The Guardian - UK
Dr. Andreas Splittgerber and Christian Leuthner

The legal ABCs of beacons for retailers

Users must be clearly informed about the use of beacons. Photograph: Olha Ukhal / Alamy/Alamy

Since Apple introduced iBeacons, beacons – the small, affordable wireless devices based on the Bluetooth Low Energy Standard – have been all the rage with offline retail businesses and e-commerce shops alike. Beacons communicate with special apps provided by a retail business or a third party (either of them is then an “app-provider”). If installed on a user’s smartphone, the app enables location-based interaction between the retailer and the user, such as sending push messages on discounted products to users in range.

Despite these exciting developments for retailers everywhere, questions remain around the legal implications of this technology. The following ABC checklist provides practical advice to assess and mitigate the legal risks around the use of beacons in the EU*:

I – Information

Users must be clearly informed about the use of beacons. The information needs to include answers to the following: What information is collected? Who receives this information? What does the respective recipient do with the information? The information can be provided in the app that communicates with the beacon. It is also recommended to put up signs in the shops, similar to those known for video surveillance, to inform users about the use of beacon technology.

B – Banking risks

If beacons are used to enable or to support payments, retailers should engage payment service providers who specialise in mobile payments. By doing so, retailers can avoid major legal risks as payment services are subject to a strict regulatory framework and regularly require authorisation from regulators.

E – eProfiling

Regarding customer profiles, many retailers want to know, for example, which routes customers take while shopping, what vouchers they redeem or how often they return. If payments are made via the app, the average price segment may also be of interest for the retailer. Analysing this, however, is only permitted if the respective customer has given prior consent.

Tip: If route and buying behaviour can only be analysed to optimise the shop, the app provider can process and provide such data in non-personalised form (i.e. customer 007 bought a suit, a white shirt and a black bow tie). In this case, no consent is required.

A – Applicable data protection law

If, for example, the beacon is located in Germany, German and/or European Data Protection Law will always apply – even if the app provider is located in a non-EU country.

C – Consent

In most cases, apps may contact users through push messages if the message relates to the core purpose of the respective app. For instance, a pub guide app may inform users when a bar opens, or a discount app can send messages or vouchers relating to an associated shop.

As soon as an app collects or uses the location of the user, consent must be obtained. Consent is also required for actions that do not relate to the core purpose of the app. For example, where the core purpose of the app is to indicate the correct airport gate or train station platform, advertisements for nearby shops pushed out to the user when located at this gate may only be displayed with the prior consent of the user. Even with consent, it may be forbidden to address users excessively, especially when the aim is to draw users away from competitors.

Necessary consent can be obtained electronically via the app, by the user actively enabling push messages in the settings. Consent should also be renewed on a regular basis, especially when location data is collected and processed.

O – Other side

From a legal perspective, two parties are responsible for data processing in connection with beacons: the shop using the beacons and the app-provider whose app is communicating with the beacons. If the shop is not also the app-provider, both parties should choose one another carefully in advance and coordinate their behaviour. If an app-provider sells data collected via the app to third parties without being entitled to do so, the retailer may also risk liability. If a retailer places beacons within the private sphere, this in turn can be risky for the app-provider. The main risks are penalty fees of up to €300 000, cease and desist orders by the data protection authority and damage claims by the user.

N – No spam

Users must not be unreasonably harassed by messages which are triggered by the beacons, including emails or push messages they have not subscribed to. Thus, spamming as well as misleading information or any other improper influencing of a buying decision is prohibited. This is particularly important as customers are situated in close proximity to the products and are more inclined to conclude a contract spontaneously.

* The checklist applies to Germany, but meeting German standards in this area of data protection law usually means meeting or even over-achieving the standards of any other country in the European Union. The checklist, therefore, may be used as a guideline for a “one size fits all” solution in the European Union.

Dr. Andreas Splittgerber is a partner and Christian Leuthner is an associate at Olswang

This advertisement feature is provided by Olswang, sponsors of the Guardian Media Network’s Changing business hub
