By Stephanie Kinch, Wi-Fi NOW Staff Writer
If you’re providing Wi-Fi in exchange for browser data that you then sell to advertisers without consent, it’s time to make changes to your business model. After May 25, that practice will be illegal in the EU.
“Under the General Data Protection Regulation (GDPR), this activity will be banned unless the appropriate consent is obtained from the user during login,” says Jessica Thomas, a Marketing Executive at Purple.
Last July, Purple became the world’s first GDPR-compliant Wi-Fi provider. The UK-based tech firm offers a Wi-Fi platform for businesses to see and analyse customer shopping patterns and habits and communicate via targeted messaging. That means processing a lot of personal data, and the GDPR meant that Purple – like most companies throughout Europe – made some changes.
GDPR and Wi-Fi
Starting in May, all companies located in and doing business within Europe will be subject to more stringent data protection rules as part of the General Data Protection Regulation (GDPR). The regulation is designed to streamline data protection rules across Europe.
The European Union (EU) last established data protection rules in 1995, long before cloud migration, big data, and public Wi-Fi were in widespread use. Now, at a time when big data equals big payoffs, the EU is cracking down on how personal data is used, stored, and processed.
Personal data is an umbrella term that includes any information that relates to an individual. It includes names, addresses, e-mails, ID numbers, IP addresses, cookie IDs, etc. It’s the type of data that many Wi-Fi providers collect from public hotspots, especially those using social logins through Facebook or LinkedIn.
Luckily for providers, the GDPR doesn’t outlaw the data collection. It just makes sure that users know what they’re getting into when they log in – and can easily opt out if they aren’t interested.
“As long as there is complete transparency and an overview of terms clearly outlining what customer data will be collected, how the data will be used, and by whom – there should be no significant impact to the use of social logins,” says Thomas.
Read the small print
Terms and conditions have always been a routine part of Wi-Fi logins with the classic “click here to acknowledge that you have read the terms and conditions” box at the bottom of the page. The problem is that no one reads those terms.
As a social experiment, Purple once added a community service clause to their terms, where users agreed to 1,000 hours of community service in exchange for free Wi-Fi. Twenty-two thousand users agreed to the terms, presumably because they never actually read them. Luckily, Purple didn’t hold them to it.
Under the GDPR, sneaky user agreements will be a thing of the past. The regulation explicitly states that businesses must slim down their terms of business and privacy policies and clearly indicate how users’ data will be used – and by whom. A process must also be in place to give users access to their data within one month of a request. Purple’s privacy policy recently went from 1600 words to just 260 on a splash page that shows up when a customer clicks the consent box.
“This means no more tedious legal jargon, just simplistic language that clearly outlines what data we collect, why we collect it and what we do with it,” says Thomas.
The up-side to GDPR compliance
While GDPR compliance involves lengthy paperwork and new business decisions, the regulation can be advantageous to companies that embrace it.
Alan Calder is the Founder of IT Governance, which provides IT governance, risk management and compliance solutions to businesses worldwide. He says that smart providers will recognize the competitive advantage of transparency.
“The GDPR will take time, but it will drive more awareness over the fact that we own our individual data and services,” he says. “Customers that speak to that will find themselves gaining market share.”
/Stephanie