You searched for:
The Cookie Jar
Mobile – Location-based services
Where is your user now? Where has your user been? And where is your user likely to go? If you are a software developer, advertiser or service provider, the answers to these questions about your target audience are very valuable. They allow you to target and personalise the content, recommendations and advertisements so they are geographically relevant to your users. And, with the rise of mobile devices that can accurately determine their location, the answers are more readily available.
 
However, the use of mobile location information, particularly if tracked over a period of time, can be considered intrusive and raises concerns about the potential for malicious use (for instance, to track down political dissidents). It is no surprise therefore that there are numerous European laws that limit the use of location data. This legal framework is explored in this article in the context of mobile applications.
 
Mobile location sources

Before diving into the legal framework, it is worth considering the source of the geo-location data that may be used by an application. The most obvious example is where a user manually inputs their location, such as a postcode, and sends it to a service provider. However, many mobile devices can automatically determine their location, allowing it to be communicated online without the user needing to know where they are or manually input any data.
 
There are a number of ways in which a mobile device might determine its location. Some are relatively inaccurate providing geo-location data only at a country or city level. These include IP geo-location systems, which approximate geo-location using publically available information about the IP address of the infrastructure through which a mobile device connects to the internet. Other geo-location systems are more accurate, such as GPS, Wi-Fi Positioning Systems (WPS) and Cellular/Mobile Positioning Systems (MPS). These systems provide more accurate geo-location data by calculating the approximate distance of the mobile device from the known location of stationary satellites or base stations.
 
Legal Framework

There are four key ‘geolocation laws’ that place restrictions on the use of location data from mobile devices in the European Union, as follows:
  • Directive 95/46/EC (the ‘Data Protection Directive’)
     
  • Article 5(3) of Directive 2002/58/EC as amended (the ‘device data law’)
     
  • Article 6 of Directive 2002/58/EC (the ‘traffic data law’)
     
  • Article 14 of Directive 2002/58/EC (the ‘location data law’)
Each of these laws must be implemented in the national law of each EU Member State. So while this article is drafted from a UK perspective, the principles discussed are generally applicable across the EU.
 
Data Protection Directive

Geolocation data can be collected when a user is logged into an account and may therefore combined with information that could identify individual such as a full name, date of birth, address or email address. In this case, geo-location data will be personal data and subject to the Data Protection Directive.
 
Even where a user is not logged in, geo-location data is usually captured with a relatively unique identifier, such as a device ID or IP address. A mobile application provider should consider whether this identifier sufficiently identifies an individual alone or is stored by the mobile application provider or third party (such as an internet service provider) with identifying information. Where the identifier could reasonably be used to determine which individual the geo-location data relates to, then this information may also be considered personal data.
 
In addition, if accurate geo-location location data (e.g. GPS, WPS or cellular/mobile geolocation data) is tracked over a period of time, then this information could also be personal data on its own. The data may show, for instance, that a user primarily visits two locations (home and office) and this could be used with public information available for those two locations (e.g. website profiles of employees working at the office location and land registry records for a home location) to identify an individual. However, this is unlikely for IP geo-location data, which is usually far less accurate.
 
‘Device Data Law’

Any data that is accessed from or stored on a user’s mobile device is regulated by Article 5(3) of the Directive 2002/53/EC (as amended). Although this law is most commonly associated with cookies, it is drafted in a technology neutral fashion and applies to any data (whether or not personal). A mobile application provider accessing geo-location data from a mobile device will be subject to device data law.
 
The ‘Traffic Data Law’ and the ‘Location Data Law’

Article 6 of Directive 2002/58/EC regulates the use of traffic data, that is: any data that is processed to convey a communication on an electronic communications network. This would include an IP address for instance. In addition, other non-traffic data that is processed that indicates the geographic position of a user of a public electronic communications service is considered ‘location data” and is regulated under Article 14 of Directive 2002/58/EC. Location data might include timing or cell information sent from a mobile device that indicates location but is not used to send messages through the network.
 
