While online “tracking” using cookies, web beacons, and similar technologies has captured the attention of regulators and the plaintiffs’ bar over the last decade, recent articles in Forbes and the New York Times make clear that offline tracking is also evolving. Using technological methods beyond the traditional loyalty program, this new offline tracking has potential privacy implications.
The New York Times and other news organizations have devoted attention to offline tracking in shopping malls and other retail contexts, in which merchants attempt to get a better understanding of the traffic in their stores, consumers’ reactions to the display of merchandise and other shopping behaviors. This post focuses on airports (increasingly a shopping venue, as well as a transportation hub). It appears that a number of airports have adopted offline tracking systems to enable the airport to understand passenger patterns and trends, improve capacity management, provide real-time information about the airport (e.g., wait times at security lines) and understand retail behavior. These systems detect Bluetooth or WiFi signals emitted from smartphones and tablets to track passengers within the airport. The systems do not “pair” with the device, and thus the only data that they collect is the unique device identifier (UDID). One of the providers of these systems has informed me that their sensors use a one-way hash of the UDID, converting it at the sensor level to a string of numbers that would be difficult to convert back to the original UDID.