Stores are tracking your every move via your cellphone

Kristin McGrath

October 25, 2013

As Black Friday of 2011 approached, two shopping malls (one in California and one in Virginia) announced plans to track holiday shoppers via their cellphone signals as they moved from store to store. The backlash from consumers was swift, and both malls canceled their plans. Score one for privacy, right?

Actually, probably not.

Since then, other businesses have quietly begun tracking their customers to keep tabs on the paths they take through their store, how much time they spend in the aisles and which displays cause them to linger. Any customer carrying a smartphone and using the store’s Wi-Fi can be tracked, regardless of whether they’re using the store’s shopping app.

If you’re already a fan of mobile payment applications and digital loyalty programs (which know when you’re inside a store and give you discounts based on your shopping habits), that news is probably worth no more than a shrug and a sigh of “big deal.” The information collected is generally anonymous, after all.

But if you’re creeped out and reaching for your tinfoil hat, here’s what you need to know about these stores’ surveillance programs — and how you can opt out of them.

How it works
The surveillance, which is completely legal, begins when you connect to the store’s Wi-Fi network. The surveillance system then stores your phone’s media access control (MAC) address, a unique identifier for your device. At that point, the store can track your phone (i.e., you) around the store. If you come back, the system recognizes your MAC address and therefore knows you’re a repeat customer.

Stores generally rely on third-party companies to set up their surveillance systems and collect the data. These companies also often provide video surveillance systems that follow customers’ paths via camera (which gives the store information such as gender and estimated age). You can get a better idea of how all this works by watching this video from the New York Times.

Who’s doing it?
A slew of retailers, including Home Depot and Family Dollar, are using cellphone-tracking (aka mobile location analysis) technology. According to the New York Times, smaller merchants (and even coffee shops) are as well. Copenhagen International Airport has been doing it for years. Nordstrom gave it a shot, but when it posted signs warning customers about its program, shoppers pushed back, and the store axed its tracking system.

A push for privacy
In October 2013, U.S. Senator Charles Schumer, along with several of the third-party tracking companies, created a “code of conduct” for mobile location analysis technology. The code applies only to companies that collect personally identifying information about shoppers — in other words, information that allows the store to know who you are and enables it to get in touch with you. Stores that are simply using phones’ Wi-Fi signals to track customers anonymously and immediately stripping identifying information from the data that is being stored are exempt.

According to the code, third-party companies that collect identifying data must:

  • Provide notice: This involves providing a detailed privacy policy on their websites. They must also “take reasonable steps” to ensure that the retailers using their technology post signs in their stores. As TechCrunch points out, this is a pretty big loophole, as nothing in the code of conduct requires merchants to notify customers: The third-party companies are only required to ask the stores nicely to do so.
  • Give a chance to opt out: Companies collecting data on behalf of stores must give customers a way to opt out. The centralized opt-out system isn’t live yet, but should be in a few months. Opting out will most likely involve calling a number or visiting a website, providing your phone’s MAC address and saying you don’t want it tracked. It will likely function similarly to registering with the National Do Not Call Registry.

Again, the above code of conduct applies only to the collection of identifying information. If you’re uncomfortable with stores collecting anonymous information (or any kind of tracking in general), it will do little to protect you. Plus, the code does not stipulate any punishments for companies that fail to comply. Although several of them have opted in to the code of conduct, nothing is forcing other companies to do so.

What if I find this all super creepy?
If merchants collecting data on you makes your skin crawl, the tide is turning rapidly against you. In fact, online merchants have been collecting information on you for years, from what you buy to which sites you visit next. Yet those concerned about their privacy always had the option of visiting a store and paying in cash. These in-store tracking programs erode that privilege quite a bit for anyone carrying a Wi-Fi-enabled phone (and who doesn’t, these days?).

Still, you have options. Even before Sen. Schumer’s code of conduct, third-party mobile location analysis companies have given customers the opportunity to opt out of monitoring. For example, Euclid (the company Nordstrom used) and Mexia Interactive (another monitoring company) both have Web pages that let consumers opt out by providing their MAC addresses. Both sites also contain detailed instructions for locating your MAC address. Of course, until the centralized opt-out site described in the code of conduct is up and running, you’d have to engage in a game of opt-out Whac-A-Mole and tell all these companies (and there are many) that your MAC address is off-limits.

In the meantime, if you’re looking for a sure-fire way to shop anonymously, there’s an even simpler solution — disable your phone’s Wi-Fi when you hit the stores.
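To make the "How it works" and opt-out descriptions above concrete, here is an added sketch (not code from the article or from any tracking company) of what a MAC address alone reveals and how an opt-out list has to be applied before anything is stored. The record layout (timestamp, MAC, store zone), the function names and all sample data are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if malformed.
    Accepts AA:BB:CC:.., aa-bb-cc-.. and aabb.ccdd.eeff spellings."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None

def summarize_visits(sightings, opt_outs):
    """Return {mac: [(date, dwell_minutes, zones_in_order), ...]}.
    Opted-out and malformed addresses are discarded before grouping."""
    blocked = {m for m in map(normalize_mac, opt_outs) if m}
    per_day = defaultdict(list)
    for stamp, raw_mac, zone in sightings:
        mac = normalize_mac(raw_mac)
        if mac is None or mac in blocked:
            continue  # an opt-out only works if every spelling matches
        when = datetime.fromisoformat(stamp)
        per_day[(mac, when.date())].append((when, zone))
    visits = defaultdict(list)
    for (mac, day), seen in sorted(per_day.items()):
        seen.sort()
        dwell = int((seen[-1][0] - seen[0][0]).total_seconds() // 60)
        # Collapse consecutive sightings in the same zone into one step.
        path = [z for i, (_, z) in enumerate(seen)
                if i == 0 or z != seen[i - 1][1]]
        visits[mac].append((day.isoformat(), dwell, path))
    return dict(visits)

def repeat_customers(visits):
    """Devices seen on more than one day: the 'repeat customer' signal."""
    return sorted(mac for mac, days in visits.items() if len(days) > 1)

# Constructed sample data: two devices, one of which has opted out.
SIGHTINGS = [
    ("2013-10-21T10:00:00", "AA:BB:CC:00:11:22", "entrance"),
    ("2013-10-21T10:04:00", "aa-bb-cc-00-11-22", "tools"),
    ("2013-10-21T10:19:00", "aabb.cc00.1122", "tools"),
    ("2013-10-21T10:25:00", "AA:BB:CC:00:11:22", "checkout"),
    ("2013-10-24T17:30:00", "AA:BB:CC:00:11:22", "entrance"),
    ("2013-10-24T17:42:00", "AA:BB:CC:00:11:22", "garden"),
    ("2013-10-21T11:00:00", "DE:AD:BE:EF:00:01", "entrance"),
    ("2013-10-24T12:00:00", "de:ad:be:ef:00:01", "paint"),
    ("2013-10-21T11:05:00", "not-a-mac", "entrance"),
]
OPT_OUTS = ["DE-AD-BE-EF-00-01"]  # submitted in yet another spelling
```

Without normalization, the opt-out entry above would not match either spelling the device was logged under, and the device would still be tracked across both days.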