Location data plays a key role in the business-consumer relationship today. Whether it’s a shipping company monitoring their drivers’ movements to ensure customers receive packages on time or a search engine helping you find the nearest takeout restaurant, location data is a powerful tool. Many websites integrate location data collection for the geo-marketing reasons and new GDPR law can affect that. In this article you can find your safe guide on how to avoid GDPR problems and prepare your website for it.
Location-based data and individual rights
On the site “Business.com” we find this informations:
The GDPR will apply to all countries within the EU and is set to unify data regulations into one program.
Businesses and organizations will face stricter rules regarding data processing and security. For example, a data protection impact assessment (DIPA) will need to be undertaken before certain projects can be completed and brought to market.
This is a process designed to ensure businesses and organizations identify and minimize any risks related to their project’s data protection. This applies to those applications or systems in which data processing poses a high risk to users, essentially putting greater pressure on businesses to consider the potential repercussions of their service.
The GDPR will affect companies using location data in different ways. For example, a business using fleet tracking will see a change in their right to record data on their employees’ movements and performance.
As it is, implied consent has been enough, but under the GDPR, they will need to have legitimate reasons to process employees’ personal data.
These businesses will also have to inform their employees of what data will be collected and why in explicit terms. They can only use said information for the purpose specified, store it with fit-for-purpose security procedures, and ensure that employees understand they have the right to ask for a copy of data in which they can be identified clearly (which must be supplied within 30 days).
How is GDPR going to impact processing of location data?
By “GeoSpartialWorld.net“: -Everything is based on location. Whether you are ordering food, taking a drive, or ordering medicines, everything has location as a core component. Hence with an exponential increase in connectivity, ubiquitous cameras and sensors, there is a huge amount of data being produced every moment. While it can benefit companies in a big way by capturing these data in innovative measures, customers or common man feel a threat to their privacy.
There is also a growing trend where customers are increasingly sharing their location data with map or navigation and weather services. To address privacy concerns and bring current privacy rights in accordance to digital age, EU is implementing the new General Data Protection Regulation (GDPR) in May 2018.
According to the regulation, enterprises that collect data from citizens in European Union(EU) countries will need to comply with strict new rules around protecting customer data by May 25.
According to GDPR location data is considered as “personal data” in Article 4 (1). Under this clause personal data are granted extended rights, including a right to access and a right to erasure.
Under the right to access users can obtain confirmation about whether data concerning them is being processed, where and for what purpose. The right to erasure can put an expiration date on the data already collected.
GDPR consequently describes requirements for data processing companies and organisations. Processors are required to offer explicit and transparent notification about their data practices. A “Privacy by Design” approach should ensure that data processors take the measures necessary to collect, process and store data in a secure way.
The regulation also mentions that special rules that apply to the processors of sensitive data. This will include guidelines for data assessments and the mandatory appointment of an official data protection officer to inform and advise the organization.
Furthermore, the regulation emphasises the importance of consent. In future it will need to be clear and affirmative, putting an end to pre-checked checkboxes when installing or using apps.
Need to understand location complexities
Location data is extremely personal and valuable. Considering its complexities, it is difficult to foresee as to how many ways location data could be used and misused in the future.
Hence, this issue needs to be researched and there is dire need to educate people about privacy rights as well as data science. Organizations can use GDPR as a guideline to evaluate their data practices and to ensure their external communication gives users all the information they need to provide consent.
In times to come GDPR will steadily increase the pressure on businesses that process data. There is an immediate need to improve security standards and also set measures about how data is being used.
Does collecting user geolocation require consent?
By article on the “Didomi.io“: -As of today, consent is not necessarily required by law. The ePrivacy Directive, on the first hand, requires consent for use of location data yet this obligation is only binding upon public electronic communication services and networks (telecom operators). The General Data Protection Regulation, on the other hand, specifies that use of personal data (including location data) may be based upon different grounds among which one may find consent but also the performance of a contract with the person or the legitimate interest of the recipient of the data.
In that regard, guidelines of the Article 29 Working Party (published in 2011 but still relevant) have indicated that “because location data from smart mobile devices reveal intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent“. Yet certain exceptions exist under which legitimate interest may be sufficient, for example, locations of WiFi access points for the specific purpose of offering geolocation services. If the data is not precise enough to indicate the specific geographic position of the terminal equipment of an individual (for example when the IP address is used to determine the country for statistics or to select a language or applicable legislation for a given individual), it would most likely not require consent: this interpretation may be elaborated on a decision of the French Data Protection Authority which mentioned in relation to audience measuring cookies that consent is not required when the IP address is not more precise than the city and immediately deleted after purpose is accomplished.
In the other case, desktop users can have a much more precise or exact geo location that can be privacy problem that affect on the GDPR and there must be some sort of consent.
How to protect yourself from GDPR law problems?
By guideline on the “DataProtection.ie“: -Before collecting or processing any location data, you should consider whether the Data Protection Acts apply to the data you want to collect.
You should treat information about the location of a device which can be tracked or located electronically as “personal data”, and comply with the Data Protection Acts in relation to it, if:
- The data relates to a living person (a “data subject”);
- It is possible to identify the person to whom it relates from the location data itself, or from the location data together with other information which you have or are likely to acquire.
Data Protection Acts defines “personal data” as: data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller
If we know this, the conclusion is that we need to have a document or section within Privacy Policy and Terms and Conditions where we accurately inform what information is being collected and processed. There should also be detailed information through which technology or services you collect all informations.
Your obligation is that all users who come to the site must agree with the privacy policy, collect sensitive information, and indicate which information is automatically collected, but also those that they need or can give you in some proccess.
Read more:
If you are interested in how Geo Controller solved the problem with GDPR, it is enough to know that Geo Controller does not collect information on your server. Geo Controller retrieves the visitor’s IP address and information from your server (server’s IP address, host name, server date and time, admin email address) and returns the geo information stored in your server’s session for 5 minutes (read more about All Geo Controller Features). After 5 minutes, this check is done again for each visitor. That informations you use to display or switch content by geolocation, made redirections or protection. Geo Controller by itself not collect visitor informations or any kind forms. Geo Controller is just provider not keeper and you are safe from GDPR problems but still you must notify users about data processing.
Click to Download latest Geo Controller version 8.7.7
Conclusion and last Tip about GDPR law and Location Data Collection
- You must to notify your users that you will transfer their IP address to 3rd party API to get their geo information for further navigation and functionality on the site.
- You must to specify which geo information you are collecting, how you keep it, how long you keep it, and for what purposes you are using it.
- If you record this information somewhere, you must notify the user about this and provide the information or delete it at the request of the user
- Users for each processing must be notified and must agree to be processed
And if this looks complicated, the solution can be simple. Many sites have put all the rules and information about GDPR in the Privacy Policy and Terms and Conditions page. Only one popup asked new visitors are they agreed with these conditions. If they agree, you do not have anything to worry about, they read it or not. If someone delivers a complaint, you are sending them first to the Privacy Policy and then to the Terms and Conditions and you’re asking if they read it before using the site.
All in all, find a lawyer who is familiar with this and compile a legal document that will be part of your Privacy Policy and you have nothing to worry about.