That means the government will ask for—and Congress might insist on—extensive additional limits on using and even collecting such data. If a chain is going to collect specific geolocation data, the retailer needs to do more than inform those shoppers, said Peder Magee, an attorney in the FTC's division of Privacy and Identity Protection. "You need to ask for permission," he said.
Other than placing tempting geolocation info in the sensitive category and stressing that focusing on any one shopper—even if that shopper is never associated with a name—is also discouraged, the report was actually quite supportive of current retail CRM practices. Contrary to some reports, the FTC didn't propose that retailers delete data right after a transaction or that shoppers need to be able to see what data a retailer has about them.
The government report did come down heavily on data brokers—which is nothing new—but it acknowledged that retailers have a right to collect CRM data and that such chains should be exempt from additional hardships. "Companies do not need to provide choice before collecting and using consumers' data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer," which Magee said was referencing the typical retailer-shopper relationship.
"We treat differently the one-on-one relationships with a retailer. That's more transparent, obvious, intuitive," he said.
The report offered a few examples, referring to "choice" when it was referencing the obligation of a retailer to give shoppers the choice of whether or not such data can be captured. "The Commission has previously noted that online retailers and services such as Amazon.com and Netflix need not provide choice when making product recommendations based on prior purchases. Thus, if Amazon.com were to recommend a book related to health or financial issues based on a prior purchase on the site, it need not provide choice," the report said. "However, if a health Web site is designed to target people with particular medical conditions, that site should seek affirmative express consent when marketing to consumers."
The report also shared retailer concerns about the practical and pragmatic aspects of getting permission, especially in-store. Several people the commission staff talked with "discussed the offline retail context and noted that cashiers are typically unqualified to communicate privacy information or to discuss data collection and use practices with customers. One commenter further discussed the logistical problems with providing such information at the point of sale, citing consumer concerns about ease of transaction and in-store wait times."
The report also talked about "the impracticality of offering and obtaining advance consent in an offline mail context, such as a magazine subscription card or catalogue request that a consumer mails to a fulfillment center. In the online context, one commenter expressed concern that 'pop-up' choice mechanisms complicate or clutter the user experience, which could lead to choice 'fatigue.' Another commenter noted that where data collection occurs automatically, such as in the case of online behavioral advertising, obtaining consent before collection could be impractical."
The report stressed the need to give retailers a lot of flexibility to deal with privacy concerns in the context of their businesses."Rather than a rigid reliance on advance consent, commenters stated that companies should be able to provide choice before collection, close to the time of collection or a time that is convenient to the consumer. The precise method should depend upon context, the sensitivity of the data at issue and other factors," the report said. "In some contexts, however, it may be more practical to communicate choices at a later point. For example, in the case of an offline retailer, the choice might be offered close to the time of a sale, but in a manner that will not unduly interfere with the transaction. This could include communicating the choice mechanism through a sales receipt or on a prominent poster at the location where the transaction takes place. In such a case, there is likely to be a delay between when the data collection takes place and when the consumer is able to contact the company in order to exercise any choice options. Accordingly, the company should wait for a disclosed period of time before engaging in the practices for which choice is being offered. The Commission also encourages companies to examine the effectiveness of such choice mechanisms periodically to determine whether they are sufficiently prominent, effective and easy to use."
Beyond geolocation data, one other area that concerned the FTC was facial recognition systems in public places, such as at large shopping malls.
"The ability of facial recognition technology to identify consumers based solely on a photograph, create linkages between the offline and online world, and compile highly detailed dossiers of information, makes it especially important for companies using this technology to implement privacy by design concepts and robust choice and transparency policies," the report said. "Such practices should include reducing the amount of time consumer information is retained, adopting reasonable security measures and disclosing to consumers that the facial data they supply may be used to link them to information from third parties or publicly available sources."
The report then zeroed in on customized digital signage that is tied into mobile or facial recognition systems.
"For example, if a digital sign uses data enhancement to deliver targeted advertisements to viewers, it should immediately delete the data after the consumer has walked away. Likewise, if a kiosk is used to invite shoppers to register for a store loyalty program, the shopper should be informed that the photo taken by the kiosk camera and associated with the account may be combined with other data to market discounts and offers to the shopper. If a company received the data from other sources, it should disclose the sources to the consumer," the report said.
What's the significance of this FTC report? On the one hand, not much, given that these are merely guidelines with no enforcement muscle. But that's not realistic. First, as consumer groups try and push privacy limits, this FTC report—which seems to strike reasonable compromises between privacy advocates and retailers—is likely to be seen as an acceptable benchmark.
Of potentially greater concern are congressional efforts to pass retail-oriented privacy laws. Members of both parties might look to the report as a good starting point for legislation that would have enforcement powers. Also, even if no one follows these guidelines, the FTC itself certainly will take them seriously. If a chain is brought before the FTC for any matter, compliance with these guidelines would certainly be helpful.