GDPR and Its Effects on Location-Based Services

Does location data account as personal data?

If we are using location-based services (LBS), the processing of location data is unavoidable. Due to the implementation of the GDPR on May 25th handling personal data is not as easy as it was before. But location data does not necessarily need to be personal data. It highly depends on the context and the use case. For example, location data can be used to track equipment and other lifeless objects unrelated to a human being. This could be the case if you use LBS as a part of your logistics optimization, when using it for asset tracking the usage of LBS it not at all affected by the GDPR.

But especially if you want to use location-based services for marketing reasons, you need to use location data related to a person, which then accounts as personal data. This is because the GDPR categories location data as personal data as soon as information about the physical location of a user’s phone or another digital device at a certain time are collected by an app or a service provider.

This is a problem, as the advantages of LBS are obtained by sending (potential) customers highly personalised content, which is relevant for them at this exact moment, at this exact place. The usage of personal data in this form can even be seen as a way to stop drowning people in brand messages. Who needs an ad for the nearest steakhouse if you are a vegetarian? Wouldn’t it be nicer to receive a discount for the cool veggie restaurant just around the workspace at lunchtime?

How to use location-based services and be GDPR compliant?

So what should you do, if the use of personal location data is unavoidable, to offer that superior customer experience you are aiming for? The regulation requires that if you use location data, it either must be anonymous, or you get the users' consent to use their information for a value-added service. As already discussed the usage of anonym data is often not purposeful, therefore you need to get consent!

But maybe you are wondering, what accounts under the category of “value-added services”. This can be any service which uses location data, beyond the data which is necessary for billing or the transmitting communication. This means every service you offer your customer to create additional value for him like you are using a car-sharing app and they are using your location (data) to show you which vehicle is closed to you.

Anyway, it is still needed that you get consent and since location data is accounted as personal data, you still need to ensure that you are using it in a right way. Some of the most important points to consider while using the location as data:

1.    Only use the data for exactly what they agreed to

2.    Being transparent about where the data is used & how it is used

3.   Storing it in a way:

- It can be reached and transmitted easily if an individual request it 

- It can be deleted easily when you are prompted to do so

- It is protected from data breaches 

So don’t be afraid, it is easier than it sounds! If you are working with location-based services or planning to do so the same rules apply as for all other personal data or even less if you limit yourself to asset tracking. If you are not dealing data on a shifty backyard, the GDPR is nothing you have to fear.