IP & IT analysis: New guidelines for businesses and organisations that offer on-premises Wi-Fi connectivity serve as a useful reminder of their data protection obligations to employees and customers alike. Anna Bunting, partner at Davis Blank Furniss, outlines the key points of interest in the guidance.
ICO guidance on Wi-Fi analytics, LNB News 17/02/2016 143
New guidance issued by the Information Commissioner’s Office (ICO) sets out how operators of Wi-Fi and other networks may use location and other analytics information in a manner that complies with the Data Protection Act 1998 (DPA 1998). The guidance aims to help data controllers to fully understand their obligations and promote good practice.
What are Wi-Fi analytics?
Electronic devices such as smartphones and tablets are often fitted with a Wi-Fi connection for wireless connectivity for when you are at home or out and about. Many businesses and organisations today offer Wi-Fi access for their customers and employees. When a Wi-Fi-enabled device is switched on, it will regularly broadcast what are called probe requests, in order to find Wi-Fi networks that are within range. These probe requests contain a unique identifier which is known as a media access control (MAC) address. Organisations that offer Wi-Fi access can collect these probe requests and extract the MAC addresses from each device, and can also monitor signal strength to estimate the location of a device based upon the Wi-Fi connection in their business. This enables businesses and organisations to both monitor and track those devices to analyse a person’s behaviour. The analysis of that behaviour is called Wi-Fi analytics.
How common is the use of such analytics?
A whole industry has been built upon the use of this data to inform marketing strategies. Organisations can use the data to monitor the number of visits to their premises, how busy they are at different times of the day, and analyse the behaviour of customers. It is not uncommon for the data analysis to inform their store layout and shape marketing strategy by targeting specific products to individuals.
The main concern from the ICO about this kind of data collection is that because it doesn’t actually require the electronic device to connect to the Wi-Fi network—a probe request is all that’s needed—it means the data analysis can be done covertly without the individual knowing about it.
Has the ICO successfully taken any action against any businesses in this area?
I’m not aware of any action in this specific area. The ICO has been busy clamping down heavily in recent months on companies making unsolicited marketing calls (eg recorded PPI calls), but I think this guidance suggests it is turning its attention to Wi-Fi network operators and data protection issues. It is the first step in helping businesses and organisations to achieve compliance with data protection laws, and once the ICO is confident it has got its message across, this will assist it in taking enforcement action against any offenders.
What can businesses do to ensure compliance with DPA 1998?
DPA 1998 has been around for nearly 20 years now, and contains wide obligations that apply to any business that processes personal data. It has to comply with eight data protection principles and notify the ICO where necessary. The most important of these principles is to ensure that any data processing is fair and lawful, which usually means getting consent from the data subject.
The ICO guidance contains a number of recommendations in relation to Wi-Fi analytics and data protection compliance—this is a top-level summary:
The key issue is gaining consent from the data subject as far as possible. There is a difficulty in this, obviously, because of the nature of that data, and the guidance recommends an organisation conducts a privacy impact assessment to consider the level of information being collected through its Wi-Fi networks that will help to identify and reduce those risks.
An organisation needs to be very clear and transparent as to what it is doing. It must notify individuals where it can about any collection of data, whether that is by using signage at the entrance to or throughout the premises. If a data subject signs up to the organisation’s website, the website should give them information as to how they can control the collection of data by adjusting the settings on their phone.
An organisation must ensure the data collection is proportionate, that is, that data is collected only for the purposes for which it is being collected, that it is not obtained from people who are merely passing by the premises, and that it is not kept any longer than is necessary and is deleted afterwards.
Anonymising MAC addresses
The guidance also recommends anonymising MAC addresses where possible to avoid the identification of specific individuals, and giving individuals the opportunity to opt-out of processing in various ways.
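As an added illustration (example code, not part of the ICO guidance or this article), the following shows how a network operator could apply the proportionality and anonymisation points above to captured probe requests: weak-signal and short-dwell devices (passers-by) are discarded, and MAC addresses are replaced by a keyed hash with a per-day secret so that tokens are not linkable across days. The probe records, signal threshold, dwell threshold and secret are all constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample probe-request records: (MAC address, RSSI in dBm, UTC timestamp).
# Values are hypothetical and chosen to exercise each filtering rule.
PROBES = [
    ("AA:BB:CC:11:22:33", -45, "2016-02-17T10:00:00"),
    ("aa:bb:cc:11:22:33", -50, "2016-02-17T10:14:00"),  # same device, lower-case MAC
    ("AA:BB:CC:44:55:66", -88, "2016-02-17T10:01:00"),  # weak signal: likely outside the premises
    ("AA:BB:CC:77:88:99", -40, "2016-02-17T10:02:00"),  # strong but seen once: passing by
    ("AA:BB:CC:11:22:33", -47, "2016-02-18T09:00:00"),  # next day: must get a different token
]

RSSI_THRESHOLD_DBM = -70   # assumed: weaker than this is treated as outside the premises
MIN_DWELL_SECONDS = 300    # assumed: under five minutes is treated as a passer-by


def pseudonymise(mac: str, secret: bytes, period: str) -> str:
    """Keyed, truncated hash of a MAC address.

    A plain unkeyed hash is not anonymisation: the MAC address space is small
    enough to enumerate and reverse. Keying with a secret that is rotated (and
    discarded) per period keeps tokens consistent within a day but unlinkable across days.
    """
    msg = f"{period}|{mac.upper()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def summarise(probes, secret: bytes, rssi_threshold=RSSI_THRESHOLD_DBM, min_dwell=MIN_DWELL_SECONDS):
    """Return {token: dwell_seconds} per device per day; raw MAC addresses never leave this function."""
    seen = {}  # (day, MAC) -> (first seen, last seen)
    for mac, rssi, ts in probes:
        if rssi < rssi_threshold:
            continue  # proportionality: do not record devices merely passing outside
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        key = (t.date().isoformat(), mac.upper())
        first, last = seen.get(key, (t, t))
        seen[key] = (min(first, t), max(last, t))
    result = {}
    for (day, mac), (first, last) in seen.items():
        dwell = int((last - first).total_seconds())
        if dwell < min_dwell:
            continue  # passer-by: drop rather than store
        result[pseudonymise(mac, secret, day)] = dwell
    return result


if __name__ == "__main__":
    print(summarise(PROBES, b"constructed-demo-secret"))
```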
Are there any other laws or guidance that businesses should be aware of?
In the area of data usage, the ICO’s website is very useful and contains lots of different guidance. If they have not already, organisations should also familiarise themselves with the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, which sit alongside DPA 1998 and are more specific to the use of electronic means of communication and collecting data.
How will the General Data Protection Regulations regulate the use of such analytics?
The General Data Protection Regulations are expected to come into force in early 2018. The existing core concepts under DPA 1998 will remain unchanged, but the Regulations are being introduced to harmonise data protection laws across EU Member States and reflect the huge development in new technologies that involve data processing since 1998. Although the obligations are fairly broad and apply to all processing (rather than specifically to Wi-Fi analytics), organisations will potentially need to take their data protection obligations more seriously, as it is proposed that there will be quite a drastic increase to the maximum fine that can be imposed, coupled with more stringent requirements generally. This includes requirements to document and record processing activities, direct obligations on data processors such as third party contractors, and increased rights for data subjects to request that their data is deleted and to object to processing such as profiling. One of the key proposals that may affect those using Wi-Fi analytics is the requirement to obtain consent. It will no longer be possible to rely on implied consent, as consent under the draft regulations has to be specific and explicit. The draft regulations also mirror some of the recommendations in the new guidance on Wi-Fi analytics relating to privacy impact assessments and anonymisation of data.
Interviewed by Duncan Wood.