Data from WiFi users in shopping centres can reveal more about customers than just footfall. Kathryn Rogers explains how far owners and retailers can go
New guidance from the Information Commissioner highlights the steps shopping centre owners and retailers need to be taking in relation to both their customers and their employees if they want to be able make the most of the data they can collect through WiFi networks operated in their centres and their shops.
There is now a vast array of data that can be collected from customers who bring mobile devices into retail spaces, and a whole industry dedicated to helping retailers and shopping centre owners make valuable use of that data. WiFi analytics has been heralded as the new tool to help bricks-and-mortar retailers compete with the internet. In theory, providing a better understanding of customer behaviour should be able to drive sales, but anyone seeking to make use of information collected through a WiFi network needs to be mindful of the potential to breach data protection legislation, which could lead to legal liability, fines and damaging publicity.
How it works
WiFi analytics involve tracking the media access control (MAC) address which a WiFi enabled device transmits when it is searching for networks to join. Location-based analytics, which can record the number of people in-store (and nearby) and track their dwell time, then allows retailers and shopping centre owners to work out the level of passing traffic and from there how that converts into an in-store visit. Understanding “street-to-store conversion” allows retailers then to measure the impact of a new window display or marketing campaign or to plan staffing and stocking levels. This technology works in a similar way to beacons, which have also been trialled by retailers and in shopping centres, but because beacons require a shopper to download an app, their effectiveness can be limited, even if their tracking accuracy may be better than WiFi.
But it’s not just footfall that can be analysed. Combining location-based services with customer analytics and social WiFi marketing can allow retailers to further engage with customers while in store, with potential to increase customer loyalty and point-of-sale opportunities as offerings can be more targeted. Some analytics providers can also integrate their own market data with that of an individual retailer, giving potentially more powerful contextual information. Aggregation of data in this way could allow the provider to infer the age and gender of the device owner, leading to increased data protection concerns.
Data protection
Two key points of note arise. First, if an individual can be identified from a MAC address then, regardless of whether the name of the individual is known, this brings data collection about that individual within the scope of the Data Protection Act 1998. Secondly, a device does not need to be connected to the WiFi network in order for it to be tracked, so there is a potential for covert monitoring, which has proved in the past unpopular with both the public and the Information Commissioner.
So the data protection aspects of WiFi analytics should not be ignored, even if the analytics industry wants to play these down. The recent guidance issued by the Information Commissioner’s Office (ICO) aims to help businesses comply with data protection law when using personal data collected through WiFi services. The main requirements are for businesses to give clear and comprehensive information to individuals so that they are aware of exactly what data is being collected and what it is being used for; for retailers to avoid excessive collection of data; and to take steps to reduce the risk that individuals can be identified from the data collected. Businesses are also advised by the ICO to conduct a privacy impact assessment in order to identify and reduce privacy risks.
How to comply
In terms of practical steps, this means clear signs at the entrance of collection areas detailing the data controllers’ identity, what data is being collected and what it is used for, who it is being shared with, and reminders throughout the location and on websites and sign-up pages. Retailers and shopping centre owners should also consider where data collection devices are located (for example, sensitivity about toilets, first-aid stations or religious areas) and over what periods.
The ICO also recommends businesses take steps to remove the identifiable elements from the MAC address and convert it into an alternative format that suits the specific purpose for which it has been collected, and to reduce the privacy risk by ensuring data is anonymised. Another factor to consider is the period of time the data is held for (which should be no longer than necessary). Most organisations will be using a data analytics company to acquire these services, so will need to understand how their contractor operates and what steps it takes to ensure data is collected, stored and used legally. Proper contractual protection will be key for shopping centres and retailers alike.
The ICO also wants people to be provided with information on how they can use the privacy settings on their devices to control the collection of their data as well as giving them opt-in or opt-out choices, for example by placing a terminal at the entrance to WiFi zones in which users place their devices or adding an opt-in/out facility to WiFi access/registration pages. The ICO in particular focuses in its guidance on protecting employees and contractors. As they are much more frequently on-site, and therefore potentially subject to increased monitoring, the amount of data collected about them may be much higher than even for regular shoppers. Informing them about the processing of their data, for example by privacy notices in staff areas and visitor and staff briefings, is encouraged by the ICO.
Kathryn Rogers is a partner in the commercial team at Cripps