Directive 2002/58/EC was drafted at a time when the use of mobile geolocation data was in its infancy. The ‘iPhone’ was only unveiled by Apple several years later in 2007. As Opinion 13/2011 on Geolocation services on smart mobile devices from the Article 29 Working Party recognises, the traffic and location data laws were only intended to apply to providers of public communication services and networks (e.g. cellular network operators). Directive 2002/58/EC did not anticipate that geo-location data would be calculated by the phone itself and used directly by mobile app providers.
 
However, it is worth noting that the Data Retention Directive 2006/24/EC also uses the same definitions as Directive 2002/58/EC. It envisages that Internet access, email and telephony are also public communications services. Mobile apps providing these services should therefore consider the traffic and location data laws as they might still apply to their services.
 
Complying with ‘Geo-location’ laws

Consent

Where the Data Protection Directive, device data law, traffic data law or location data law apply to the processing of geo-location data by a mobile application, the provider will generally need to obtain user consent prior to access. Such consent must be freely given, specific and informed and the user must provide a positive indication that they are giving consent. EU regulators also consider that the user must be given the ability to withdraw consent at any time.
 
As a result, there are a few ground rules that mobile application providers should follow:
  • Mobile application providers should not rely on any default ‘ON’ settings of the user’s mobile device nor on the possibility for the user to opt-out as consent. The user should always be expressly asked for consent when first launching the application.
     
  • Separate consent should be sought for each of the mobile application provider’s applications.
     
  • Consent for geo-location should be separated from acceptance of general terms and conditions.
     
  • Users should be able to withdraw consent in a straight forward way that is easily accessible.
     
  • If the mobile application provider materially changes the way it is using geo-location data, it should seek consent again.
EU regulators also recommend asking users to renew their consent periodically to reduce the risk of they are not aware that their geo-location data is being tracked.
 
There are some cases where consent may not be required. For instance, where an employer has an important need to track an employee who using a work mobile device, it may not be necessary (or appropriate) to obtain consent from the employee (provided geo-location tracking is limited, proportionate and justified).
 
Information

The ‘geo-location laws’ referred to above require information to be provided to users about the processing of geo-location data. A mobile application provider should explain to users what the consequences of using a geo-location application and of providing consent are, answering questions such as:
  • Will the application only obtain geo-location once on the occasion the user provides consent? Or will the application continue to track geo-location once consent is given?
  • Will the application provider only use the collected geo-location once or will this information be stored and used at a later date?
     
  • How does a user disable the use of geo-location data at a later date?
EU regulators have repeatedly stated that they consider the validity of any consent to be inextricably linked to the quality of the information provided about the use of their geo-location data. Information should be clear, comprehensive, accessible to non-technical members of the public and appropriate to the age of the audience.
 
EU regulators also strongly recommend that a visible reminder is shown to the user whenever geo-location data is being captured by an application, such as a geo-location icon. This is to avoid the risk that geo-location might be tracked covertly, without the user being aware. For instance, there have been examples of individuals setting up tracking applications on their partner’s mobile device without their knowledge.
 
Given the small screens used by most mobile devices, meeting these information requirements may be difficult for mobile application providers. However, mobile application stores and operating systems are increasingly providing layered policies and geo-location APIs with built-in privacy messages that are designed for smaller screens.
 
Other requirements

If the Data Protection Directive applies, a mobile application provider will also need to comply with general data protection requirements. In particular, providers should ensure that they: (i) are not capturing personal geo-location data without a real need to do so; (ii) anonymise geo-location data as soon as and as far as possible; and (iii) provide users on request with access to geo-location data that could identify them.
 
The requirements for using geo-location data are, of course, just one of the compliance areas that mobile application providers and developers may need to grapple with. Please see our A-Z of Apps which outlines a range of legal issues that may also apply and our specific article on mobile advertising and marketing.