FTC acts less like chief regulator, more like editor-in-chief

Just because you have a stick, that does not mean you should always use it to hit someone. This commonsense idea seems to have been lost on the Federal Trade Commission (FTC), which recently decided to bring and settle a case against Nomi Technologies, an in-store retail analytics company, for doing nothing more than including a single, incorrect statement in its privacy policy — an insignificant error that caused no harm to anyone.

Nomi is one of a handful of companies that have pioneered an innovative technique of using the wireless signals emitted by consumers’ phones to take a digital headcount of shoppers in retail stores. The company uses this information to offer insights to retailers about consumer traffic patterns, such as the duration of visits, number of repeat customers, and the percentage of consumers who passed by the store without entering it. Retailers can then use these insights to measure the effectiveness of product offerings, promotions, displays and the set-up of their stores. Consumers benefit because retailers use these insights to create better shopping experiences.

{mosads}In the eyes of the FTC, Nomi erred badly when it included a partially incorrect statement in its privacy policy about how consumers could opt out of data collection at retail locations — an option that Nomi was under no legal obligation to provide. For nine months, its privacy policy stated: “Nomi pledges to … always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology” (emphasis added). This was Nomi’s mistake, because while its website offered consumers the ability to opt out of data collection at its retail partner locations, none of those retailers offered consumers a separate, in-store, opt-out mechanism. Therefore, due to what was probably a lawyer’s mistake in writing Nomi’s privacy policy, the FTC has chosen to take Nomi to the woodshed for making an inaccurate statement, despite the fact that it caused no material harm to consumers. It is worth emphasizing again that the FTC did not object to the tracking itself, only the false statement about the existence of a secondary opt-out mechanism.

Notably, the FTC has provided absolutely no evidence to suggest that any consumers were even affected. It is quite possible that this is a victimless crime. Only 3,840 consumers even downloaded Nomi’s privacy policy. Of that group, how many read the relevant portion of the policy, chose not to opt out of all tracking, visited at least one retail partner, carried a mobile phone and wanted to opt-out at a particular store? The population of potentially affected consumers is miniscule. And even if there were one or two consumers who met these criteria, the worst thing that could happen to them is that they were tracked without knowing — a practice that is entirely legal.

To settle the case, the FTC has proposed a 20-year consent decree. The FTC is not asking Nomi to pay any civil penalties. Instead, it simply requires Nomi to correctly represent its notice and choice policies in the future and to notify the FTC of any new policies, compliance failures and consumer complaints.

Regulators have to learn that innovation, by its very nature, involves risks and mistakes. Tech companies publish written policies describing their products and services, but due to the rapid pace of change, these descriptions can fall out of sync with the latest versions. While companies certainly should strive to keep these updated, in the race to innovate it is not surprising that occasionally something will get overlooked. They should not face punitive measures for actions that were taken in good faith and did not cause consumer harm.

To be clear, Nomi should not have made this mistake. But rather than bringing a case and settlement against the company, the FTC should have shown some regulatory restraint by simply notifying it and then following up to verify they corrected the problem. Instead, the FTC has done the equivalent of calling in the SWAT team to take down a driver for failing to signal. This is a waste of valuable agency resources that could be better spent pursuing cases involving actual consumer harms. Ironically, the FTC’s proposed settlement offers little value to consumers: It does not force Nomi to adopt an in-store opt-out mechanism, but rather allows the company to remove the line from its privacy policy listing that option.

On the plus side, some of the commissioners at the FTC seem to understand this is not the way to operate. In a rare occurrence for a case like this, the commission split 3-2 in its vote to issue the complaint and accept the proposed consent order. Commissioners Maureen Ohlhausen and Joshua Wright both issued dissenting statements stating that the FTC should have shown more restraint.

While the FTC’s proposed settlement terms are somewhat restrained, by formally taking action when there was no injury to consumers, the FTC is effectively encouraging companies to devote more resources on lawyers and less on delivering value to consumers, including privacy-enhancing technologies. After all, companies like Nomi would be better off providing no privacy guarantees to their consumers, because then they would not fall victim to gotcha-style regulatory enforcement actions.

Castro is the vice president for the Information Technology and Innovation Foundation (ITIF). McQuinn is a research assistant at ITIF.