Senator unveils plan to restrict tracking of your location data in retail stores, backed by industry

Shoppers in a mall (Credit: Solomo)

For several years, browser companies and privacy advocates have struggled to establish a universal "do not track" standard that would allow Internet users to click one button and opt out of having their online histories tracked and used by companies, which use the information to offer personalized advertisements. But what's to stop companies from tracking our movements and activities in real life, especially now that they have access to cheap motion sensors, and now that many of us carry location-aware devices with us at all times in the form of mobile phones? New York's Democratic Senator Chuck Schumer has an answer to that: let the companies regulate themselves.

Earlier today, he announced a voluntary new "code of conduct" that governs how analytics companies can use the data they are increasingly collecting about our movements and activities through brick-and-mortar retail stores. Already, at least seven major retail analytics companies have signed on to the voluntary code: Euclid, iInside, Mexia Interactive, SOLOMO, Radius Networks, Brickstream and Turnstyle Solutions. Though the list contains no household names, the firms involved represent some of the leading providers of consumer movement and behavioral data to major retail chains and advertisers. For example, Euclid's website boasts that it "senses smartphones and lets you see how shoppers flow through your store, their visit duration, and return shopping patterns."

In order to ensure that the data these companies are collecting is used properly, Schumer — who has been notoriously protective of New York consumers in the past, sometimes arguably to the extent of being overzealous — partnered with The Future of Privacy Forum, a self-described "DC think tank that seeks to advance responsible data practices." The code sounds pretty good when it comes to consumer privacy, at least on paper: it says that the companies should provide "clear, short, and standardized" privacy notices online and in retail stores explaining to customers what data they are collecting, and should collaborate on a single-stop website where customers can opt out of having their phones used as behavioral tracking devices.

But there are some big caveats to how effective this code can be. First and foremost is that it is entirely voluntary and not legally binding, meaning companies can choose to disobey or skirt it any time, without any real repercussions for their business, other than bad PR. Secondly, the code expressly states that companies don't actually have to tell consumers that they are collecting any data about them as long as it is "anonymized," or stripped of any personally identifiable information (or used primarily in aggregate, with other shoppers' info). Finally, The Future of Privacy Forum, the main "advocacy group" leading the charge to coordinate these standards, has been called out before for being little more than a front for the telecommunications industry. That's not to say the new code is doomed from the start, just that it's ultimately only as helpful to consumers as the companies backing it want it to be.