Out-Law News | 25 Jan 2016 | 12:38 pm | 3 min. read
The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices.
The working paper said that retailers that use location tracking technologies, whether through Wi-Fi, Bluetooth or other mobile communication tools, could potentially collect personal data by doing so. Organisations that collect and use personal data are subject to data protection laws. Retailers should disclose to customers that they are using location tracking technology using both physical and digital notices, it said.
"Organisations must ensure that there is sufficient information, including a range of physical and digital signage, to clearly inform individuals that location technology is in operation," the working paper said. "The information must clearly state the purpose for collection and identify the organisation responsible."
"It is recommended that the industry develop a standard symbol which can be distributed throughout an area to remind individuals that the technology is in operation, similar to the effect from CCTV signage. Specific consideration must be given to staff, employees or other individuals who, if not excluded from the tracking, may be subject to extensive data collection," it said.
The working group's paper said retailers should not "seek to collect and monitor outside their premises" and can avoid doing so "through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day".
"The frequency of collection should also be limited to that which supports the specified purpose," the working group recommended. "The use of air-gaps to create a non-contiguous data collection area and ensuring that collection only takes place in areas which are relevant to the specified purpose should also reduce the risk of privacy intrusion. Organisations should also seek to identify 'privacy zones' where no tracking can take place as a result of technical or physical measures. This can be important in areas which have particular sensitivity such as toilets or rooms set aside for first-aid or worship."
Retailers were also advised to gain customers' consent before they combine personal location data they collect with other data they hold on them. Consent should also be obtained before sharing "individually identifiable data with third parties", the guidance said.
"Individuals should be fully informed when location data is intended to be combined with other information such as transaction history," the working paper said. "This is especially relevant when location tracking is added as a feature to an existing loyalty scheme, for example, adding BLE (Bluetooth Low Energy) beacon functionality to an existing retailer’s smart phone app. The user’s acceptance of an update via the app store is unlikely to be sufficient to qualify as being fully informed. Legislation in some jurisdictions may also require explicit consent for certain types of personal data."
Samantha Livesey, an expert in retail data privacy at Pinsent Masons, the law firm behind Out-Law.com, has previously highlighted the rise of new 'beacon' technologies that help retailers connect with consumers via their mobile devices as they move around shopping centres and within individual stores.
Livesey said the technology allows retailers to prompt consumers with promotional offers for goods as they approach particular parts of a shop, and said the ability to collect valuable personal data can help retailers identify future customer trends or improvements in store layouts. However, she recommended that retailers adopt a layered approach to address privacy issues so as to remain compliant with data protection laws.
“Retailers have for some time now been looking into the use of technology to enhance their customer offering from using beacon technologies and mobile apps to targeted billboards," Livesey said. "Retailers should pay close attention to the working group's recommendations because even if they do not intend to collect personal data by their use of in-store technologies they may inadvertently be doing so, particularly when communicating with customer’s smartphones."
"Retailers should be aware of the risks involved with using such technology and implement policies to minimise these risks, such as having clear limits of the type and volume of data collected and utilising anonymisation measures where appropriate," she said.