By Joseph Titlebaum
Chief Legal and Privacy Officer

As a longtime corporate general counsel, I have long thought that the “golden rule” of compliance is a simple thought: “Say What You Do and Do What You Say.” It is practically a palindrome. And it was the failure to follow this simple maxim that led to one promising tech start-up’s April 23 settlement with the FTC.

The problem was simply that the company’s privacy policy promised certain methods of opting out of the company’s tracking services – not all of which were in fact available. It is this failure to live up to promises made to the public that the FTC finds most objectionable – and it should serve as a reminder that inaccurate privacy policies can lead to expensive investigations and potential governmental liability.

Some factual background: Nomi Technologies, an interesting New York-based tech start-up (full disclosure: friends work there), provides a technology that allows brick-and-mortar retailers to track how customers travel through their stores by tracking a hashed version of the Media Access Control (MAC) identifier of customers’ mobile devices. Nomi does not track personally identifiable information relating to consumers, and shares only aggregated data with its retail store clients. The information provided is valuable to retailers – and consumers – as it enables retailers to better understand consumer behavior and create a retail environment more responsive to consumer needs.

The FTC’s complaint against Nomi related to Nomi’s privacy policy: Nomi had stated that consumers could “opt out” of being tracked by Nomi either by (1) opting out on the Nomi website or (2) opting out at the retail establishment.

However, no retail establishment that used Nomi technology told members of the public that they were being tracked by Nomi or the establishment, and no retail establishment provided any means to opt out of tracking by Nomi.

Nomi’s primary error was stating in its privacy policy that there were two ways to opt out – when in fact there was only one. This error was compounded by Nomi’s implying that consumers would be told by retail establishments when they were being tracked – when in fact no such warning was ever provided.

In its settlement, Nomi agreed to fix the problem and not do it again.

Beyond Nomi’s failure to have an accurate privacy policy, Nomi was found responsible for the inactions of its clients – the retail establishments that did not provide the notification and opt-out opportunity for consumers. This is a lesson for all of us. Most companies believe their privacy policies are correct, but many may actually be exposed to this sort of “third party” or “vendor” risk. Do you know who you are sharing data with? Are you relying on your business partners to behave in a certain way? This third-party risk is a concern – and it is this risk that tripped up Nomi, just as it is this sort of risk that was at the root of Target’s recent data breach.

Two commissioners, sympathetic to Nomi as a start-up, dissented from the settlement, believing that the case should not have been brought at all. One commissioner objected on the grounds that the error in the privacy policy was immaterial, and both objected on the grounds that prosecutorial discretion weighs against bringing the case, because bringing such allegations discourages companies from saying more than the bare minimum in their privacy policies.

But the majority of commissioners, while noting the dissent’s concerns, were moved by Nomi’s failure to follow its own privacy policy. Simply put, the entire matter is a straightforward example of the failure to follow the golden rule of compliance: Nomi did not remember to “say what you do and do what you say.” And the FTC decided to make an example of Nomi as a warning to the rest of us.