First fines of over €40,000 by the AEPD for exploiting customer data through business Wi-Fi
The Spanish Data Protection Agency (AEPD) has focused on the handling of personal data collected by companies through Wi-Fi in their establishments, warning of potential hefty fines for those who jeopardize their customers’ privacy.
These fines can range from €40,000 to €20 million, potentially even threatening the survival of small businesses.
Use of Wi-Fi tracking
Wi-Fi tracking is a technique that identifies and follows mobile devices through the Wi-Fi signals they emit. Its main purpose is to detect the presence of devices in specific areas and analyze movement patterns. It is used, among other things, to estimate the number of people in a location, analyze movement flows, and measure dwell times.
This technology has applications in a wide variety of contexts, such as shopping centers, museums, workplaces, public spaces, public transportation, and large events. However, it is crucial to note that this practice presents significant privacy risks, as it could enable tracking of people’s movements without their consent or knowledge, and therefore without an appropriate legal basis.
The AEPD has focused on businesses that, without adequate preventive measures, allow the identification and tracking of electronic devices that have connected to the establishment’s network.
Violation of explicit consent
It is important to remember that any processing of personal data must comply with the principles established in Article 5 of the GDPR and meet at least one of the legal bases listed in Article 6 of the GDPR. This also applies to Wi-Fi tracking when the data controller chooses a technology that enables such processing.
It is important to note that Article 4.11 of the GDPR defines the data subject’s consent as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Wi-Fi tracking technology allows businesses to track devices comprehensively, so it must be ensured that the processing is conducted fairly and transparently, with individuals clearly understanding what data is being handled and how through Wi-Fi tracking. This information must be provided in an accessible and easy-to-understand manner, regardless of the technical or practical difficulties that Wi-Fi tracking may present to the data controller in complying with these principles.
Another possibility that businesses might argue is that the legitimate interest of the data controller, as outlined in Article 6.1.f) of the GDPR, takes precedence. However, the data controller must ensure that this processing is necessary to satisfy those interests and that the interests or rights and freedoms of the data subjects do not override them, considering their reasonable expectations.
This requires a careful assessment, the balancing test, of whether the processing may be carried out and whether the controller's interest prevails over the rights and freedoms of the data subjects, even where a data subject could reasonably have foreseen the processing at the time and in the context in which the personal data were collected. The data controller must carry out this balancing test.
Preventive measures
The data protection authorities in Spain have developed specific guidelines for data controllers who use Wi-Fi tracking technology. These guidelines examine both the technical and legal implications of Wi-Fi tracking, identify the main risks, and offer recommendations for proper use in compliance with data protection regulations. Beyond clearly informing users, these recommendations include:
- Anonymizing data immediately after collection.
- Restricting the scope of Wi-Fi tracking.
- Not cross-referencing geolocation data with information from other sources.
- Avoiding assigning the same identifier to a mobile device on different visits to the same location.
- Providing an effective opt-out option for users.
- Establishing data processing agreements that limit the use of data to the controller’s instructions.
- Avoiding international data transfers without adequate safeguards.
- Conducting independent audits.
- Implementing security measures adapted to the level of risk and subject to continuous reviews.
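As an added illustration of the first and fourth recommendations (this is example code, not part of the guidelines or of any AEPD material): each observed MAC address is replaced at collection time by a keyed hash under a key that rotates daily, so the same device does not carry one identifier across visits, and only per-zone device counts and dwell times are retained. The observation tuples and the master secret are constructed sample values.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample observations: (unix timestamp, source MAC, sensor zone).
# In a real deployment these would come from the access point and must never
# be written to durable storage in this raw form.
SAMPLE_OBSERVATIONS = [
    (1700000000, "aa:bb:cc:dd:ee:01", "entrance"),
    (1700000300, "aa:bb:cc:dd:ee:01", "entrance"),   # same device, 5 min later
    (1700000100, "aa:bb:cc:dd:ee:02", "entrance"),
    (1700086400, "aa:bb:cc:dd:ee:01", "entrance"),   # same device, next day
]

def day_of(ts):
    """UTC calendar day used as the pseudonym rotation period."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")

def daily_key(master_secret, day):
    """Derive the per-day pseudonymisation key; the master secret itself stays
    in a secrets store and is never stored alongside the records."""
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()

def pseudonymise_mac(mac, day_key):
    """Keyed hash of the MAC, truncated. Without the day key the raw MAC
    cannot be recovered, and a different day yields a different identifier."""
    return hmac.new(day_key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]

def aggregate(observations, master_secret):
    """Return {(day, zone): {"devices": n, "dwell_seconds": s}}; no raw MAC
    and no per-device pseudonym survives in the result."""
    first_seen, last_seen = {}, {}
    for ts, mac, zone in observations:
        day = day_of(ts)
        pid = pseudonymise_mac(mac, daily_key(master_secret, day))
        key = (day, zone, pid)
        first_seen[key] = min(first_seen.get(key, ts), ts)
        last_seen[key] = max(last_seen.get(key, ts), ts)
    totals = defaultdict(lambda: {"devices": 0, "dwell_seconds": 0})
    for (day, zone, _pid), first in first_seen.items():
        totals[(day, zone)]["devices"] += 1
        totals[(day, zone)]["dwell_seconds"] += last_seen[(day, zone, _pid)] - first
    return dict(totals)

if __name__ == "__main__":
    print(aggregate(SAMPLE_OBSERVATIONS, b"constructed-master-secret"))
```

The day key should be discarded once its day has been aggregated, which removes any way to re-link that day's pseudonyms to devices.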