Data protection obligations; Wi-Fi providers | Davis Blank Furniss

IP & IT analysis: New guidelines for businesses and organisations that offer on-premises Wi-Fi connectivity, serves as a useful reminder of their data protection obligations to employees and customers alike. Anna Bunting, partner at Davis Blank Furniss, outlines the key points of interest in the guidance.

Original news

ICO guidance on Wi-Fi analytics, LNB News 17/02/2016 143

New guidance issued by the Information Commissioner’s Office (ICO) sets out how operators of Wi-Fi and other networks may use location and other analytics information in a manner that complies with the Data Protection Act 1998 (DPA 1998). The guidance aims to help data controllers to fully understand their obligations and promote good practice.

What are Wi-Fi analytics?

Electronic devices such as smartphones and tablets are often fitted with a Wi-Fi connection for wireless connectivity for when you are at home or out and about. Many businesses and organisations today offer Wi-Fi access for their customers and employees. When a Wi-Fi-enabled device is switched on, it will regularly broadcast what are called probe requests, in order to find Wi-Fi networks that are within range. These probe requests contain a unique identifier which is known as a media access control (MAC) address. Organisations that offer Wi-Fi access can collect these probe requests and extract the MAC addresses from each device, and can also monitor signal strength to estimate the location of a device based upon the Wi-Fi connection in their business. This enables businesses and organisations to both monitor and track those devices to analyse a person’s behaviour. The analysis of that behaviour is called Wi-Fi analytics.

How common is the use of such analytics?

A whole industry has been built upon the use of this data to inform marketing strategies. Organisations can use the data to monitor the number of visits to their premises, how busy they are at different times of the day, and analyse the behaviour of customers. It is not uncommon for the data analysis to inform their store layout and shape marketing strategy by targeting specific products to individuals.

The main concern from the ICO about this kind of data collection is that because it doesn’t actually require the electronic device to connect to the Wi-Fi network—a probe request is all that’s needed—it means the data analysis can be done covertly without the individual knowing about it.

Has the ICO successfully taken any action against any businesses in this area?

I’m not aware of any action in this specific area. The ICO has been busy clamping down heavily in recent months on companies making unsolicited marketing calls (eg recorded PPI calls), but I think this guidance suggests it is turning its attention to Wi-Fi network operators and data protection issues. It is the first step in helping businesses and organisations to achieve compliance with data protection laws, and once the ICO is confident it has got its message across, this will assist it in taking enforcement action against any offenders.

What can businesses do to ensure compliance with DPA 1998?

DPA 1998 has been around for nearly 20 years now, and contains wide obligations that apply to any business that processes personal data. It has to comply with eight data protection principles and notify the ICO where necessary. The most important of these principles is to ensure that any data processing is fair and lawful, which usually means getting consent from the data subject.

The ICO guidance contains a number of recommendations in relation to Wi-Fi analytics and data protection compliance—this is a top-level summary: 2


The key issue is gaining consent from the data subject as far as possible. There is a difficulty in this, obviously, because of the nature of that data, and the guidance recommends an organisation conducts a privacy impact assessment to consider the level of information being collected through its Wi-Fi networks that will help to identify and reduce those risks.


An organisation needs to be very clear and transparent as to what it is doing. It must notify individuals where it can about any collection of data, whether that is by using signage at the entrance to or throughout the premises. If a data subject signs up to the organisation’s website, the website should give them information as to how they can control the collection of data by adjusting the settings on their phone.


An organisation must ensure the data collection is proportionate, that is, only for the purposes it is collecting it for, that is not obtaining data from people who are merely passing by the premises, and that data is not kept any longer than is necessary and deleted afterwards.

Anonymising MAC addresses

The guidance also recommends anonymising MAC addresses where possible to avoid the identification of specific individuals, and giving individuals the opportunity to opt-out of processing in various ways.

Are there any other laws or guidance that businesses should be aware of?

In the area of data usage, the ICO’s website is very useful and contains lots of different guidance. If they have not already, organisations should also familiarise themselves with the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, which sit alongside DPA 1998 and are more specific to the use of electronic means of communication and collecting data.

How will the General Data Protection Regulations regulate the use of such analytics?

The General Data Protection Regulations are expected to come into force in early 2018. The existing core concepts under DPA 1998 will remain unchanged, but the Regulations are being introduced to harmonise data protection laws across EU Member States and reflect the huge development in new technologies that involve data processing since 1998. Although the obligations are fairly broad and apply to all processing (rather than specifically to Wi-Fi analytics), organisations will potentially need to take their data protection obligations more seriously, as it is proposed that there will be quite a drastic increase to the maximum fine that can be imposed, coupled with more stringent requirements generally. This includes requirements to document and recording processing activities, direct obligations on data processors such as third party contractors and increased rights for data subjects to request that their data is deleted and to object to processing such as profiling. One of the key proposals that may affect those using Wi-Fi analytics is the requirement to obtain consent. It will no longer be possible to rely on implied consent, as consent under the draft regulations has to be specific and explicit. The draft regulations also mirror some of the recommendations in the new guidance on Wi-Fi analytics relating to privacy impact assessments and anonymisation of data.

Interviewed by Duncan Wood.


Read what our clients have to say...

View All

Excellent experience start to finish – always very responsive to any queries and the turnaround on the property I was buying was very quick, even in the busy time leading up to stamp duty deadline. Jenny was always very helpful and went above and beyond to close on a short timescale.

Ben Armitage

“Very approachable, practical solutions to problems, but most of all very responsive which I personally think is very important because if you need help, you need it quickly, or at least to know someone is looking at it for you”.

Joanne Rowe, Finance Director, Greater Manchester Chamber

“Always able to contact, very approachable, friendly and professional”

Nives Feely, JAM Recruitment

“I believe I have been able to establish a professional working relationship with everyone I have come into contact. Importantly, I sense the relationships which have been established give me the confidence that I can make contact with Davis Blank Furniss at any time and on any matter. I would also like to express my thanks to the very impressive “gatekeepers” who work in reception, not only for making me very welcome, but also for their professionalism”

Bill Pryke, CEO, Chartered Institution of Civil Engineering Surveyors

“Thank you for your efficient and friendly help throughout this process. We have had it easy but your approach has been part of that”.

Robert Amsbury (Conveyancing Client)

“I would like to take this opportunity to thank you personally for the ongoing support and assistance the firm has offered to our parents over the years. I hope also that we may be able to call on you if necessary in the future.”

Valerie Fisher (Probate Client)

“Jo always provides great service, understands our needs and delivers on her promises. Our needs are relatively simple but the complexity arises out of the volume of work and short time frames, Jo always delivers.”

Peter Fernandez, Corporate Director at Royal Bank of Scotland

“A big thank you to all who dealt with my wife’s claim… We would not hesitate to recommend Davis Blank Furniss to anyone that may be in a situation like we have been…”

Anon (Personal Injury client)

“Before putting my case in Kirsty (Morbey)’s capable hands I’ve met a couple of other solicitors. None of them listen to me as intently as Kirsty and showed me as much empathy and understanding as she did. Simultaneously she was able to look at my case from legal perspective, explain all the options and follow each of our meetings with written summary of the discussed matters (in timely manner). Her advice was invaluable and led me to successfully ending the case matter (hopeful for good). I’m forever grateful for he work and would definitely recommend her to anyone looking for reliable, knowledgeable and committed solicitor”.

Anon (Family client)
5 star service

Our Manchester office is rated 5 stars on Google