Wi-Fi tracking by companies or public bodies has drawn substantial negative publicity, on account of the impact that it may have on the privacy of individuals. Various national data protection authorities in the EU, such as the Belgian, UK and Dutch data protection authorities, are increasingly scrutinizing Wi-Fi tracking and the processing of personal data in the context of privacy . In the Netherlands, the branch association for Marketing-insights, Research & Analytics (MOA) has proposed to introduce a "Do not track me register", although it is questionable whether the opt-out method may be applied for when using Wi-Fi tracking.
What is Wi-Fi tracking?
Many retail companies provide in-store Wi-Fi to individuals visiting their stores. In order to provide the free Wi-Fi service, the retail companies process the personal data of the users of this service. Moreover, retail companies want to further track individuals who visit their stores via Wi-Fi even if these persons do not access and use the in-store Wi-Fi network, in order to gain insight into the customer traffic and other customer footfall data.
Further, many municipalities use Wi-Fi tracking to count visitors in their cities. This gives the cities an idea of the appeal of their city center, of the influence of spatial changes in the city center, and also of the effects of events, promotional campaigns, and the shop opening hours.
Using Wi-Fi tracking has various advantages for organizations and public bodies. At the same time, it means that people can be tracked using the signal from their mobile devices. Wi-Fi-tracking entails the processing of location and unique identification network address information. Mobile devices continuously transmit Wi-Fi signals, both when they try to connect and when they are connected to a wireless network. These signals contain the unique MAC address (Media Access Control Address) of the mobile device. Combining the MAC address with other data--such as the signal strength of the registered Wi-Fi signal of the device, the location of the mobile device, the date, and time of the measurement-- results in the processing of personal data, as the data can be traced back to the whereabouts of a specific person.
GDPR Obligations
Due to the processing of personal data, the use of Wi-Fi tracking is subject to the strict requirements of the GDPR, and will only be authorizedif all these requirements have been met. This results in various obligations for organizations using Wi-Fi tracking.These obligations entail, inter alia, having a legitimate basis for the processing activities, having an adequate security level for the personal data, , having procedures in place to respond to requests of data subjects regarding their rights under the GDPR, as well as various information duties.
UIA Presentation
In her presentation for the UIA Commission "Privacy and Rights of the Digital Person" during the 63rd UIA conference in Luxembourg (6-10 November 2019), Dr. Elisabeth Thole will elaborate on the challenges for organizations on how to comply with the GDPR requirements when they use Wi-Fi tracking.
by Dr. Elisabeth Thole
Van Doorne N.V.
Amsterdam, the Netherlands