Where are you going and where have you been? No need to tell me, I already know.

With mobile phone privacy in the forefront of our minds, it was a bit disconcerting to hear that this holiday season (Black Friday through New Years) certain malls will be tracking shoppers’ phones. Right now, just two US malls have said they will be anonymously tracking visitor’s phones, the Promenade Temecula in Temecula, California and the wonderfully-named Short Pump Town Center in Richmond, Virginia.

A notice was posted at the Promenade stating that anonymous data will be collected using the signals from visitors’ mobile phones. The data will be anonymized and is collected using a number of “monitoring units” placed around the mall. The purpose of the data collection, according to both the mall’s signage and website is to “enhance the shopping experience,” something we’re not quite sure all the visitors will appreciate as much as the malls might hope…

The malls have “promised” no personal data will be collected, they are apparently just analyzing foot traffic patterns and “shopping behavior”. Correlations will be drawn to optimize mall layouts as well. Say there is a high positive correlation between people who enter and stay for long periods of time at the Promenade’s Bath & Body Works and Carl’s Jr., then why not put them at opposite sides of the mall so people have to walk past Pottery Barn to get from one to the next? That’s of course an oversimplification of what can be done with data like this, but it’s one way behavioral tracking data is used.

The malls are using what appears to be an off-the-shelf setup from Footpath Technology in order to track shoppers. All the data is processed and audited by FootPath, so a third party is handling your bahvioral data, not just the mall whose space you willfully (presumably) entered. Some of the information that FootPath can collect — for about $92,000/year for a 55,000 square foot mall — include but are not limited to:

overall number of visits
visit time
frequency of visits (per individual)
linkages between retailers
nationality of visitor
interactions between the mall and other areas (they would have to be FootPath clients)
So while the data is anonymous there is a lot of it being collected, enough that it wouldn’t be particularly difficult to pinpoint individuals. Not that FootPath or the malls would want to do this, but that’s not exactly a high bar to set when it comes to privacy. The malls have pointed out to CNN that they are not interested in individuals and they do not track purchases. It’s not clear if FootPath data is made available to the stores — who could then connect the data with purchases using a fairly standard business intelligence system — or third-party services.

FootPath’s privacy policy has some strongly worded sections about individual privacy, so while this is a bit scary you might want to leave your tinfoil hat at home (read: not leave your mobile phone in the car). Apparently it is possible to opt out from the tracking, you just need to turn off your phone.

Tracking users during their holiday over-spending and food court binging… Is nothing sacred any more?

More at CNN Money