Last week, the Federal Trade Commission held the first of its three spring workshops, focused on mobile device tracking.  Mobile tracking has gained increasing attention in recent years, as some brick and mortar retailers have begun tracking the signals emitted from customer smartphones in an effort to better understand shopping habits and patterns.  For instance, the data collected can help retailers learn how long a customer spends in their store, the path the customer takes through the store, how long the customer dwells in each area, and whether the customer is new or returning, among other information.

But the practice also has raised privacy concerns.  In recent months, the industry has responded to those concerns by creating a code of conduct and by announcing that customers can opt-out of such tracking.  The FTC workshop marked the agency’s first foray into the specifics of the technology.  We provide four key takeaways after the jump.

1.  The FTC is Still Getting To Know This Technology

The two-hour workshop began with a presentation by Ashkan Soltani, an independent researcher and consultant who provided an overview of the devices that track a user’s location.  As he explained, smartphones have a series of antennae that can be used to track location, including GPS, Wifi, bluetooth, and GSM signals.  Each has a persistent unique ID, and retailers can track the IDs of devices that come into their store to learn the location habits of shoppers. While bluetooth tracking is the most accurate, Soltani said that most retailers use Wifi tracking because it is easier and more cost effective to track as compared with other sources.

Soltani also outlined a series of concerns raised by collecting data from these signals, which are heightened because in many cases the collection can be invisible to the consumer absent notice.  Currently, there is no way for a company to know if it is tracking a device that belongs to an adult, or one that belongs to a child, Soltani said.  There also are no clear standards on data retention, which can become an issue when law enforcement or private litigants—he cited divorce attorneys as one example—become interested in the data collected. 

2.  Notice And Choice Are Important….

Throughout the workshop, the FTC attorneys focused on how mobile device tracking fits into the agency’s privacy by design framework, including providing notice to customers.  At first, agency attorneys asked if there was “something unique” about the practice that required notice.  But as the discussion continued, FTC representatives focused on how retailers can provide transparency about their analytics practices, how retailers can notify customers of the tracking, and precisely where the signs that provide notice in a retail store can or should be placed.  

Mallory Duncan, Senior Vice President and General Counsel of the National Retail Federation, suggested that signs notifying consumers of mobile device tracking may not be necessary because customers generally already are aware that retail stores monitor their behavior for certain purposes, such as theft prevention.  He and others stressed that all retailers have an incentive to preserve the trust of their customers, but Duncan said that requiring the retailer to put up signs was “a bridge too far,” he said.  Other panelists suggested at least some retailers are willing to use signs to notify consumers of tracking, including stressing that the new industry code of conduct requires retailers to provide notice via signs, and that the industry just announced an opt-out to provide choice.  Glenn Tinley, founder of Mexia, said that his company’s clients—which include airports and shopping malls—are adding signs notifying consumers of mobile device tracking alongside existing signs notifying customers of codes of conduct and other issues.

The FTC also asked about data retention practices.  Stores typically maintain data for some period of time, which allows them to determine a customer who walks through the doors is a first-time visitor or a repeat shopper.  There was no clear consensus among the panelists on how long that data is or should be retained.  James Riesenbach, CEO of iInside, said that the turnover of mobile devices is so frequent that there is a limited lifespan of use for the data, which may lessen these concerns.

3.  … But Bigger Concerns May Lie Ahead

For now, most retailers receive aggregate reports from analytics companies, which do not provide information to the retailers about individual shoppers.  However, one of the biggest concerns that Soltani identified in his presentation was “convergence” of information obtained through mobile device tracking with information obtained through other sources.

Retailers are currently collecting information in a relatively non-invasive way for a relatively non-invasive purpose, said Seth Schoen, Senior Staff Technologist at the Electronic Frontier  Foundation.  But he noted that other companies may want to combine a customer’s location information with other information they have on a customer, such as information they know through the user of loyalty cards or other means.  That provides a highly detailed picture of an individual shopper, something Schoen identified as a “big picture and long term” issue.

4.  Solutions May Go Beyond Retailers, To Tech Industry

Schoen argued the real issue is not the retailers who want to use this data, but the technology companies that agreed to include persistent device identifiers in phones in the first place.  Those identifiers can be beneficial to consumers—who are likely to want the shorter check-out lines and easier access to some shopping information that tracking information can help provide—but there is no way to change them for now.  Schoen argued phones should come with a “change my Mac ID” button, to make the identifier less persistent.  In addition, Schoen suggested mobile device applications should be prevented from reading unique device IDs, to ensure users information remains private. 

Other panelists encouraged the FTC to stick closer to the issue at hand.  Riesenbach urged the agency to separate out “what is theoretically possible” from “what is practical and market-driven today.”  If retailers engage in tracking in a way that violates the trust of their customers, they will “be punished by the market more than anything else,” he said.