Huq, a company that sells location data, has revealed that some of the information it obtained was collected without seeking consent from users. Huq uses location data from apps and sells it to clients. It told the BBC that two app partners had not requested user consent.
One of the app developers admitted to having problems with the permissions, which have now been resolved. The second app developer failed to respond. Huq have stated they are aware of the two “technical breaches” of data privacy requirements.
This incident has raised two questions:
- How much do companies know about GDPR in terms of collecting location data?
- Are users being clearly made aware of how their data is being used?
Location data is information collected by a service or network about where the user’s phone or other device is or was located.
Location data is covered by the Privacy and Electronic Communications Regulations (PECR). The regulations state that when obtaining location data, you must provide the user or subscriber with the following information:
- The types of location data you will be processing
- What you are using it for
- How long you will keep it
- Whether it will be passed to a third party to provide the value-added service
A customer is entitled to withdraw their consent at any time, in which case you should immediately stop using the location data.
As an organisation, it is important to outline the following things within your privacy notice:
- What you are doing with the data
- Why you need the information
- What type of information you will be processing
- The methods to withdraw consent
- How long the information will remain on the system
- If the information will be transferred to a third party
- If the information will be transferred outside your country or location
So, what can we take from this incident? For organisations to avoid sanctions from the Information Commissioner's Office (ICO), they must clarify to users/subscribers what, when, and how their information will be processed. It is also important to add that we, as an organisation, should not hold any personal information longer than necessary.