The vendor behind the trial, a U.K. firm called Path Intelligence, pledged that "no mobile phone usernames or numbers could be accessed" and that "all we do is log the movement of a phone around an area and aggregate this to provide trend data for businesses." But what if that phone-tracking data is linked with security cameras and/or POS systems? What if a mall representative called one of its retail residents and said, "We're now tracking a woman who has spent $980 in the last hour and she has just walked into your store. For a $300 fee, I'll tell you exactly where she's standing right now. Deal?"
The mall's trial will identify a person's "location within two meters," according to a report in Australia's Courier-Mail newspaper. The idea of tracking consumers via phones is not new, but this is the largest scale trial we have seen.
Mobile, in one form or another, is at the heart of—depending on your perspective—huge data-collection advances or huge privacy disasters. Typically, it's nice on its own. But when mobile data is layered on top of other real-time data sources, the new information potential grows exponentially. Consider the Carnegie-Mellon University study about mobile interacting with facial recognition or the plan to use mobile, security cameras, POS and license plates to create the perfect retail CRM system.
At its most innocuous, the systems could theoretically do little more than count shoppers and track their movement from store to store. But that's hardly going to motivate chains to pay a lot for such data. If, however, the system collected data about what these customers did in those stores and tracked each customer over time, this effort gets much more compelling.
There's not that much reason to know the customer's name, beyond "big spender 479" or "suspected shoplifter 1348." But if there's a POS tie-in, that customer will be identified the first time she buys anything with a payment card. And as CMU proved, a camera flashing a consumer's picture could also easily link everything to a name. The mall's mobile system, though, already has the activity history.
Speaking of shoplifting suspects, one of the less-credible threats that a retailer has historically had is banning a customer for life from the chain (typically after a shoplifting incident or allegation). It lacks credibility, however, because there's little practical way to enforce it—unless the shoplifter happens to be recognized. But the type of mobile tracking that the Australian mall is using could be a practical way to enforce such bans.
Professional shoplifters could always obtain a bunch of disposable phones and leave their real one at home, but mobile-phone tracking could still be much more effective than what exists today.
On the downside, the ease of this approach could fuel overzealous Loss Prevention agents. What if the LP agent gets nervous when watching a large group of teenage boys (say 12)? A surreptitious sweep could mark every mobile signal coming from that group as "potential shoplifter." An alert could go off every time any of those signals reappears in any cooperating mall or retailer. Imagine a No-Fly List for retailers, potentially triggered by one employee.
The privacy issue here is that most laws are focused on personally identifiable information, but PII should not be merely names, numbers and addresses. CRM files care about the actions and inclinations of a consumer. As long as a retailer knows that this consumer appears to be a 25-year-old who has purchased an awful lot of formal shoes and pants today—at top prices—and who is walking over to one of its store, where it sells formal shirts, that retailer happy. If the CRM system also says that this person has never been seen making a return and typically shops between 7 and 9 PM on Wednesdays and Fridays, the retailer is thrilled and really couldn't care less if her name is Sarah Smith, Helen Jones or Mata Hari.