• by Sean Hargrave , Staff Writer, December 9, 2019

Last week, the news broke that Google and Facebook are in the EU dock, again. This time, it's over how they collect, process and monetise data.

It was always likely, considering the duopoly's troubled history with regulators (both at home in the US and abroad).

If GDPR is compared to how these tech giants behave, it is likely to highlight some glaring holes around consent and the transparency of information used to garner consent.

I've had a different question mark at the back of my head for the past few months. In a word -- location. It rarely gets more than a fleeting mention when investigations into how data is handled but, for me, it will one day prove a huge issue.

I was reminded of this last week when reading about how programmatic is changing digital outdoor. It's true the technology is hugely exciting, but when I've talked to industry insiders, part of the positivity lies in audiences being tracked via their smartphone. By knowing where people are at different times of the day, screen owners can sell a variety of audiences in different locations through the working day, weekend and evening slots. 

When I've asked how this is done, there is usually a quick reference to all information being GDPR-compliant and the conversation moves on. 

However, I struggle to see how this could be the case because location rules in the new legislation are very strict. To begin with, you have to be a telecoms company to capture the information or be someone offering a value-added service, such as a car breakdown business, to warrant tracking a person. The idea is that tracking their location must be vital to providing a service or incredibly helpful to a person in some way. 

Consent for a person to have their location processed can only be given by that smartphone user, and there are two criteria. It must be anonymous and it must be essential to providing a value-added service. 

Now, we could argue until the cows come home whether a mobile device ID is personally identifiable or anonymous. A campaigner would say it is unique to a person and so is identifiable, while an ad executive would probably argue it is a random number which they do not pin against a person's identity. A campaigner might well reply that location data including "home" and "work" addresses on a mapping service might mean that device ID is not quite so anonymous. You can pick your own side of the argument here.

However, where things do become tricky for adland is when trying to prove that the other side of the bargain is adhered to. Is location data being only processed when it is necessary to provide a value-added service, such as pointing out where your nearest restaurant is, providing instruction on walking to a meeting or revealing what the weather is going to be like on the commute home?

The tricky point is a service. Sure, adland can probably get away with tracking a phone whose user has agreed to be alerted when passing a coffeehouse or restaurant with a great deal for loyal members or anyone using a particular phone network. 

Quite how tracking people can lead to any other form of monetisation or research for adland, however, is far more problematic. Tracking a person physically to see where they are in the world and which stores they have passed and which outdoor screen they may have walked by. It's very hard to see how any of this can be done within the strict remit of GDPR. 

It is also hard to see how permissions have been obtained legally to share location data with third parties when GDPR is very clear that tracking someone for a service should not be tied in with forcing them to accept that information can be passed on to a third party. Even then, the third party is supposed to only be required to provide the value-added service, not just be an advertising company tracking audiences around town. 

So, there are issues around consent with location. There are also issues with it being used by anyone who is not your telecoms provider or someone providing a service for which location processing is necessary. 

it could be me getting the wrong end of the stick or reading the GDPR rules too strictly, but I cannot see how location is anything other than a major GDPR ticking time bomb.