24) indicates they will never collect any personally identifiable information without a consumer’s explicit opt in — of course since you do not know where they are active, nor that they even exist it would appear that they have no consumer’s opting in.  Read that again closely — “personally identifiable information” … it is a MAC address, not your name, and at least one dissenting FTC commissioner asserted that “It is important to note that, as a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.”  In other words, as long as Nomi is not selling something to the public, they should have no-holds-barred ability to use your private data anyway they like. The second dissenting commissioner asserts “Nomi does not track individual consumers – that is, Nomi’s technology records whether individuals are unique or repeat visitors, but it does not identify them.” Somehow this commissioner assumes that the unique hash code for a MAC address that can be used to distinguish if a visitor is a repeat, is less of a individual identifier than the initial MAC address (which he notes is not stored.) This is sort of like saying your social security number backwards (a simplistic hash) is not an identifier whereas the number in normal order is.  Clearly the data is a unique identifier and is stored.  Nomi offers the service (according to their web site) to “increase customer engagement by delivering highly relevant mobile campaigns in real time through your mobile app” So, with the data the store (at it’s option) chooses to collect from customers (presumably by their opting in via downloading an app) is the point where your name, address, and credit card information are tied into the hashed MAC address.  Both dissenting commissioners somehow feel that consumers are quite nicely covered by the ability to go to the web site of a company you never heard of, and enter all of your device MAC addresses (which you no doubt have memorized) to opt-out of a collecting data about you that you do not know is being collected for purposes that even that company does not know (since it is the retailer that actually makes use of the data.)  There may be a need to educate some of the folks at the FTC.

If you want to opt out of this one (of many possible) vendors of individual tracking devices you can do so at http://www.nomi.com/homepage/privacy/ .Good Luck.

 

Leave a Reply