Authored by James Clark
Earlier this month, the UK data protection authority, the Information Commissioner’s Officer (“ICO”), published guidance on safely processing personal data derived from Wi-Fi location analytics. This guidance is important not only to retail businesses who provide Wi-Fi networks to their customers, but also to companies who just provide Wi-Fi access solely to their employees. With most large organisations and businesses now providing Wi-Fi access it is certainly a fitting time to consider this issue.
Wi-Fi analytics is the ability of businesses to track customers or employees using the media access control (MAC) address which a Wi-Fi enabled device transmits when it is searching for Wi-Fi networks.
By monitoring signal strength organisations can estimate the distance of a device from a particular access point and, in effect, monitor the location of a device and track the behaviour of a particular device over time.
If an individual can be identified from a MAC address, or other information in possession of the network operator, then the data will be personal data – regardless of whether the name of the individual remains unknown. Where an organisation uses a MAC address or other unique identifier to track a device with the purpose of singling them out or treating them differently, or storing or using that information in any way, it will be processing personal data. As there is no requirement for the device to connect to the Wi-Fi network there is also a risk that data relating to an individual is processed in a covert manner.
The guidance also reiterates that organisations using Wi-Fi analytics should take care to avoid excessive data collection and to reduce the risk of identification of individuals in the collected data. By way of example, this could be accomplished by converting the MAC addresses into alternative formats that continue to suit the specified purposes whilst removing the identifiable elements. Location of the data collection device as well as sampling methods could also be used to reduce the volume or privacy intrusion of the data collected or to define specific collection periods. Organisations should also be considering the use of effective control mechanisms allowing individuals a simple and effective means to control the processing.
It is now clear that the processing of device identifiers collected through the provision of Wi-Fi networks can involve the processing of personal data. In light of this, if you use Wi-Fi analytics you must now begin to implement the ICO’s guidance to ensure that they remain compliant. In summary, you should:
- understand what personal data you collect over your Wi-Fi network, including MAC addresses and location data;
- provide clear and prominent notices – in privacy policies, on the log-in pages for Wi-Fi networks and in physical locations such as shop floors;
- consider anonymising MAC addresses if your analytics can be carried out in this way;
- try other data minimisation techniques, such as sampling, to reduce the volume of personal data collected.
You can find the ICO guidance here – https://ico.org.uk/media/for-organisations/documents/1560691/wi-fi-location-analytics-guidance.pdf
For more information about the issues contained in this post, please contact Andrew Dyson, Partner (firstname.lastname@example.org), JP Buckley, Legal Director (email@example.com) or James Clark, Associate (firstname.lastname@example.org), all at DLA Piper UK LLP.