The tech companies signing onto the new self-regulatory code track users' physical movements by their phones' Media Access Control (MAC) address -- 12-digit identifiers assigned to any device that's capable of connecting to the Web. The tech companies then offer aggregated information about shoppers to stores, which use the data for analytics. For instance, store managers can glean traffic patterns from the data, and then adjust staffing. Companies currently can't track people who turn off their WiFi and Bluetooth capabilities.
Consumers also can opt out of the location tracking by some tech companies by entering their MAC address at a site operated by the company.
But the new code of conduct calls for a one-stop opt-out site, where consumers can enter their MAC address and decline to be tracked in stores. Companies signing on to the new code include Euclid, iInside, Mexia Interactive, SOLOMO, Radius Networks, Brickstream and Turnstyle Solutions.
The self-regulatory code also requires the analytics companies to take steps to make sure the information can't be linked to an individual, such as replacing the original MAC address with a new string of characters. The new rules require opt-in consent before analytics companies link personal information to device identifiers, and before anyone contacts consumers based on the location-analytics data.
Sen. Chuck Schumer (D-N.Y.) and the think tank Future of Privacy Forum helped to forge the new code, announced on Tuesday.
Euclid, which is one of the larger location tracking companies, came under scrutiny earlier this year after reports surfaced that the company tracks consumers in Nordstrom and Home Depot. Sen. Al Franken (D-Minn.) specifically criticized Euclid for its opt-out approach, stating that such a system “doesn't meet the standard of privacy Americans should be able to count on.”
In general, privacy advocates say that location tracking should require opt-in consent.
But Jules Polonetsky, executive director and co-chair of the Future of Privacy Forum, says that an opt-in approach wouldn't draw enough people for analytics companies to reach meaningful conclusions. “It's hard for policy makers to understand that analytics is not an opt-in business,” he says.