Skip to main content

Big Brother is Watching You (Shop For Pants): Mobile analytics firms implement code of conduct for tracking customers while they shop

Written by Jake Romero

If you’ve ever dealt with that pushy salesperson at Bed, Bath & Beyond who won’t take your word for it that you’re just browsing and not ready to commit to a high-end home espresso machine, you know that being followed around at a retail store can be unsettling and intrusive. “Unsettling” and “intrusive” are also the words that Senator Charles Schumer used to describe using mobile phones to track customer movement, a practice that an increasing number of retail outlets are beginning to implement. In response to an increase in scrutiny over the past few months, companies that enable tracking of customers through Wi-Fi enabled smartphones have published a code of conduct help bolster transparency and customer data security.

In March the New York Times profiled Euclid Analytics, which collects mobile location analytics (“MLA”) data for approximately 100 customers, including Nordstrom and Home Depot. According to Euclid’s CEO Will Smith, in some cities between 40% and 60% of users can be tracked in this manner. The information provided can include how long the customer was in the store, which parts of the store the customer visited or whether you walked by the store but declined to go in.

In July, Senator Schumer authored a letter to Federal Trade Commission Chairwoman Edith Ramirez, asking that the FTC investigate the practice of consumer tracking as an unfair and deceptive trade practice if a retailer fails “to notify shoppers that their movements are being tracked in a store or to give them an opportunity to opt out” of being tracked.

Now, in an effort to calm concerns and avoid potential onerous regulations, 8 of the 10 major MLA firms have agreed to abide by a code of conduct. The Code of Conduct will place restrictions on MLA firms, as well as the retailers who use their services. Except in certain cases where data is aggregated or not unique to the individual, companies that utilize MLA technology will be required to notify consumers that their data is being collected, and provide information about the use of the information and the company collecting it. MLA companies will be required to either limit data collection to non-unique or aggregated data, promptly de-identify personal data or obtain the consumer’s prior consent. Although the Code does not require consumers to opt-in to MLA tracking, MLA companies who collect unique or personal data will be required to allow consumers to opt-out through a central site that will be effective across all participating MLA companies. Additional restrictions in the Code further limit the use, transfer and retention of MLA data.

Although the Code is a voluntary framework, its widespread adoption could help to establish an industry standard that would help regulators like the FTC distinguish the collection and use practices of non-adopting firms as an unfair practice. In the meantime, with these guidelines in place you can focus on more important things when using your mobile device in a mall --- like whether the mall has a fountain.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.