Location-based marketing
Using location data from devices for marketing engages both the GDPR and ePrivacy. ePrivacy Art 9 requires opt-in consent to use location data for a 'value-added service', which is wide enough to cover location-based marketing. An exemption applies only where data is anonymised (unlikely in marketing). Before consent, the controller must inform people of the data types, purposes and duration, and any third-party transmission - and must allow withdrawal (opt-out) that is simple, free and available throughout.
Key distinction: the ePrivacy location rules attach to the geographic position of the terminal equipment (the device), not the location of the person. So if a friend uploads someone's whereabouts to a social network, the ePrivacy location rules don't apply (though other privacy considerations still do).
- Opt-in consent required to use location data for a value-added service (Art 9) - covers location-based marketing.
- Anonymised-data exemption exists but is unlikely to apply to marketing.
- Before consent, inform: types of location data; purposes and duration; any transmission to a third party.
- Offer withdrawal: a full opt-out, plus a temporary opt-out on each connection / transmission; means must be simple, free and available throughout.
- Process location data only to the extent and duration necessary for the value-added service.