clock menu more-arrow no yes mobile

Filed under:

Why you see online ads for stuff you buy in the real world

Facebook isn’t following you around the mall, but the stores might be.

Shoppers purchase items at Toys R Us store in New York City on December 24, 2015.
Kena Betancur/Getty Images
Sara Morrison is a senior Vox reporter who has covered data privacy, antitrust, and Big Tech’s power over us all for the site since 2019.
Open Sourced logo

Stop me if you’ve heard this before: You go to a store, browse its wares, consider or even make a purchase, and then go home, only to find a bunch of ads from that very store — perhaps of the very item you bought — following you around the internet. Or maybe you have several emails from that store filling your inbox, urging you to buy more stuff. How did your offline shopping habits make it into your online life? Well, it turns out those brick-and-mortar stores are getting as good at tracking you as their online rivals. And it all starts with your phone.

Through your mobile device that you have on you at all times, including as you walk past or through a store, businesses can potentially see which of their products you prefer, which websites you visit, demographic information like your gender and age, your location, and much more — and they have the ability to do some of these things without asking for your consent or telling you what they’re doing it at all.

Here’s what you should know before you download a store’s app or log on to the free wifi offered at the mall.

What you’re really opting in to when you use free wifi and stores’ mobile apps

These days, many retailers offer free in-store wifi and shopping apps. Free wifi can be a convenient way to access the internet without using your cell phone’s data; depending on your carrier and plan, you may be preserving a precious resource.

And mobile apps often offer users exclusive deals on a business’ products or allow them to order items before they set foot in a store. But you might not be aware of what you might be giving away when you take advantage of these services: by using them, you have also opted into what’s called “active tracking.”

You usually can only access in-store wifi through a “captive portal,” which is a page that pops up when you first try to connect. Usually, it asks you to submit personal information, like an email address, and then to agree to terms and conditions before letting you access the internet.

The thing is, when you log into wifi through a business’s captive portal, you aren’t just giving the business whatever personal information you submitted at the portal page. You’re also attaching that information to a set of data the store collects from you, and you’re granting the store permission to use that data in ways you may not realize. (And if you used a social media profile like Facebook to log into the service, you may have given the business everything from your full name to your employer.)

For instance, your wifi connection can give stores location information as specific as how much time you spent staring longingly at those shoes you can’t afford before giving up and heading for the clearance rack. Stores will know which websites you browsed while you were connected to their service, and they can install cookies on your browser to track you around the internet long after you’ve left the store.

“They can see which sites you’re connecting to and when, and use that information to build a profile about your behavior,” Bennett Cyphers, a technologist for the Electronic Frontier Foundation, told Recode. “Browsing history can be used to guess at demographics — age, income, race, religion, political leaning. … This data can be used to target ads or sold to data brokers [or] combined with other data streams.”

People use their smartphones as they wait in line for a Uniqlo clothing store to open on Fifth Avenue in New York City on September 22, 2017.
Robert Alexander/Getty Images

Your offline activities in a store are important, too: Retailers can send that data to services like LiveRamp to match it with your online identity, allowing retailers to place ads for those shoes that you couldn’t afford all over the internet.

If you’re using a business’s mobile app, you’re giving it even more information. Target’s app encourages users to provide personal information about themselves, make shopping lists, scan item barcodes to see if there are any deals available, and redeem those deals by scanning the app’s barcode at the register. Macy’s app lets you upload a photo of your face to “try on” beauty products. H&M’s app lets you upload photos of clothing you like and then matches them with similar H&M offerings.

But these apps may also be tracking you in less obvious ways. As the New York Times noted last June, many retailers deploy Bluetooth “beacons” throughout stores. If you have the store’s app installed on your device, the beacons send it signals. The app then knows where in the store you are and sends you information (like coupons or store maps) specific to that location. But this also means the app can track your movements as you pass by the beacons. Depending on where and how the beacons are placed, your location can be measured in inches. Some device manufacturers have wised up to this practice; for instance, the iPhone’s newest operating system requires apps to get your permission to use Bluetooth.

This is all used to give businesses precise insights into their customers and to make it easier to market to them, both individually and in aggregate. It helps put brick-and-mortar businesses on a level playing field with their e-commerce rivals. And it may also help you, the customer.

Not only do you get the free wifi or the convenience of a mobile app, but you may also get coupons or notifications about sales on products you’re more likely to want. Maybe now you can afford those shoes after all.

“What companies like ours do is really allow brick-and-mortar venues to have the type of digital analytics that any online retailer, any website, has access to today,” Elizabeth Weddle, director of marketing for GoZone Wifi, a provider of captive portal and retail analytics services, told Recode.

You may have never heard about this kind of tracking before, but it’s not exactly a secret: Portals and apps typically have privacy policies that state what data they collect and what they do with that information. Some are more explicit than others. (For instance, H&M simply says that “non-personal data is used as [personal data] and in other ways as permitted by applicable laws, including combining non-personal data with personal data.”) But standing in the middle of the mall staring at tiny print on your phone before you log on to wifi probably isn’t something you, or anyone else, would bother to do. That’s why we’re breaking it down for you.

