Keep Your Mobile Tracking Off the FTC's Radar

By Published on .

Credit: iStock
Most Popular

The advertising industry is at a crossroads. As consumers spend increasing time on their mobile devices playing games, texting friends, searching for information and devouring entertainment, advertisers have embraced, though struggled with, this new medium given the challenges presented by the small screen. But as important as reaching consumers on their mobile devices might be, the greater opportunity for advertisers might be learning more about their customers by tracking where they go and how much time they spend shopping.

Enter mobile tracking. But tread carefully.

Mobile tracking information can be incredibly valuable because it doesn't lie. But since this information reveals where consumers come and go, how much time they spend in various locations, and may be collected without the consumer's knowledge, lawmakers, regulators and privacy advocates consider this information to be even more sensitive than user-provided personally identifiable information and thus deserving of heightened scrutiny. Even mobile platforms such as Apple and Google acknowledge the sensitive nature of geo-location data and accordingly require apps to obtain a user's permission before collecting this information. Several trade groups have established best practices for geo-tracking and even consumer protection regulators like the Federal Trade Commission have chimed in on what their expectations are for companies in this ecosystem. But to date, there are no specific laws governing these practices.

In the absence of such laws, the FTC has brought several actions against mobile-tracking firms that the consumer protection agency has found to violate basic consumer privacy rights. In June, the FTC charged InMobi, an India-based mobile advertising company, with engaging in deceptive data collection practices and violating the Children's Online Privacy Protection Act. The FTC claimed that InMobi tracked hundreds of millions of consumers on their mobile devices without their knowledge. Worse, the FTC claimed that InMobi represented, in various forms, to advertisers and consumers that its advertising software would only track consumers' locations after they had opted in to such tracking and in accordance with their devices' privacy settings. To the contrary, the FTC found, InMobi tracked consumers' locations whether or not they opted in, and even where tracking permission was denied.

In some ways, the FTC's concern with InMobi rested primarily with the company's misrepresenting its data collection policies and practices, which is a garden-variety FTC deception case. FTC Lesson 101: If you make a public statement about your privacy policies and practices, ensure that it is accurate.

The FTC brought a similar case last year against a company called Nomi Technologies that uses sensors to follow consumers' mobile phone signals to detect individualized and aggregated traffic patterns through stores and malls. Nomi placed sensors in the stores of its retail clients, which, using Wi-Fi connections, allowed it to collect the 12-digit MAC addresses of mobile devices to track consumers' activities as they entered, browsed and left stores. The FTC charged Nomi with misrepresenting its data-collection practices by stating in its privacy policy that it would "always allow consumers to opt-out of Nomi's service on its website as well as at any retailer using Nomi's technology." But, as with InMobi, the FTC found that Nomi did not live up to its privacy policy, as the promised in-store opt-out mechanism was not available and consumers were not informed when the tracking was actually taking place.

According to the FTC, these deceptions enabled Nomi to collect information on roughly 9 million mobile devices and provide reports to retailers such as how long consumers stayed in a store, how many consumers passed by instead of entering, and how many repeat customers entered a store in a given period. In addition, although Nomi "hashed" (or anonymized) MAC addresses before storing them, the FTC noted that the hashing process resulted in an identifier that was unique to the consumer's mobile device and could be tracked over time.

Interestingly, when issuing the complaint and accepting the proposed consent order with the company, the FTC was not unified, with two commissioners dissenting. Notably, Commissioner Maureen Ohlhausen emphasized that Nomi was a start-up with limited funds as well as "a third-party contractor collecting no personally identifiable information," with no obligation to offer consumers an opt-out. She also agreed with then-Commissioner Joshua Wright that Nomi's privacy policy was "partly accurate," as the company did allow opt-outs on its website, and that no evidence existed of consumer harm. "A representation simply cannot be deceptive under the long-standing FTC Policy Statement on Deception in the absence of materiality," Mr. Wright wrote in his dissent.

Tracking technology will continue to grow exponentially, rendering today's privacy laws archaic and woefully inadequate. These technologies will allow advertisers to amass enormous amounts of data from various sources to form incredibly precise and detailed consumer profiles. And, if conducted in full transparency to consumers, it all can be accomplished legally. For mobile to continue to thrive as a next-generation communications medium, advertisers and the firms that develop and support these technologies need to take seriously their responsibility to treat consumers fairly. Otherwise, the only tracking they will know will be of them on the FTC's radar.