HomeInsightsInformation Commissioner’s Office publishes new guidance on “Wi-Fi Location Analytics” for Wi-Fi operators.


+44 (0)20 7612 9612

The guidance explains how operators of Wi-Fi and other communication networks can use location and other analytics information in a manner that complies with the Data Protection Act 1998.

The guidance specifically targets the use of analytics data collected from the operation of Wi-Fi networks.  It does not consider the implications of providing internet connectivity through Wi-Fi, which, if provided by a public electronic communications service provider, is also subject to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The guidance explains that when a Wi-Fi enabled device (such as a smartphone or tablet) is switched on, it will continually broadcast “probe requests” in order to discover Wi-Fi networks that are within range.  If it finds one that is known to the device it may attempt to connect.

The probe request and response will contain an identifier that will be specific to that user’s device.  An organisation can therefore collect probe requests and extract the identifier information for further processing.  Monitoring of the signal strength received by the access point can also estimate the distance of the device from the access point.  If the user’s device is within range of more than one access point then the location of the device can be pinpointed more accurately.

Therefore, an organisation can monitor the location of the device and track the behaviour of a particular device over time.  If an individual can be identified from the identifier then the data will be personal data.  Using the identifier to track a device in order to, for example, offer the user specific products, services or content, will involve the processing of personal data.

Therefore, the guidance states, organisations must give clear and comprehensive information for individuals to make them aware of the processing.  The information should clearly define:

  • the identity of the data controller;
  • the defined purposes of the processing; and
  • information relating to any third parties or other organisation that the data may be shared with.

Organisations must also avoid excessive data collection and take steps to reduce the risk of identification of the individuals in the collected data, e.g. anonymise the data.  To access the guidance, click here and go to the “Online and computing” section of the page.