You can only process location data (information from the network or service about the location of a phone or other device) with the authority of the network, service or value-added service provider, and only if:
- it is anonymous; or
- you have consent to use it for a value-added service.
In more detail…
- What is location data?
- What are the rules on location data?
- Who needs to comply?
- What is a ‘value-added service’?
- How should we get consent?
Location data is defined as:
“any data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—
(f) the latitude, longitude or altitude of the terminal equipment;
(g) the direction of travel of the user; or
(h) the time the location information was recorded”.
In other words, it is information collected by a network or service about where the user’s phone or other device is or was located – for example, tracing the location of a mobile phone from data collected by base stations on a mobile phone network.
In our view, this does not generally include GPS-based location information from smartphones, tablets, sat-navs or other devices, as this data is created and collected independently of the network or service provider. Neither does it include location information collected at a purely local level (eg by wi-fi equipment installed by businesses offering wi-fi on their premises). However, organisations using such data still need to comply with the Data Protection Act.
The rules on location data are in regulation 14 and are very strict. You can only process location data if you are a public communications provider, a provider of a value-added service, or a person acting on the authority of such a provider, and only if:
- the data is anonymous; or
- you have the user’s consent to use it for a value-added service, and the processing is necessary for that purpose.
This regulation does not apply if the data is traffic data. See above for more information on when you can use traffic data.
There is an exemption for emergency 999 or 112 calls (regulation 16). There is also an exemption for emergency alerts where a relevant public authority needs to warn, advise or inform users or subscribers of an emergency in their location (regulation 16A).
The relevant public communications provider has ultimate responsibility for complying with these rules. If you are a network or service provider and you are passing location data to a third-party value-added service provider, or using a third-party data processor to process location data on your behalf, you need to take steps to ensure they comply with PECR. In particular, you should have a written contract with any data processor setting out what the data processor is allowed to do.
This ties in with the seventh data protection principle for processing personal data – but remember that to comply with PECR the contract needs to cover the location data of corporate users as well as the personal data of individuals. See our separate Guide to data protection for more information on the seventh principle.
However, anyone else processing location data without proper authority would also be in breach of PECR.
A ‘value-added service’ is defined as:
“any service which requires the processing of traffic data or location data beyond that which is necessary for the transmission of a communication or the billing in respect of that communication”.
This may include, for example, a call service that locates the driver of a broken-down vehicle, a ‘find my phone’ service offered by a mobile provider, or a mobile network operator using their customers’ location to target location-specific content.
PECR specify that you must give the user or subscriber information about:
- the types of location data you will be processing;
- what you are using it for;
- how long you will keep it; and
- whether it will be passed to a third party to provide the value-added service.
You will not be able to rely on a blanket ‘catch-all’ statement on a bill or website, and should get separate consent for each value-added service requested. The clearest way to obtain consent is to ask for an explicit opt-in to the use of location data. If you want to rely on implied consent (eg consent is implied by subscribing to a service), you must include a clear and prominent statement about the use of location data.
PECR also specify that you must get consent from the person who the data is actually about – who may be a subscriber or a user. For this reason it may not always be enough to rely on consent given by the subscriber in advance when they signed up to their contract, if someone else will actually be using the connection.
In the case of companies and other corporate subscribers (limited liability partnerships, Scottish partnerships and government bodies), you can accept assurances from a representative giving consent on behalf of the organisation, unless you have reasonable grounds to question their authority.
PECR specify that the network or service provider must provide the relevant information. However, if the relevant value-added service is offered by a third party, we accept that it is likely to be more appropriate for the third-party provider to contact the customer directly to provide information and obtain the relevant consent. The important point is that the customer must understand who is using the data and who is providing the service.
Remember that the customer is entitled to withdraw their consent at any time, in which case you should immediately stop using the location data. You must give users a free and easy way to withdraw their consent each time they connect to the network or send a communication. You may also want to offer the option of changing their settings to temporarily withdraw consent. However, you must make the effect of this very clear so that the customer understands exactly how this works and in what circumstances their consent would be reactivated.