I'd like to see documentation for the low-level BLE frame contents, i.e. what exactly is sent over the air, including any packet headers. In particular, I'd like to know what device address is transmitted.
Best information I could find on this topic:
Quote from above link:
Since all BLE packets include a Device Address, it's possible to track the BLE device as it's moving and communicating, unless it changes its address periodically. BLE adds the ability to periodically change the address.
So I'm wondering if the address is periodically changed. If it is, please document it.
If it's not, there's a major privacy issue:
The scenario I'm thinking about is players who have the means to deploy lots of cheap Bluetooth sniffer devices at public locations where many people pass by. It would be trivial to collect device addresses together with a timestamp and location of the sniffer and correlate those on a central server to generate movement profiles for each smartphone (and their owners) that got the app installed.
Examples of those players could be owners of franchises (e.g. station kiosks) or operators of public transport or anyone else willing to spend a few thousand € on this.
Dear @joernheissler, this functionality of the app is handled through the Google/Apple Exposure Notification Framework. Google and Apple respectively published their Bluetooth specification and one design goal is that "The advertiser address type shall be Random Non-resolvable."
Best regards,
TK
Corona-Warn-App Open Source Team
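The property quoted in the reply can be checked on a capture of your own device: the TxAdd bit of the advertising PDU header says whether the advertiser address is public or random, and the two most significant address bits give the random subtype. The following is an added example, not part of this thread or of the app's code; the function names, the sample PDUs and the `max_lifetime_s` threshold are assumptions chosen for illustration.

```python
# Added example: audit the advertiser address (AdvA) of legacy BLE advertising PDUs.
# Field layout follows the Bluetooth Core Specification; all sample bytes are constructed.

ADVA_FIRST = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
              0x4: "SCAN_RSP", 0x6: "ADV_SCAN_IND"}   # PDU types whose payload starts with AdvA
RANDOM_SUBTYPE = {0b00: "random non-resolvable", 0b01: "random resolvable",
                  0b11: "random static"}              # two most significant address bits


def classify_adva(pdu: bytes) -> dict:
    """Return PDU type, AdvA and address type from header + payload bytes."""
    if len(pdu) < 8:
        raise ValueError("need a 2-byte header and a 6-byte AdvA")
    pdu_type, length = pdu[0] & 0x0F, pdu[1]
    if pdu_type not in ADVA_FIRST:
        raise ValueError(f"PDU type {pdu_type:#x} does not start with AdvA")
    if length < 6 or len(pdu) < 2 + length:
        raise ValueError("length field does not match the captured bytes")
    tx_add = (pdu[0] >> 6) & 1            # TxAdd: 0 = public, 1 = random
    adva = pdu[2:8][::-1]                 # sent least significant octet first
    kind = RANDOM_SUBTYPE.get(adva[0] >> 6, "reserved") if tx_add else "public"
    return {"pdu": ADVA_FIRST[pdu_type], "address": adva.hex(":"), "type": kind}


def trackable(observations, max_lifetime_s):
    """Addresses that are not non-resolvable, or were seen for longer than max_lifetime_s."""
    seen, findings = {}, {}
    for ts, pdu in observations:          # (timestamp in seconds, raw PDU bytes)
        info = classify_adva(pdu)
        first = seen.setdefault(info["address"], ts)
        if info["type"] != "random non-resolvable":
            findings[info["address"]] = info["type"]
        elif ts - first > max_lifetime_s:
            findings[info["address"]] = "address not rotated"
    return findings


def make_pdu(address: str, tx_add: int, adv_data: bytes = b"\x02\x01\x1a") -> bytes:
    """Build a constructed ADV_NONCONN_IND for the demo (address in display order)."""
    adva = bytes.fromhex(address.replace(":", ""))[::-1]
    return bytes([0x02 | (tx_add << 6), 6 + len(adv_data)]) + adva + adv_data


if __name__ == "__main__":
    capture = [(0, make_pdu("3a:11:22:33:44:55", 1)), (600, make_pdu("3a:11:22:33:44:55", 1)),
               (1500, make_pdu("1c:aa:bb:cc:dd:ee", 1)), (1500, make_pdu("c4:01:02:03:04:05", 1)),
               (1500, make_pdu("00:11:22:33:44:55", 0))]
    print(trackable(capture, max_lifetime_s=1200))
```

An empty result from `trackable` means every observed address was random non-resolvable and none outlived the chosen threshold.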