The Information Commissioner’s Office (ICO) has issued guidance to help wireless (WiFi) operators understand their duties under the Data Protection Act 1998 (DPA) when collecting and using location and other analytics information.

When a device’s WiFi functionality is enabled, it broadcasts ‘probe requests’ to find WiFi networks that are within range. If the device discovers a WiFi network that it recognises (such as the user’s home or work network), the device may attempt to connect with that network.

Each probe request contains an identifier – known as a media access control (MAC) address – that is designed to be unique to each device. The MAC address not only identifies the device but can be used to track its location over time. If the network operator can identify an individual from the MAC address (whether alone or in combination with other information in the operator’s possession), the data constitutes personal data.

The ICO’s guidance includes the following recommendations:

  • Network operators should conduct a Privacy Impact Assessment (PIA) to identify the privacy risks associated with operating a WiFi network.
  • If WiFi analytics are collected, operators should be transparent about the identity of the data controller, the purposes of the processing, and any third parties with whom the personal data may be shared.
  • Network operators should consider converting MAC addresses into an alternative format that removes any identifiable elements.
  • Individuals should be given ample opportunity to view information about how their personal data may be processed before it occurs (this could involve signage at the entrance to the data collection area, information on the operator’s website and in any sign-up or portal page of the WiFi network.
  • Network operators should consider the location of data collection devices to minimise privacy intrusion.
  • Data retention periods should be clearly defined.
  • Individuals should be given a simple and effective means to control data collection (this could involve the introduction of an appropriate opt-in or opt-out mechanism.)

The guidance is a helpful reminder of the privacy risks that arise in the context of WiFi analytics and the steps that operators can take towards meeting their compliance obligations as well as promoting consumer confidence in their data processing practices.