It's not just surveillance cameras watching you in a store. Retailers are also tracking shoppers' physical movements through their cellphone to analyze and share their buying habits.

Indeed, reports have emerged over the years of large brick-and-mortar retailers installing sensors to trace and share consumers' movements in their stores.

While it's a growing practice in U.S. retail, lawyers say there are few laws governing the process, which in turn can pose significant privacy and potentially civil liberties concerns.

For instance, although all states have a data breach notification law, if movement-tracking data is breached, companies aren't required to notify data subjects or regulators.

"All these laws describe things a little different. If the only thing that was impacted was geolocation data or MAC [media access control] address, it generally wouldn't result in having to notify individuals of a data breach," said Jeffer Mangels Butler & Mitchell partner Robert Braun.

However, as public discourse over the data companies collect and share intensifies, Braun said laws are slowly evolving to include such movement-related data in new definitions of personal information.

"Under the California Consumer Privacy Act (CCPA), they specifically call out this type of data as personal information and it becomes subject to disclosure notice. Other laws that are either pending or are being discussed do the same thing," Braun said.

CCPA aside, retailers leveraging sensors to track consumers' footprints through their cellphones can still be held accountable for misuse of such data by federal and state regulators, lawyers warned.

Drinker Biddle & Reath partner Justin Kay noted traditional consumer protection statutes could apply to the collection of consumers' movements in stores if the collection is a "deceptive practice" under the Federal Trade Commission Act or state-level consumer protection authorities. One example Kay gave was if a company announced it wasn't collecting precise geolocation, but it actually was. Such an action could be deemed a violation of the FTC Act or face scrutiny by a state's consumer protection regulator, Kay said.

Companies could also face regulatory consequences for Children's Online Privacy Protection Act (COPPA) Rule violations for geolocation data regarding minors, Kay added.

Although there is a lack of regulations specifically governing the collecting and sharing of such physical movements, some say the civil liberties concerns from such practices are only compounding.

Sarah St. Vincent, a lawyer and founding director of Cornell Tech's Computer Security Clinic for Victims of Intimate Partner Violence, called the current regulatory landscape for movement-tracking "legally a Wild West."

Although she did note the U.S. Supreme Court's 2018 decision in Carpenter v. United States, which restricted the police's power to obtain historical cell-site location information, was a positive step for data privacy. But there still remains "a very large gray area around real-time tracking and entities that aren't law enforcement," she said.

St. Vincent added, "We are left in a situation where retailers, employers [and] abusive partners can track your movements and there's few, if any restrictions on that.'"

She said such movement tracking should be regulated for the potential life-altering implications it can have on data subjects.

"Privacy violations or the problems that arise from it don't leave a perfect paper trail." She added, "I think it's very possible someone [could] be harassed or stopped and an infringement of civil liberties are not necessarily documented. … Secret surveillance is supposed to be secret, and if things are going wrong, we wouldn't know."