New ICO Guidance on WiFi Location analytics

Who: The Information Commissioner’s Office (“ICO”)

Where: UK

When: 16 February 2016

Law stated as at: 7 March 2016

What happened: The ICO has published new guidance explaining how organisations can use location analytics information collected via wi-fi in compliance with the Data Protection Act 1998 (“DPA”).  The guidance applies to all operators of wi-fi networks such as retailers, employers, leisure and entertainment venues and managers of transport hubs.

Wi-fi network operators are able to identify individuals by using their unique phone identifier called a media access control address (“MAC”).  The MAC is contained in probes that search automatically for a wi-fi network when a phone’s wi-fi settlings are turned on.  The location of the signal transmitted can then be used to track the behaviour of individuals based on where the phone is in relation to the wi-fi access point.  If the individual is identifiable from the MAC or other information in possession of the wi-fi network operator, then the operator will be processing personal data (even if the name of the individual is unknown).

The ICO’s guidance has 8 key messages for organisations using wi-fi location analytics:

1. Privacy Impact assessments (“PIA”) – carry out a PIA to consider how the processing could affect privacy.
2. Privacy by design – be clear about the rationale for the data processing so that privacy-friendly compliance can be achieved.
3. Fairness – be transparent about the data processing by giving individuals notice of the purpose of the data processing, any proposed data sharing and the data controller’s identity.  The guidance suggests providing notices at building/store access points; reminders in locations where data is collected; and notices on websites and wi-fi sign-up pages.  It also suggests explaining to individuals how they can control the collection of their personal data, for example by turning off wi-fi settings.
4. Anonymisation – consider anonymising the MAC so that individuals are not identifiable.  This would be possible, for example, if a retailer only wanted to analyse footfall within a store or a train station operator wanted to analyse traffic flow as the identify of individuals is not essential for these purposes.
5. Boundaries – set boundaries for the data collection to ensure all affected individuals are aware of it and to reduce privacy intrusion.
6. Retention – do not store personal data for longer than is necessary for the purpose for which it was collected.
7. Control – give individuals the opportunity to opt-out of the data collection. The guidance suggests offering physical solutions at building/store access points in the form of technology that can read a phone’s MAC and then suggest opt-in/opt-out options to the individual, offering opt-out choices online via privacy policies, wi-fi sign-up pages and on an organisation’s website; and the placement of prominent privacy notices.
8. Sub-contracting – ensure that appropriate data processing obligations are flowed down to sub-contractors involved in the data collection and processing.

A full copy of the ICO’s guidance can be found here. Further information can be found the International Working Group on Data Protection in Telecommunication’s non-binding Working Paper on Location Tracking from Communications of Mobile Devices which was published in October last year.

Why this matters: 

Wi-fi location analytics has been likened to the bricks and mortar equivalent of cookies that measure a consumer’s behaviour online.  For example, in a retail context, organisations can use the wi-fi location analytics to measure footfall and time spent in store, analyse an individual’s interests in offers or particular goods, send marketing messages (if the individual has opted-in), identify repeat shoppers and evaluate the success of marketing campaigns.  If the information is combined with other surveillance technologies, such as CCTV, or pooled with third party data, then retailers can start to build a broader consumer profile leading to more effective analysis of trends and consumer marketing.

Wi-fi location tracking raises particular data protection issues because it often takes place invisibly although it can be used in ways that are very intrusive.  For example, if an individual is present in a location and its phone wi-fi settings are switched on, then the phone will attempt to connect to the wi-fi network, identifying the presence of the individual automatically without the individual having made an active choice.  There are also practical barriers towards data protection compliance in this scenario in terms of bringing the wi-fi location analytics to the consumer’s attention in a public space and in a way that does not adversely affect the consumer experience.

The points that the ICO raises in the guidance are not new, but instead highlight the application of existing data privacy principles and best practice so that wi-fi location analytics can be used in a way that is compliant with the DPA.  This is important to increase the transparency and accountability of organisations using this technology and to ensure that individual privacy and choice is respected as wi-fi location monitoring increases.