Does collecting user geolocation require consent?

December 5, 2017, by Julie Tamba

Collecting geolocation is a tricky topic in data privacy regulations.

As of today, consent is not necessarily required by law. On the one hand, the ePrivacy Directive requires consent for the use of location data, yet this obligation is binding only upon public electronic communication services and networks (telecom operators). On the other hand, the General Data Protection Regulation specifies that the use of personal data (including location data) may be based on different grounds, among them consent but also the performance of a contract with the person or the legitimate interest of the recipient of the data.

In that regard, guidelines of the Article 29 Working Party (published in 2011 but still relevant) have indicated that “because location data from smart mobile devices reveal intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent”. Yet certain exceptions exist under which legitimate interest may be sufficient, for example, the locations of WiFi access points for the specific purpose of offering geolocation services. If the data is not precise enough to indicate the specific geographic position of the terminal equipment of an individual (for example, when the IP address is used to determine the country for statistics or to select a language or applicable legislation for a given individual), it would most likely not require consent. This interpretation may be drawn from a decision of the French Data Protection Authority, which mentioned in relation to audience-measuring cookies that consent is not required when the IP address is not more precise than the city and is immediately deleted after the purpose is accomplished.

Now, will the adoption of the ePrivacy Regulation (whose scope will extend far beyond telecom operators to information society service providers) change this state of affairs? The last version of the proposal, released in October, contains various provisions which may prove relevant and complicate the regime of location data.

First situation: electronic communications services providers

Location data such as IP address, GPS, WiFi or GSM signal belongs to the “metadata” category when it is necessary for the purpose of providing electronic communications services, i.e. services encompassing an internet access service (e.g. an ISP) and/or an interpersonal communications service (e.g. WhatsApp) and/or a service consisting wholly or mainly in the conveyance of signals (e.g. a mobile payment solution) and/or access to a publicly available electronic communications network (e.g. telephony). It may therefore be argued that this qualification relates to the status of the entity collecting the data as an electronic communications services provider.

Under article 6 §1 and §2 of the proposal, such metadata can only be used if necessary (i) to achieve the transmission of the communication, (ii) to maintain or restore the availability, integrity, confidentiality and security of the respective electronic communications network or services, or to detect technical faults and/or errors in the transmission of electronic communications, (iii) to meet mandatory quality of service requirements, or (iv) for billing, determining interconnection payments, or detecting or stopping fraudulent use of, or subscription to, electronic communications services.

If none of these exceptions apply, consent of the concerned individual is required. In principle, such metadata must be erased or made anonymous when it is no longer necessary for the provision of the service requested by the individual, “without prejudice”, however, to points (ii) and (iii) and to any consent of the individual to the contrary.

Second situation: other actors collecting data emitted for a communication

When it is not necessary for the purpose of providing electronic communications services, location data may fall under the scope of article 8 §2, which concerns information emitted by terminal equipment to enable it to connect to another device and/or to network equipment. Here the qualification does not relate to the entity collecting the data but follows from the context in which the data is emitted.

It must be underlined that in the initial version of the Commission dated January 2017, such data could be used provided a clear and prominent information notice was displayed. The Article 29 Working Party noted that this provision “gives the impression that organizations may collect information emitted by terminal equipment to track the physical movements of individuals (such as “WiFi-tracking” or “Bluetooth-tracking”) without the consent of the individual concerned” and recommended that this possibility should be restricted. The last version now requires that (i) the data be used for the sole purpose of establishing a connection requested by the individual, or (ii) the risks be mitigated and use of such data be limited to mere statistical counting.

Outside of this scope, consent of the concerned individual is required.

Third situation: data collected from a device in the absence of a communication

Finally, if it is neither necessary for the purpose of providing electronic communications services nor emitted by the device to connect to another piece of equipment, the same location data may still be governed by article 8 §1, which concerns any collection of information from end-users’ terminal equipment. In that case, data may be used if strictly necessary (i) to carry out the transmission of an electronic communication, (ii) for providing an information society service specifically requested by the individual, (iii) for measuring the reach of an information society service requested by the individual, only by or on behalf of the provider of said service, (iv) for software updates relating to security, confidentiality, integrity, availability and authenticity, and (v) for the execution of an employee’s task.

Again, if none of these exceptions apply, consent of the concerned individual is required.

The above can be summarized as follows: consent is and will remain the main rule for geolocation, except under certain circumstances to be further specified by the EU and Data Protection Authorities.

To properly obtain consent, mandatory information must be provided and the person concerned must take a clear and positive action. The guidelines of the Article 29 Working Party, however, specified that when services require automatic location, requesting the relevant service would amount to consenting to be located, provided individuals are given full information in advance about the processing of their location data. As always, informing individuals is the key to compliance.
