Location tracking players commit to privacy code of conduct

The FPF’s new code was developed with Senator Charles Schumer, who became interested in location tracking – particularly in the retail space – in November 2011, when reports surfaced of trials of this technology in several shopping malls in the US.

Schumer initially called on company’s to only track consumers who had opted in, however he modified his position “to require that retailers give shoppers a clear and obvious opportunity to ‘opt out’ before tracking them”.

At the signing of the code of conduct this week, Schumer said: “There is still much more work to be done and I will continue to push for privacy rights to be respected and strengthened, but this represents real progress and I thank the Future Privacy Forum and these tech companies for their hard work hammering out this agreement.”

Each of the companies that have signed up to the code use mobile device Wi-Fi or Bluetooth MAC addresses to monitor people’s movements within a given location and to develop aggregate reports for retailers based on this data.

The companies have defended their practices as privacy-compliant; Euclid, in particular, was forced to respond after Senator Al Franken objected to the opt-out nature of the company’s tracking system. Euclid CEO Will Smith explained that the firm provides a permanent opt-out process for consumers; that it never receives any information relating to names, addresses, phone numbers or emails; that it doesn’t share information on individual devices; and that no data is linked to specific individuals. It also committed to require clients to post signage alerting customers when tracking is taking place and to inform them of how to opt-out.

Smith said this week: “Privacy has always been a priority as we’ve designed and built our services, and we have been working diligently with FPF to release best practices for the retail analytics industry as a whole.”

Under the FPF code, companies that collect data through this technology must limit how the information is used and shared and how long it may be retained. The code mandates that companies de-identify the data and explain in their privacy policy how they do so. Companies are required to get opt-in consent when personal information is collected, or when a consumer will be contacted. The code calls for opt-out consent where the information collected is not personal. In addition, this data cannot be collected or used in an adverse manner for employment, healthcare or insurance purposes.