Location Data Insights

Beacons & Privacy - You Can’t Afford to Miss This

September 9, 2016
Jarno Vanto
Chief Privacy Officer

Privacy is a hot topic when it comes to beacons, proximity and location, and there are many pitfalls that companies in the beacosystem may encounter. At Unacast we have always focused on privacy and compliance, and early on we hired Jarno as our Privacy Advisor. In this interview, Jarno goes into detail about privacy and what beacosystem entrepreneurs need to know. We will cover some of those aspects here.

Why should you care about beacons privacy?

“Beacons do not track you, they just broadcast data, therefore privacy isn't an issue” - a quote from quite a few companies working in the beacosystem. It is correct that the beacons themselves do not collect data. However, there is usually a mobile app involved, which makes the case a bit different because the app interacts with beacons and generates data. When you add meaning or context to beacons by using software, such as apps, a lot of data can be extracted from this - is the consumer actually in the store, where in the store, etc.

It is important, and required by law, to tell the users of the mobile devices what data is being collected, the purpose of collecting the data, how long you will keep the data and who will use the data, such as third parties. In other words, when there’s an app involved, a privacy policy is needed.

Another critical question in this regard is how beacon owners should gain consent for the collection of data and, in particular, location data. Given that the interaction with beacons takes place through the mobile device, mobile devices have robust mechanisms for accepting data collection with the help of beacons. An app asks the user to opt in to the collection of location data, and keeps asking through the app’s lifecycle on the mobile device whether a consumer wants to continue to allow the app to collect location data. Some apps also helpfully tell users why location data is useful for the consumer’s experience with the app. Most mobile devices now also enable users to opt out of location data collection for a specific app, a selection of apps, or for the device as a whole. Having such choices is important. In addition to these device-based mechanisms, clear privacy policies must, obviously, be in place.

The key to success is that the beacosystem has to make sure that mobile device users understand the collection of data, what this actually means, what purposes it will be used for, and to whom the data will be disclosed, among others.

What happens if you neglect privacy?

This depends obviously on where you are in the world because different countries have different laws and regulations. In the US, one of the key enforcers of consumer protection law is the Federal Trade Commission (FTC), which enforces promises that companies make to consumers in their privacy policies, among other things. If you violate the terms of your company’s privacy policy, you may be in trouble with the FTC.

Over the last couple of years there have been several instances where the FTC has gone after companies that are in the proximity ecosystem, such as in-store or Wi-Fi tracking companies. These companies had included untrue statements in their privacy policies and/or in agreements with their business partners. Following the FTC investigation, these companies ended up paying hundreds of thousands of dollars in fines. In addition to this, the companies were required to build a comprehensive privacy program that has to be audited annually.

To care about privacy is therefore crucial if you operate in the beacosystem.

US vs. EU

In the US, it is the FTC that mainly protects consumers by enforcing the law that prohibits “unfair or deceptive acts or practices in or affecting commerce”. In addition, there is plenty of industry self-regulation in the internet and mobile advertising industry, such as the Network Advertising Initiative and the Digital Advertising Alliance. Member companies of these organizations must comply with a code of conduct that deals with, among other things, opt-in consent for the collection of precise location data, and collection of sensitive personally identifiable information. It is also important to mention the Children’s Online Privacy Protection Act (COPPA), which requires advance affirmative parental consent for collection of personally identifiable information (including device IDs) from children under 13 years of age.

In the EU, on the other hand, the Data Protection Directive, and the EU Member State laws that are based on it, govern all “processing” of personal data, such as data collected from users of mobile devices, and place many obligations on companies with access to personal data, such as notice (e.g. privacy policy), and choice (opt-in/opt-out). There is also what is known as the “E-Privacy Directive” which, among other things, requires opt-in consent for the collection of location data. The Member State Data Protection Authorities are in charge of enforcing the data protection laws. In 2018, the General Data Protection Regulation will enter into force, which harmonizes the Member State data protection laws, and increases fines up to 4% of the companies’ worldwide annual turnover for serious violations of data protection obligations.

For the future

It will be important to educate consumers further. Beacons will be everywhere, and consumers need to be educated about what this actually means. As pointed out in the beginning, users of the mobile devices need to be informed about what data is being collected, the purposes of collecting the data, how long you will keep the data and who will use the data, such as third parties. We in the industry have to come up with solutions and educate consumers about the benefits of beacons and the collection of data that is taking place in the beacosystem.