Now Stores Must Tell You How They’re Tracking Your Every Move

To anyone with eyes in their kneecaps, the notice outside gadget retailer B8ta’s glossy store next to San Francisco’s new NBA arena is obvious. “We care about your privacy,” the small plaque proclaims, offering a web address and QR code.

Anyone curious and limber enough to bend down and follow these pointers is taken to the retailer’s online privacy policy, which discloses that stepping inside the store puts you in range of technology that automatically collects personal information. That includes “smartphone detectors” and Wi-Fi routers that note the location and unique identifiers of your phone, and cameras equipped with software that estimates your age and gender.

B8ta added the signage to its six California stores and expanded its online privacy policy late last year as it prepared to comply with a new state law that took effect this month called the California Consumer Privacy Act. The law requires businesses to disclose what personal information they collect from consumers at or before the time it is collected. It gives state residents the right to request data collected about them be deleted and to forbid a business from selling it.

CCPA’s most visible effect has been a plague of website popups on California residents. But the law also applies to offline data collection. B8ta’s new signs and disclosures show how the CCPA might shed more light on the way brick and mortar businesses use Wi-Fi routers and other in-store sensors to try and match the customer analytics and tracking of online retailers and ad networks.

California legislators rushed to pass CCPA in 2018 to head off a stricter ballot initiative on privacy whose sponsors had collected more than 600,000 signatures. In the process, a provision allowing citizens to sue for violations was removed, leaving the state attorney general as the sole enforcer. But CCPA is in some ways broader than GDPR, the influential European Union privacy law that came into force in 2018.

The notice required by the California Consumer Privacy Act, at knee height, at a B8ta outlet in San Francisco.

Photograph: Lauryn Hill

California’s law defines personal information more liberally, to include data about a household, which GDPR does not, for example. CCPA also requires companies to disclose details of how they sell personal data and allow consumers to opt out of any sales, using a broad definition of “sell” that includes trading data for anything of value.

Mary Stone Ross, a lawyer and former CIA analyst who coauthored the initiative that led to CCPA, says it was partly inspired by research on use of in-store tracking by retailers. “It was very clear that in order for the CCPA to be effective, it had to cover all collection of all information, not just online collection,” she says.

The law that took effect January 1 says businesses must “inform” consumers that they are collecting personal information “at or before the point of collection.” The attorney general’s draft regulations, due to be finalized in time for enforcement to begin in July, suggests physical premises distribute paper notices or display “prominent signage” with a web link.

B8ta declined to explain how it reasoned that knee-high notices might inform customers or count as “prominent.” The company’s stores, which resemble Apple stores, feature quirky consumer gadgets such as an e-ink typewriter alongside products from names like Asus and Google. The retailer’s pitch to lure new partners cites its stores’ ability to provide live data on how customers engage or linger near products on display.

Other companies collecting data from customers in stores have taken different approaches to disclosure.

One patron of Brazilian steakhouse Fogo De Chão received a printed CCPA notice when he visited the chain’s San Francisco restaurant in early January. It informed him that the company collects personal information during purchases and reservations, uses security cameras, and mentions the restaurant’s guest Wi-Fi. That, too, according to the company’s updated online policy, collects personal information.

When department store Macy’s updated its privacy policy to comply with CCPA, it added a surprising disclosure—facial recognition may be used on customers for “security and fraud detection purposes.” The company also said that it uses Wi-Fi routers to track where shoppers linger and beacons that “map nearby Bluetooth-enabled devices, much in the same way radar works,” and sells consumer data, including device and network information.

Inside the Macy’s store in San Francisco’s Union Square this week, the cameras—potentially using facial recognition—were obvious, but no privacy notices were visible, even at knee level. The company did not respond to multiple requests for comment.

California’s new privacy regime could help reveal how use of facial recognition is spreading in stores and other semipublic places as the technology becomes more accessible. Lowe’s says it previously tested the technology in three stores, but ultimately decided not to use it.

Peter Trepp, CEO of facial recognition provider FaceFirst, declined to say whether he is telling retail customers to post notices in California informing shoppers their faces might be analyzed. The company claims to work with airports, sports teams, and Fortune 500 retailers, who use the software to alert staff when shoplifters known to a store return.

“It’s still a new law and hasn’t really been tested yet,” Trepp says of CCPA. The company or its customers already post notices in places where local laws require it, he says, but declines to specify them. “We err on the side of providing notification if we need to,” Trepp says.

Joseph Turow, a professor at the University of Pennsylvania, welcomes the idea of making in-store data collection more transparent. His 2017 book on the topic, The Aisles Have Eyes, helped convince Ross that California’s privacy law should apply to offline as well as online data collection.

But Turow questions whether paper slips or notices with QR codes will spur much response from consumers. In national surveys of attitudes to privacy and marketing he has carried out, Americans say they want more control over data collected on them, but also believe that they don’t have any control.

“There’s a feeling of resignation about data collection,” Turow says. “People think it’s just the way of the world in the 21st century.” CCPA warnings, he says, could end up like California’s ubiquitous Prop 65 notices, affixed to buildings, cars, phone chargers, and countless other products to warn that they contain chemicals “known to the State of California to cause cancer.”

Ross, who coauthored the initiative that became CCPA, laughs a little nervously at the comparison—it’s something she has worried about. But she argues that the fact CCPA allows consumers to tell companies to delete, or not to sell, their data makes notices prompted by the law more actionable. “We didn’t want to just freak people out. We wanted to give people tools to do something about collection,” she says. “They can’t stop the collection of data, but maybe the next law will.”

More Great WIRED Stories

Read More