Passive tracking: Watching you whether you like it or not

So, if you don’t want businesses to get to know you, you can just not sign up for their free wifi and not download their mobile apps, right? Wrong. Retailers also use wifi and Bluetooth sensors to track your mobile device (and, therefore, whoever is in possession of it: you) without you ever having signed in or asking for your permission to do so. This is called “passive tracking.”

Your device constantly sends out signals to detect wifi and Bluetooth connections around it. This is a good thing when you’re trying to connect to your wireless headphones or home router. But stores can install sensors that detect those signals and provide some basic information back to the store about your device.

Anything that connects to the internet has a Media Access Control (MAC) address, which is essentially a serial number unique to the device that can’t be changed. Store sensors, depending on where they are, can pick up your MAC address and use that to track your device’s location and movements.

Because the MAC address is connected to your device but not, directly, to you, it’s considered “non-personally identifiable information.” That said, it is possible to match a device’s MAC address with its owner’s identity by cross-matching it with information from other sources like data brokers. This information is a lot more personal than it might seem at first glance.

“It’s kind of like saying your driver’s license number isn’t necessarily personal information because it doesn’t refer to you by name,” Ashkan Soltani, a former Federal Trade Commission chief technologist who also worked on California’s upcoming Consumer Privacy Act, told Recode. “It’s robust enough to actually identify you.”

Most likely, the business isn’t doing this to spy on you, the individual. Passive tracking is about getting aggregate data, like which areas of the store are more popular than others, the busiest times of day in a location, or even how many people pass by the store without stepping inside. (Yes, you don’t even have to be a customer for a store to track you; you just have to be in range of one of its sensors.)

And, again, online stores behave similarly. It just might feel more invasive when your movements in the physical world are being tracked through a device in your pocket.

“If you knew someone was following you around from each store that you go to — just a random person following you around and recording what stores you go to — most people would be creeped out,” Soltani said.

Visitors walk through the luxury shopping mall at the Hudson Yards development on the West Side of Midtown Manhattan on March 18, 2019, in New York City.
Spencer Platt/Getty Images

Tracking your MAC address is also a way that stores can continue to actively track someone who opted into their wifi service even after they’ve logged out, simply by matching it with the MAC address associated with them when they signed up for the free wifi three weeks ago, or even at another of the retailer’s locations.

For example, GoGoGuest, which provides captive portal services to various businesses, says in its privacy policy that it can link a user’s MAC address — and all the information it gets from that address — to personal information provided by the device’s user, like an email address. And it may then combine that data with information about you that it gets from other sources, including third-party data brokers. (GoGoGuest’s CEO Jessica Valenzuela told Recode that it’s “rare” for the company to do this.)

Going off the retail grid

It’s important to keep in mind that just because retailers can track you doesn’t mean they are.

After reading a wifi portal or app’s terms and conditions and privacy policy, you may well think that the benefits of active tracking outweigh the downsides. If you don’t, opting out of active tracking is pretty simple: Don’t opt in. Don’t use the store’s wifi and don’t download and install its app.

Opting out of passive tracking is more complicated. The good news is that device manufacturers and even businesses have taken measures to preserve your privacy. Some retailers, like Nordstrom, stopped passive tracking after public outcry when the practice came to light (Nordstrom said the timing was coincidental).

Certain portal providers will anonymize your MAC address, preventing them from associating it with information you may have provided in previous or future visits. And some devices send out randomized MAC addresses, which means that neither the portal nor the client business should know the real number. But these measures aren’t foolproof, don’t prevent tracking entirely, and may not be offered by the store or your device.

You may also want to take advantage of opt-out service many stores and portal providers offer to prevent your MAC address from being tracked, passively or actively. Registering it with Smart Places, for instance, will opt you out of several providers in one fell swoop. But finding and registering your opt-out preferences for every single store you might walk past is all but impossible, not to mention more time-consuming and a lot less fun than the holiday shopping you’re there to do in the first place.

Turning your wifi and Bluetooth off is the best way to avoid retailer tracking, but it doesn’t mean you aren’t being tracked by someone else. As Quartz discovered last year, Google had the ability to track Android devices through Bluetooth beacons even when Bluetooth appeared to be off (you do need to have a store’s mobile app installed for it to track you this way). And cellular carriers like Verizon and T-Mobile sell “insights” to businesses based on your behavior on their networks. The insights are about groups of people rather than individuals (though these companies sold data about individuals up until very recently).

That leaves us with the only guaranteed way to truly opt out of being tracked through your mobile device: turn it off. For most of us, that’s not a realistic option. What helps is knowing what you can control — and using that information to think twice before you log on to a free wifi network or download yet another app.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.


A poster’s guide to who’s selling your data to train AI


The less-than-magical Willy Wonka event, briefly explained

Supreme Court

The Supreme Court appeared lost in a massive case about free speech online

View all stories in Technology

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.