The legal implications of Mobile Location Analytics and location-based marketing

In this Alert, Partner Hayden Delaney and Solicitor Sheree O’Dwyer discuss the legal considerations for retailers, ad-tech vendors and consumers of mobile location analytics (MLA) and location-based marketing. 

Key points

  • While using MLA in physical retail outlets offers considerable benefits to the retailer and consumer, data collected through MLA could be merged with other data sets to identify individuals; raising serious privacy concerns.
  • The use of such technologies potentially brings businesses under a complex, multi-layered compliance regime, including the Spam Act 2003 (Cth), the Privacy Act 1988 (Cth) and the Do Not Call Register Act 2006 (Cth), and that’s just in Australia.
  • Businesses need to be aware of the legal implications of using MLA technology and location-based marketing, and also ensure that they comply with their legal obligations in the collection, use and disclosure of data.

Mobile Location Analytics (MLA)

If you have ever walked into or near a retail store with your smart phone or tablet, the chances are you are being tracked, as businesses increasingly use MLA to monitor and analyse consumer behaviour, as well as location-based marketing to deliver targeted and personalised marketing to consumers.

While online stores have been using web analytics for years (and it is now considered the norm to monitor customer traffic and optimise the user experience), more traditional bricks-and-mortar stores are now able to gain similar advantages through MLA to provide a more customised and optimised in-store experience. 

MLA technology works by capturing the unique identifier of a smart phone or tablet (such as the device’s MAC address - a 12 digit combination of letters and numbers assigned to a device by its manufacturer) and tracking it over WiFi or Bluetooth beacons.  The technology then tracks a customer’s movement around the store to analyse data such as the path they take while shopping, the displays they spend time at, or the time spent waiting in the checkout line.  The power of the aggregation of this type of data is obvious, with retail store owners now able to accurately report on the highest traffic areas, most popular products or times when the store is busiest, and in turn make strategic and operational decisions to improve their store’s performance and profitability.

Location-based marketing

The benefits of MLA are further enhanced when coupled with location-based marketing which involves using the information collected to deliver a targeted and personalised shopping experience.

At a basic level, MLA technology does not collect identifiable personal information.  However, it is possible to merge the collected data with other available data to identify the individual (e.g. a business could match the information to a customer’s purchase history, preferences, mobile phone number, email address or online activity).  Stores can also use location-based marketing to send marketing communications (such as product discounts or special offers) targeted to a specific location or based on individual customer preferences. 

What are the legal implications?

MLA used in physical retail stores is a relatively new practice and raises many questions about the legal implications of this technology associated with data protection, the collection, use and disclosure of an individual’s personal information, and electronic marketing. Some of these questions include:

  • Do customers need to be notified of the collection of information?
  • Do you require a customer’s consent to collect the information?
  • Are you able to use the information for marketing purposes?
  • What are the implications if a retail store collects photos, contacts or other personal information from a device?
  • What are the implications if the data collected and used is from the device of a person under the age of 18?

While MLA and location-based marketing offers many benefits, there needs to be safeguards in place. 

The US has a self-regulatory Mobile Location Analytics Code of Conduct (code).  The code focuses on seven key principles:

  • notice to consumers;
  • limited collection of information;
  • choice to opt-out;
  • limitation on collection and use;
  • onward transfer of data;
  • limited retention; and
  • consumer education.

At face value, the code is a positive step towards the implementation of appropriate safeguards.  However, while adoption and compliance with the code remains voluntary, it remains only a first step. 

It is yet to be seen whether Australia will take similar steps and implement a code specifically dealing with MLA, or whether such a code is even necessary given that Australia (unlike the US) has overarching informational privacy laws. 

Implications under Australia’s current legislative landscape

The Privacy Act 1988 (Privacy Act) and Australian Privacy Principles (APPs) regulate ‘APP entities’ (i.e. generally an organisation or agency that has an annual turnover over $3,000,000 unless an exception applies).  Of relevance, APP 5 requires that an APP entity provides, at each event of collection, specific collection statements that notify the individual of certain matters at the time, or as soon as practicable after the collection. 

If businesses wish to use the information collected using MLA for location-based marketing they will need to consider APP 7 which prohibits using or disclosing personal information for direct marketing purposes.  This is unless an exception applies; in particular, the individual would reasonably expect their personal information to be used for direct marketing or by seeking express consent from the individual. 

Given the method of data collection, and in order to gain the full benefits of location-based marketing, it is most likely that these marketing messages will be sent via electronic means, such as text messages, email or via an instant message service.  These types of messages would constitute commercial electronic messages under the Spam Act 2003 (Spam Act) which imposes consent, disclosure and ‘opt-out’ / unsubscribe requirements on the sender.  If businesses wish to use the information to call the customer to invite them to a promotional event or inform them of a current offer, the Do Not Call Register Act 2006 (Do Not Call Register Act) applies to telemarketing calls which impose similar obligations. 

If express consent is to be relied upon, then businesses will need to consider ways to record the provision of that consent, and to dynamically ensure its direct communications match that consent.  Typically, this requires the design and implementation of a consent database which integrates with the organisation’s CRM system.  These are important considerations for retailers because if a dispute over consent does arise, the onus will be on the business, as the sender of the communication, to show that valid consent existed. 

The contravention of these Acts attracts significant financial penalties for businesses as well as individuals.  Businesses should also consider the potential reputational damage and brand erosion that a breach of privacy legislation can lead to, and most recently, American fashion retailer, Nordstrom experienced significant media and customer backlash after failing to notify its customers that it had been piloting an MLA system (click here for more information). 

Conclusion

MLA and location-based marketing offers very obvious benefits to both businesses and consumers, however, as with all technology associated with data collection and usage, there are legal implications that must be considered from the outset to ensure the implementation of that technology doesn’t expose a business or an individual to legal and reputational risk.