
Guidance on the Use of Wi-Fi Tracking Technology

The AEPD has published guidance on the use of Wi-Fi tracking technology in compliance with the GDPR.


In a collaborative effort to address the growing concerns surrounding Wi-Fi tracking technology, the Spanish Data Protection Agency (AEPD), in conjunction with the Catalan Data Protection Authority, the Basque Data Protection Authority, and the Transparency and Data Protection Council of Andalusia, has jointly issued a comprehensive guidance document. This document delves into the multifaceted implications of Wi-Fi tracking technology, identifying its primary risks and potential vulnerabilities. Moreover, the guidance extends practical recommendations to ensure the responsible and ethical utilisation of this technology, emphasising compliance with standard data protection regulations.


Wi-Fi tracking technology has a wide range of applications including identifying, monitoring, and tracking the movement of mobile devices in various locations.


Wi-Fi tracking technology enables the identification and monitoring of mobile devices by detecting their Wi-Fi signals. This technology can pinpoint a device’s presence within a specific area and track its movement patterns. Wi-Fi tracking finds practical applications in various settings, including shopping centres, museums, workplaces, public areas, transportation systems, and large-scale events. Its uses range from estimating crowd capacity and analysing foot traffic flow, to measuring dwell times in specific locations.


Wi-Fi tracking technology raises data protection concerns and its use requires strict adherence to GDPR principles due to the potential for privacy risks.


The use of Wi-Fi tracking technology, while offering valuable insights in various applications, raises significant data protection concerns. According to a collective statement by the AEPD, the Catalan Data Protection Authority, the Basque Data Protection Authority, and the Transparency and Data Protection Council of Andalusia, this technology’s potential to process personal data requires strict adherence to the principles and obligations outlined in the GDPR. The authorities have emphasised the inherent privacy risks associated with Wi-Fi tracking, particularly the possibility of individuals’ movements being monitored without their knowledge or a proper legal basis. This highlights the importance of responsible and ethical deployment of this technology, balancing its benefits with the importance of safeguarding individual privacy rights.


The AEPD recommends conducting a DPIA before implementing Wi-Fi tracking technology, and emphasises transparency to balance its benefits with data privacy rights.


Given the inherent risks involved in processing personal data through Wi-Fi tracking technology, the AEPD, the Catalan Data Protection Authority, the Basque Data Protection Authority, and the Transparency and Data Protection Council of Andalusia jointly recommend conducting a Data Protection Impact Assessment (DPIA) prior to its implementation. This is to ensure that the technology’s use aligns with the principles of the GDPR. The authorities emphasise the importance of a DPIA even in cases where the necessity may not seem clear to the responsible party. Furthermore, the authorities stress the need for increased transparency through clear and accessible information. This can be achieved using visible information panels, public signage, voice alerts, or information campaigns. This approach aims to strike a balance between leveraging the benefits of Wi-Fi tracking technology and upholding the privacy rights of individuals.


To comply with the GDPR, organisations should anonymise and aggregate data, implement strong security, and conduct audits.


To ensure compliance with the General Data Protection Regulation (GDPR) when using Wi-Fi tracking technology, it is recommended that organisations anonymise and aggregate data immediately after collection; limit the scope of Wi-Fi tracking; avoid assigning the same identifier to a mobile device across multiple visits to the same location; implement solid security measures that are regularly reviewed and adapted to the level of risk; and conduct independent audits. These measures aim to protect individual privacy while enabling the effective use of Wi-Fi tracking technology.


At Aphaia, we commit to being the partner guiding you through a comprehensive journey of strengthening your data defences, ensuring compliance, and providing peace of mind in an ever-evolving digital landscape. If your organisation needs a data protection impact assessment, take that first step, and let’s build a secure future for your organisation together. Contact Aphaia today.
