For better or worse, we’re used to being tracked online. We’re sharing data—in that loose way where “sharing” means doing something that somehow adds another data point to a server somewhere—all the time. And retailers have been in the data-gathering game for a long time. The more they can collect about customers, the better they can advertise, tweak the environment, and convince you to buy things. When it comes to tracking shoppers, online stores like Amazon have an advantage, but physical businesses—like department stores and supermarkets—are trying to keep up. And in the process they’re amping up their customer surveillance.
Consider one of the companies, Euclid, that offers in-store tracking services. Euclid—a venture-backed startup that describes itself as “Google Analytics for the physical world”— uses small sensors installed in their client’s stores to track the signals from Wi-Fi enabled smartphones. Through this signal they collect the location of your phone in and around the store, your device’s unique MAC address, and the manufacturer code (Apple, Samsung, Motorola, etc.).
They then use the data to provide reports to clients containing information based on a variety of metrics: “capture rate” (how successful window displays are at pulling people into the store); number of customers inside the store; customer visit duration and frequency; customer location within the store; people who walk by the store without coming in; and the amount of foot traffic around the store. As Megan Garber at the Atlantic explains, physical retailers might also know much more about you—including personal info like age, gender, and mood—by using different services and surveillance technologies. “Through video of your movements through the store, and images of your facial expressions as you do that moving, and facial recognition software that analyzes those expressions, stores are attempting to recreate in the physical world the paths of digital breadcrumbs customers leave as they explore websites,” she writes.
And one firm, NEC IT Solutions, is using facial recognition tools to help salespeople in upscale stores spot celebrities and other VIPs if they walk through the door. That way the rich and famous are never mistreated.
Euclid is only one among many companies that offer tracking and analytics to brick-and-mortar stores that are trying to keep up with and surpass their digital competitors. These companies have had to deal with some criticism from concerned shoppers. Last May, for instance, the department store Nordstrom canceled their use of Euclid after receiving negative feedback triggered by signs the store installed alerting people to the tracking.
Several of these in-store tracking companies are trying to head off complaints and legal troubles by creating a set of “best practices.” To accomplish this they announced—in a joint statement released last Tuesday—that they would be working with the Future of Privacy Forum, a research and advocacy group. The goal is to ensure that the technologies are “subject to privacy controls and are used responsibly to improve the consumer shopping experience.”
The Future of Privacy Forum is primarily underwritten by corporate money, much of which originates from the tech sector—Facebook and Google are listed. Companies that use in-store tracking services, such as Nordstrom and other big box department stores, are also supporters. Euclid, too, is a donor. FPF is, in a way, attempting to occupy a hybrid space between independent advocacy and industry groups. Jules Polonetsky, director of FPF, told me that they “are often more optimistic about the positive values of smart data use than some [advocacy groups] who may be more skeptical of industry promises.” However, Polonetsky says that FPF champions some positions, like Do Not Track, that many of their donors do not agree with. So, it’s easy to see why the in-store trackers would choose to work with a sympathetic, but credible, group like FPF as their go-to source for privacy consulting
But can this type of self-regulation actually protect consumer privacy and make our personal data secure? History suggests that we should be skeptical. The title of a 2005 report from the Electronic Privacy Information Center says it all: “Privacy Self Regulation: A Decade of Disappointment.” An FTC report from last year also pointed out the numerous failings of privacy self-regulation.
“Self-regulation in its purest form is a recipe for disaster. There are simply too many incentives to violate privacy interests and too little transparency to know what’s going on,” says Woodrow Hartzog, a privacy lawyer at Samford University and affiliate scholar with Stanford’s Center for Internet and Society. Perhaps FPF and the tracking companies will do a great job of drafting up a best practices document. However, Hartzog believes robust privacy protections will require a “patchwork of regulation, [consumer] education, and organizational responsibility.” In the mean time, going out to shop might not be all that private of an activity, even if you do stick to cash.