The Hard Rock Hotel and Casino in Las Vegas may have secretly harvested its patrons’ mobile phone data for marketing purposes, according to a former digital marketing researcher who claims to have worked on the campaign.
As the world comes to grips with revelations about a scandalous relationship between data harvesters Cambridge Analytica and Facebook, a story about previous marketing practices at the Hard Rock is raising questions about how casinos view and handle the customer data that enters their properties.
Amid intense scrutiny into how companies obtain and use social media data, some penitent digital marketers are now ’fessing up about their invasive practices. In a recent article in The Verge, Alexandra Samuel, a former executive for a cloud-based customer intelligence platform, writes about tactics similar to Cambridge Analytica’s that she contends have long been commonplace in digital marketing endeavors.
In her story, Samuel interviews Mary Hodder, a Silicon Valley technologist and privacy expert who tells of work for a company called Apisphere that used location data for ad targeting. And one of the clients she recalls most vividly from 2008 and 2009 was the Hard Rock in Las Vegas, whose ad targeting strategy seemed ethically questionable to say the least.
“They wanted to put wands in the ceiling to collect the IMEI [identification] numbers of every phone that went by,” Hodder said, “map everywhere they went in the casino or on the property, and map them in the hallways up to their rooms.”
Hard Rock officials declined to comment about these allegations when reached by Casino.org. Samuel’s article does not give details about how long the practice went on at the Hard Rock, or what it’s results were, or if it continues.
Hodder just recalled the excitement her company and the Hard Rock shared about the project without giving much of a second thought to privacy concerns.
“Then they could do a reverse lookup on IMEI numbers because there are companies that aggregate [these identifying] numbers,” Hodder said, “and as soon as they figured out who the person was, they could send them offers, text them offers, and the people had not opted in. So they were basically just intercepting your phone, and figuring out how to send messages to you in one form or another.”
Apisphere, a California-based company that described itself as a “geo-enabled mobility platform, enabling organizations to mobilize business processes with continuous location capabilities,” appears to have closed in 2012.
Is It Legal?
The collection and use, or misuse, of personal data in the US is governed by a complex patchwork of state and federal laws that can occasionally contradict one another.
The Federal Trade Commission Act has long prohibited “unfair or deceptive practices” in business and this has been applied to digital data security. The FTC has brought action against many companies for the misuse of private information and is currently understood to be investigating Facebook over the Cambridge Analytica affair.
But perhaps even more relevant here is the Telephone Consumer Protection Act. Enacted in 1991, this law gives the Federal Communications Commission regulatory authority over telemarketing activities. It requires companies to obtain “prior express written consent” from consumers before targeting them with marketing via telephone.
The law was updated in 2012 and 2015 to address new mobile technology and robocalls, and in 2016 to include robotexts.
Previous Hard Rock Data Breaches
The Hard Rock, owned by Toronto-based Brookfield Asset Management and operated by Warner Gaming in Las Vegas, is no stranger to controversy over compromised customer data.
In 2014 and 2015, it was found that customer credit cards were being “scraped” at different bars, restaurants, and retail shops at the casino, allowing criminals to steal identities and run up fraudulent charges.
Then a year later, in June 2016, the casino admitted that it had discovered malware on its card processing system, and warned customers that their financial details may have been stolen, and in addition to credit card data, the malware also may have been harvesting customers’ names, phone numbers, and email addresses.