An e-privacy organisation has today released the findings of an investigation which reveals the extent of mobile location tracking in the UK.

The report, published by Krowdthink Limited, examines the contracts, policies and practices of mobile Wi-Fi service providers in relation to location tracking.

According to the report, mobile and Wi-Fi service providers know – ‘without you knowing – where you are, how you got there and can figure out where you are going.’ Many people are location-tracked by their mobile phone device each day, unaware of the highly sensitive data that this generates which can and is then sold on for profit. The report reveals that many mobile phone and Wi-Fi service providers, including wireless hotspots, are not telling customers upfront at the point of contract signature or online via their websites that the customer’s movements will be tracked and location data (which can be saved for up to 12 months) can then be used for marketing purposes or sold onto third parties. The details of this is often concealed in contracts and the fact that customers can opt out of location tracking is often unclear.

The level of detail extracted by service providers can reveal a customer’s gender, sexual orientation, religion and many other personal details that could present serious risks to blackmailing. Mobile phone service providers often anonymise data which means that they are not legally obliged to ask for consent, however customers need to be aware of the weakness of anonymisation alone to secure our personal information as low dimension data can be de-anonymised.

93% of UK citizens opt in to location tracking by default, meaning that nearly every one of us with a mobile phone, even a simple one, is being location tracked all the time. Under the Data Protection Act (DPA), consumers can opt out of this by contacting their service provider and following the introduction of the General Data Protection Regulation (GDPR) we will, in certain circumstances, have the right to have all of our data erased (the so-called “right to be forgotten”).

The GDPR will require mobile phone service providers and providers of Wi-Fi networks to provide more transparent and consumer friendly privacy contracts. At the moment, the report has found that  many of these contracts  separate out the clauses that discuss what data is collected from consumers from the clauses that discuss usage with location . Service providers try to legitimise their obtaining of location data as something that is needed for routing phone calls or meeting the requirements of government security, however this is not always true.

Mobile phone companies and providers of Wi-Fi networks should consider doing the following:

  • communicate privacy notices, including information about location tracking, at the point that data is first collected from users;
  • ensure consent is obtained to the use of location tracking data, in accordance with the Privacy and Electronic Communications Regulations;
  • make privacy policies as clear, transparent and consumer friendly as possible;
  • ensure privacy policies communicate to data subjects what their rights are;
  • consider providing users with easy to follow instructions about how to switch off GPS or Wi-Fi location tracking features;
  • ensure users understand who location data will be shared with and for what purposes; and
  • only retain location data for as long as is necessary to fulfil the purposes for which it was collected.

You can find Krowdthink’s report here – http://www.krowdthink.com/report.pdf