With the proliferation of location-based app services like traffic alerts and ride-sharing programs, the collection of consumers’ location information has exploded in recent years.  It comes as no surprise, therefore, that the Office of the Data Protection Commissioner (“DPC”) in Ireland issued guidance last week on the collection of location data, warning individuals about the risks associated with information relating to their location and clarifying businesses’ obligations when collecting that data.  The takeaways: most location-based data constitutes “personal data” and must be protected accordingly, some location-based data will be subject to enhanced protections as “sensitive personal data,” and businesses that collect or process location data should obtain informed consent before collecting consumers’ location information. 

The DPC’s guidance classifies location-based data as “personal data” if it relates to a living person and if it is possible to identify that person (the “data subject”).  Not surprisingly, location information connected to an individual’s name, phone number, or email address clearly constitutes personal data.  Less obviously, data that reveals the location of an individual over a period of time could also be enough to identify the data subject.  And it’s not just cell phones that can collect location information amounting to personal data.  The location of a self-driving or “autonomous” vehicle, for example, would not normally be considered personal data, but if the autonomous vehicle carried a passenger that could be identified, the location data would constitute personal data relating to the passenger.

Location-based data that amounts to personal data is subject to Ireland’s Data Protection Acts of 1988 and 2003 (collectively, the “Data Protection Acts”), even where companies never intend to link the location data they collect to a particular person.  Under the Data Protection Acts, businesses must refrain from “excessive collection or processing of data.”  Essentially, businesses should both limit the amount of data gathered to only what is necessary to achieve their business purposes, and they should avoid retaining unnecessary location data.  Although some location data will inevitably fall outside the purview of the Data Protection Acts, the DPC guidance noted that businesses collecting aggregated or anonymized data should take “extreme care” to prevent the identification of data subjects.

In addition, some location-based data will amount to “sensitive personal data,” which requires enhanced protection under the Data Protection Acts.  Sensitive personal data includes information about a data subject’s religious or political beliefs, the subject’s physical or mental health, or information about the subject’s sexuality—and location-based data constitutes sensitive personal data if it is possible to discern any of the defined traits about the data subject from the data.  Businesses might inadvertently collect data showing attendance at a place of worship or repeat hospital visits, for example, which could divulge information about a data subject’s religion or health.  Businesses accordingly must take care to identify and protect sensitive personal data they collect.

To comply with the Data Protection Acts, companies must inform data subjects that their location data will be collected and/or processed, as well as give them the opportunity to opt in or opt out.  Companies collecting data must take care to get informed consent from the data subject, as opposed to the owner of the device.  Employer-provided cell phones and public computers are examples of instances where the device owner might be different from the device user.  Alternatively, the Data Protection Acts permit the processing of data without the consent of the data subject in order to protect the “legitimate interests” of the data controller or a third party.  However, the data processing cannot amount to an unwarranted infringement of the fundamental rights of the data subject.

In conjunction with its guide for businesses, the DPC also issued separate guidance to inform individuals about companies’ obligations when collecting location data, as well as educate individuals about their rights when it comes to location information.