Bluetrace BV is a supplier of Wi-Fi tracking technology which can be used to detect Wi-Fi signals from mobile devices in and around stores, collecting information such as MAC address and the date, time, and place the MAC address was detected. The data is used to generate commercial information on things like attendance and shopping behaviour for Bluetrace’s client companies and organizations.
The Dutch Data Protection Authority (DPA) conducted an official investigation into how Bluetrace processes personal data during Wi-Fi tracking. It concluded that Bluetrace is in violation of the Dutch Data Protection Act.
According to the DPA, Bluetrace lacks a legal basis for the processing of personal data, as it is not required for any business interest that outweighs the privacy of passers-by and neighbours.
In addition, the data from passers-by was wrongfully stored. According to the DPA, Bluetrace must anonymise or delete the data immediately after collecting it. Bluetrace is not allowed to collect and store personal data from neighbours at all. The DPA deems a retention period of 24 hours appropriate for the personal data of store visitors.
The DPA also considers that the involved parties were not timely, sufficiently, or correctly informed about the processing of their personal data for Wi-Fi tracking activities.
In response to the investigation, the DPA has issued a cease and desist order to Bluetrace. The order obligates Bluetrace to stop processing personal data or to take measures to alleviate the illegal nature of the processing. Those measures mean that Bluetrace:
- must prevent the collection and processing of personal data from neighbours;
- must delete or anonymise the personal data collected from passers-by as soon as possible; and
- must, at the time of collection, inform involved parties about its identity, the purpose of the data processing, the personal data which is processed, and the retention period.
If Bluetrace does not comply with the order within six months, they will be fined a penalty of €5,000 per week that the order is not implemented, up to a maximum of €100,000.
If you have any questions regarding Wi-Fi tracking or the processing of personal data, please contact our privacy team.