Under a new self-regulatory code released earlier this week, brick-and-mortar retailers that track customer in-store movements using mobile phone WiFi signals must disclose the practice to customers and allow them to opt out.

The code was created by the Future of Privacy Forum (FPF) and a group of mobile analytics companies.  It was announced jointly by the FPF and by Sen. Charles Schumer, who in July called on the Federal Trade Commission to require retailers to allow customers to opt-out of the tracking.   Sen. Schumer praised the code as a significant step forward, but noted there is “still much more work to be done.”

Tracking customer mobile phones has become increasingly popular among retailers, because it allows stores to gather analytics on the activities of shoppers as they move through their stores.  That data can be used to improve a store’s layout, adjust the timing of sales and discounts, and change staffing levels based on customer needs.  But the practice has drawn scrutiny from privacy advocates and from lawmakers.  Earlier this year, Sen. Al Franken asked one mobile analytics company to adopt an opt-in approach for its tracking program.

The code, available here, is aimed in large part at the mobile analytics companies that provide the tracking software.  Under the code:

  • Retailers are to display conspicuous signs, using a standard symbol or icon to indicate that they collect mobile location analytics data.  The sign also must indicate where customers can gain additional information about the practice.  It suggests the following model language: “To learn about use of customer location and your choices, visit www.smartstoreprivacy.com.”
  • The analytics company must provide a detailed privacy notice at its website describing the information it collects in-store and the services it provides.  That notice should be separate from, and in addition to, the notice describing information collected by the website itself.  The notice should include: (1) information collected, (2) steps taken to protect, de-identify, or de-personalize tracking identifiers and a statement of commitment to not re-identify data, (3) a data retention statement, (4) information about data sharing, including law enforcement access, (5) a description about whether data is provided to clients in individual or aggregate form, (6) a disclosure about appending additional data to any unique user profile, (7) how consumers can exercise any choices required under the code, (8) how consumers can contact the analytics company with privacy questions, and (9) a consumer-friendly description of how the technology works, or a link to such information.
  • Customers must also be allowed to opt-out of tracking.  Telling customers to turn off their mobile devices or to turn off their WiFi signals if they do not want to be tracked are not considered effective opt-out mechanisms.
  • The notice and choice requirements do not apply if the information collected is not unique to an individual device or user, or it is promptly aggregated.  However, these requirements do apply to analytics companies that collect and retain device-level information, even if they provide only aggregated data to retailers.
  • A customer’s affirmative consent is required if: (1) the analytics company will maintain personal information linked to a mobile device identifier, or (2) a customer will be contacted based on the analytic information.
  • Companies must limit the collection of data, limit the retention of data, and contractually require that third parties using the data adhere to the Code.  An industry-wide website will also be created to educate consumers how the analytic tracking works.