CNIL has published several rules applicable to devices that compile aggregated and anonymised personal data intended to gauge the audience in a certain space. CNIL noted that the reason for this publication is the increasing number of companies using devices that collect personal data from mobile devices in order to advertise in areas where the public's presence can be measured, such as shopping malls.
In shopping malls, for example, such devices collect data from mobile phones and make it possible to compile traffic statistics and analyse the number of visitors to the mall over a certain period, to model the routes visitors take through the shopping mall and its departments, and to calculate the rate of repeat visitors. CNIL divided the discussion into the following three scenarios:
- Scenario 1: when data is anonymised within a short period (within minutes of collection):
  - According to CNIL, the short period is defined as the time required for the devices to anonymise the personal data, which shall take no more than five minutes and shall be in accordance with the criteria set out in Opinion 05/2014 on Anonymization Techniques of the former Article 29 Working Party.
  - CNIL states that in this scenario, data controllers can rely on their legitimate interest for processing the personal data under the GDPR. However, CNIL recommends that these controllers provide notice to individuals according to the layered approach of the Article 29 Working Party guidelines on transparency.
- Scenario 2: when the personal data is immediately pseudonymised and then anonymised or deleted (within 24 hours):
  - In this scenario, the data controllers can rely on a legitimate interest in order to retain the personal data, as long as they provide individuals with prior notice, implement an appropriate mechanism to allow individuals to object to the collection of information, adopt processes to allow individuals to exercise their rights under the GDPR, and implement technical measures to ensure data protection.
  - CNIL highlights the importance of providing individuals with the option to object to the collection and processing of their personal data. Accordingly, companies wishing to install audience-measuring devices shall implement technical solutions that enable the right to object to be exercised in a straightforward manner. CNIL gives several examples of how this right should be exercised, which cover both a priori and a posteriori data collection.
- Scenario 3: all other cases:
  - Where the device implemented by the data controller does not meet the abovementioned criteria, the controller may retain the personal data only on the basis of individual consent, which can be obtained by any means and should be informed, freely given and specific. The data controller must ensure that withdrawing consent is as easy as providing it.
Moreover, CNIL noted that as long as the devices involve the systematic monitoring of individuals, the processing would require a data protection impact assessment prior to implementation, regardless of their scenario classification.
We would be happy to provide further advice and recommendations concerning audience measurement technologies in light of the new regulatory guidelines.