
Privacy Concerns Arise with Mobile Tracking in Stores

The FTC began its Spring Privacy Workshop series last week with a panel discussion on mobile device tracking in retail stores. While many panelists emphasized the benefits consumers can receive when stores track individual smartphones and other networked devices, we have concerns about consumer privacy, specifically consent requirements, retention and use limits, and data security. We hope the FTC will take these considerations into account as it grapples with the regulation and enforcement issues that retail device tracking raises.

First, a brief overview of how stores can currently track your devices. A mobile device with WiFi or Bluetooth enabled transmits a unique hardware identifier, its MAC address, while searching for nearby WiFi networks or Bluetooth devices. A store can record which MAC addresses are being transmitted in a specific area at a particular moment and build a profile of where each device was and for how long. Using analytics software, the store can then see what a particular device (and its owner) did over time, as well as general customer browsing trends and traffic patterns. One possible benefit to consumers: a customer who frequents the baking aisle of a grocery store could, over time, receive coupons for brown sugar or flour. Tracking could also help with fraud prevention and deter shoplifting.

During the workshop, business representatives argued for a gradual approach to instituting privacy protections (while asserting that they take consumer privacy and security seriously). We think such an approach could easily institutionalize subpar tracking policies across the retail sector. Retail tracking lets businesses create highly granular and comprehensive location records for individual customers, and given the sensitivity of location data, we think affirmative consent is required before a store creates an individual, long-term location profile. For short-term analytics, opt-out consent might be justified (for example, if retailers de-identify data at the device level after each store visit). However, retaining data that could track a person across multiple visits to one store, or between different stores, would surprise most consumers and should only be done with their permission.

Technical solutions could help provide a way forward. Retail tracking is enabled by the way smartphones and other mobile devices actively search for available WiFi networks: the device sends out a probe request, and a store sensor that receives that request reads the device's MAC address from it. Active scanning was never intended to be used to track an individual device over time. FTC Chief Technologist Latanya Sweeney has suggested that device manufacturers could instead default to passive scanning, which the WiFi standard already supports: the device stays silent and waits for WiFi networks to send out their periodic beacons, rather than constantly transmitting its own MAC address. The device would still accumulate a list of local WiFi networks, but a network operator would no longer be able to build a database of the devices that pass through.
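To make the mechanism in the two preceding paragraphs concrete, here is an added example (not code from the original post or from any retail analytics vendor) that parses the minimal 802.11 probe request a device sends while actively scanning, pulls the source MAC address out of it, and turns a stream of sightings from several in-store sensors into the per-device location and dwell-time profile described above. The frames, sensor names and timestamps are constructed for the example; a real phone's probe request carries more information elements, but the MAC address sits in the same place.

```python
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: bytes, ssid: bytes = b"", seq: int = 0) -> bytes:
    """Build a minimal 802.11 probe request: management frame (type 0), subtype 4.
    Constructed for this example; real frames carry additional information elements."""
    frame_control = bytes([0x40, 0x00])          # subtype 4, type 0, version 0; no flags
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", seq << 4)        # sequence number in the upper 12 bits
    ssid_ie = bytes([0, len(ssid)]) + ssid        # tag 0 = SSID (empty = wildcard scan)
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # tag 1 = supported rates
    # addr1 = destination (broadcast), addr2 = source (the device), addr3 = BSSID (broadcast)
    return frame_control + duration + BROADCAST + src_mac + BROADCAST + seq_ctrl + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID or None) for a probe request; None for any other frame."""
    if len(frame) < 24:                           # management header is 24 bytes
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0 or subtype != 4:
        return None                               # e.g. an access point's beacon (subtype 8)
    src = frame[10:16]                            # addr2: the scanning device's MAC address
    body, ssid, i = frame[24:], None, 0
    while i + 2 <= len(body):                     # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                                 # truncated element: stop, keep what we have
        if tag == 0:
            ssid = value
        i += 2 + length
    return mac_str(src), ssid


def sightings(captures):
    """captures: iterable of (sensor_id, timestamp_seconds, raw_frame).
    Returns {mac: [(sensor_id, timestamp), ...]} for every probe request seen."""
    seen = defaultdict(list)
    for sensor, ts, frame in captures:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        seen[parsed[0]].append((sensor, ts))
    return dict(seen)


def dwell_times(device_sightings):
    """Seconds between first and last sighting of one device at each sensor."""
    by_sensor = defaultdict(list)
    for sensor, ts in device_sightings:
        by_sensor[sensor].append(ts)
    return {s: max(t) - min(t) for s, t in by_sensor.items()}


def demo():
    """Constructed capture from three sensors in one store (example data, not a real trace)."""
    phone_a = bytes.fromhex("021122334455")      # locally administered address, constructed
    phone_b = bytes.fromhex("02aabbccddee")
    beacon = bytes([0x80, 0x00]) + b"\x00" * 22   # an access point beacon: subtype 8, ignored
    captures = [
        ("entrance", 0,   build_probe_request(phone_a, seq=1)),
        ("entrance", 5,   build_probe_request(phone_b, b"HomeWiFi", seq=7)),
        ("aisle-7",  60,  build_probe_request(phone_a, seq=2)),
        ("aisle-7",  90,  beacon),
        ("aisle-7",  150, build_probe_request(phone_a, seq=3)),
        ("checkout", 300, build_probe_request(phone_a, seq=4)),
    ]
    profile = sightings(captures)
    return {mac: dwell_times(s) for mac, s in profile.items()}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives phone A a 90-second dwell in aisle 7 and a path entrance, aisle 7, checkout, which is exactly the kind of record the post is concerned about; the access point's beacon, the only frame a passively scanning device would be involved with, yields nothing about any device. One caveat a practitioner should know: since this post was written, major mobile operating systems have started randomizing the MAC address used in probe requests, which weakens this specific collection method but does not affect devices that associate with a store's network.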

Absent a technical solution, better consumer notification will be necessary. Customers may not even be aware of what a store collects from their phones, tablets, or wearable devices. If stores listen for device probes without notifying consumers, personally identifying information (such as a MAC address) can be collected from consumers without their knowledge or any ability to avoid the practice. Without adequate notice and consent, customers who don't approve of what a particular store does can't "vote with their feet" and choose a business with better practices.

The Future of Privacy Forum recently introduced a Mobile Location Analytics Code of Conduct to encourage businesses to proactively protect individual privacy and security. The FPF Code uses the Fair Information Practice Principles as its organizing framework, an approach we have long endorsed. Beyond this, we support defining a specific data retention period, rather than letting each store set a retention policy of its choosing. We would also argue for stronger de-personalization of MAC address data than hashing alone. A hash function turns the address into a fixed-length digest that cannot be directly reversed, but because the set of possible MAC addresses is small enough to enumerate (and smaller still once the vendor prefix is known), anyone can compute the digest of every candidate address and match it against the stored value. As Ed Felten, a Princeton computer science professor who formerly served as the FTC's Chief Technologist, noted, merely hashing a unique identifier is not sufficient to make it anonymous.

To create strong consumer protections around device tracking, retailers will need to carefully evaluate the potential costs and benefits to both stores and customers, and the appropriate way to inform consumers of them. While adoption of the FPF Code would be an encouraging first step, allowing retailers to take a "wait and see" approach to protecting privacy could make subpar practices a fait accompli. CDT will be filing comments with the FTC to encourage the agency to take an active role in evaluating mobile device tracking practices and to ensure that businesses take steps now to protect individual privacy.