By James Clark (Leeds)

Most of us are familiar with the many ways in which customer activity can be tracked in the online space. Customer accounts, cookies, web beacons and tracking pixels are familiar tools in the e-commerce arsenal, and all come with familiar challenges from a privacy and data protection perspective. Increasingly, retailers are expanding tracking technologies into the physical space through the use of Wi-Fi location analytics. As the benefits of tracking translate into the real world, so too do the compliance obligations.

Wi-Fi analytics most commonly work by monitoring the media access control (MAC) address which a Wi-Fi enabled device transmits when it is searching for Wi-Fi networks.

By monitoring signal strength (commonly abbreviated to RSSI), retail stores can estimate the distance of a device from a particular access point, distinguish passers-by from customers and, in effect, monitor the location of a device and track the behaviour of a particular device over time.

This kind of monitoring works even where a customer has not signed in to a store’s Wi-Fi, provided the customer’s device is “probing” for available networks.

The benefits of this kind of tracking are enormous. Stores can build data on customer engagement, measuring visit length, visit duration, frequency of visits and total number of customers. Stores can also track movement around the retail space. Where customers log in to a store’s Wi-Fi or have an existing account with the store which can be associated with their device, the store can even send them just-in-time special offers and coupons to drive real-time purchasing.

For the purposes of data protection law, if an individual can be identified from a MAC address, or other device-specific information, then the data will be personal data – even where the name of the individual remains unknown. Where an organisation uses a MAC address or other unique identifier to track a device with the purpose of singling the individual out or treating them differently, or stores or uses that information in any way, it will be processing personal data.

What can retailers do?

To ensure retailers remain legally compliant while exploiting this technology, they should:

  • understand what personal data they collect over the Wi-Fi network, including MAC addresses and location data
  • provide clear and prominent notices, for example in privacy policies, on the log-in pages for Wi-Fi networks and in physical locations such as shop floors
  • provide users with easy-to-follow instructions about how to switch off Wi-Fi location tracking features
  • ensure their contract with their Wi-Fi analytics provider contains data processing terms and flows down privacy obligations
  • consider anonymising MAC addresses if their analytics can be carried out in this way
  • try other data minimisation techniques, such as sampling, to reduce the volume of personal data collected.
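One way to apply the last two points, shown as an added example that is not from the original article or any analytics vendor: raw MAC addresses are replaced at collection time by a keyed-hash token under a secret that changes daily, and only a sample of devices is kept. The class and function names, the token length, the sample rate and the sample sightings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_BYTES = 8     # assumption: 64-bit tokens are enough to count devices
SAMPLE_RATE = 0.25  # assumption: analyse roughly one device in four
# Constructed sample sightings (day, MAC, RSSI in dBm); not real devices.
SAMPLE = [("2024-05-01", "00:1A:2B:3C:4D:5E", -48),
          ("2024-05-01", "00-1a-2b-3c-4d-5e", -71),
          ("2024-05-02", "00:1A:2B:3C:4D:5E", -55)]

def mac_bytes(mac: str) -> bytes:
    """Parse 'AA:BB:CC:DD:EE:FF' or 'aa-bb-...' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw

class DailyPseudonymiser:
    """Replaces MACs with keyed-hash tokens, using one in-memory key per day.

    A plain unkeyed hash would not do: the 48-bit MAC space can be enumerated
    to reverse it. Per-day keys keep tokens from linking visits across days,
    and deleting a key stops that day's tokens being recomputed from a MAC.
    """
    def __init__(self):
        self._keys = {}  # day -> secret key, never written to disk

    def _digest(self, label: bytes, mac: str, day: str) -> bytes:
        key = self._keys.setdefault(day, secrets.token_bytes(32))
        return hmac.new(key, label + mac_bytes(mac), hashlib.sha256).digest()

    def token(self, mac: str, day: str) -> str:
        return self._digest(b"token", mac, day)[:TOKEN_BYTES].hex()

    def sampled(self, mac: str, day: str) -> bool:
        # Deterministic per device and day, so a device is wholly in or out.
        value = int.from_bytes(self._digest(b"sample", mac, day)[:4], "big")
        return value / 2**32 < SAMPLE_RATE

    def expire(self, day: str) -> None:
        self._keys.pop(day, None)

def minimise(observations, pseudonymiser):
    """Turn (day, mac, rssi) probe sightings into (day, token, rssi) rows."""
    return [(day, pseudonymiser.token(mac, day), rssi)
            for day, mac, rssi in observations
            if pseudonymiser.sampled(mac, day)]
```

With daily keys, same-day measures such as dwell time and footfall still work, but repeat visits on different days can no longer be counted; a longer key period trades that back at the cost of longer linkability.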

It is encouraging to see that some regulators, such as the UK’s Information Commissioner, have published specific guidance in response to this growing trend.