While online “tracking” using cookies, web beacons, and similar technologies has captured the attention of regulators and the plaintiffs’ bar over the last decade, recent articles in Forbes and the New York Times make clear that offline tracking is also evolving. Using technological methods beyond the traditional loyalty program, this new offline tracking has potential privacy implications.
The New York Times and other news organizations have devoted attention to offline tracking in shopping malls and other retail contexts, in which merchants attempt to get a better understanding of the traffic in their stores, consumers’ reactions to the display of merchandise and other shopping behaviors. This post focuses on airports (increasingly a shopping venue, as well as a transportation hub). It appears that a number of airports have adopted offline tracking systems to enable the airport to understand passenger patterns and trends, improve capacity management, provide real-time information about the airport (e.g., wait times at security lines) and understand retail behavior. These systems detect Bluetooth or WiFi signals emitted from smartphones and tablets to track passengers within the airport. The systems do not “pair” with the device, and thus the only data that they collect is the unique device identifier (UDID). One of the providers of these systems has informed me that their sensors use a one-way hash of the UDID, converting it at the sensor level to a string of numbers that would be difficult to convert back to the original UDID.
These systems assist airports in their efforts to be more efficient and more passenger-centric, and they provide a great example of how “big data” can lead to societal benefits and enhanced customer engagement. But they also raise privacy issues that might not fit neatly into the notice-and-choice framework that (notwithstanding the FTC’s recent efforts) still is the predominant model of privacy protection in the U.S.
In my own travels, I can’t recall seeing any notices at airports informing passengers that such tracking was taking place; nor have my inquiries yielded any examples of disclosures being made. But what kind of disclosure, if any, is required? And if a disclosure were made, how could it be made to passengers without alarming them? (The New York Times article on retail tracking suggests that such notices can lead to negative consumer reactions.)
A notice where the data is being collected — i.e., in the airport itself — would better match current privacy best practices and regulatory guidance. The notice could be made more effective through the development of an industry standard icon that indicates that tracking is taking place (e.g., something like my illustration above). For airports, the adoption of such a symbol could be achieved through an organization like the Airports Council International. Airports could post the tracking icon signs throughout the airport, in a way similar to the notices informing passengers of free WiFi. Passengers seeing the tracking notices would then have the option of switching off their WiFi and Bluetooth signals and/or visiting the airport’s website to learn more about the data collection, use and security measures being used at the airport.
Also difficult is the question of whether passengers even have privacy rights in this information that is collected by airports. For example, whether the UDID is “personal data” or “personally identifiable information”—typically the touchstone for legal privacy protection—is debatable. Clearly the UDID on its own would not fall within the definitions of various privacy and data security statutes, such as the “personally identifiable information” definitions under State data security and breach notice laws in the U.S. However, in the online context, the collection and use of persistent identifiers such as static IP addresses and cookie IDs has been the subject of much controversy regarding tracking, and these offline tracking efforts might be said to replicate exactly the kind of tracking of consumers that takes place online. The undisclosed use and disclosure of a smartphone’s UDID has proven controversial, for example, in the public outcry and litigation associated with app developers’ transmission of UDIDs to owners of third-party advertising companies. Moreover, the FTC indicated in its 2012 privacy report that it will apply the same principles to online and offline practices.
Analysis of the privacy issues raised by airport tracking requires an understanding of what organizational measures are being used to keep the UDID tracking data truly non-personally identifiable and what data combinations, usage and sharing practices the airports and system providers are involved in. For example, if the UDID tracking data is being associated with other passenger data, then the tracking data could identify patterns of behavior by an identified passenger. Airports have apps, loyalty programs, video cameras, and WiFi service logins, so there is definitely the potential for the combination of the tracking data with other data sets held by an airport. There also would be opportunities for sharing the data with others, such as retailers, airlines and hotels, which would raise additional privacy issues.
However, if the UDID tracking data is subject to technical measures to protect the data, is not combined with other data sets and is only being used internally within the airport by a select team of data scientists, then this would support arguments that the collection and use of the data may present little privacy risk.
* * *
So there is no simple answer on what privacy protections are required, but it is certainly something that should be analyzed by airports employing offline tracking.
There are many potential benefits from offline tracking, and perhaps one day consumers will expect that such tracking is happening as a default wherever we may choose to drive, shop or fly. But until such time as offline tracking becomes an accepted universal practice, it would be prudent for businesses, like airports, to give careful consideration to what privacy practices are appropriate and effective.