Hotspot legal obligations
Deploying Hotspot service can be very easy from a technical point of view, more tricky from a marketing point of view but clearly a nightmare from a legal standpoint.
Discussions with the legal department are usually very tense, you would like to move on but you see their feedback as a brake to the project.
In this article, I’ll list some questions you should ask to your legal department before deploying any Hotspot solution. This should be more effective that the eternal question “I need to deploy <put your new service here>, is it OK for you?”.
The article is based on my own experience of deploying a Hotspot service in 30+ countries for multiple luxury retail brands. As you can imagine legal councils and lawyers were especially attentive to comply with the law in that project so let me try to share what I did learn during this exchange.
Note: I’m not a lawyer so please use this article as a guideline and not as a state for the art.
Explain what you are going to do
The first point is not a question but an advice: explain what you are going to deploy (even if, at this stage, some details are unknown). I do not recommend to start from a blank page when you enter into discussion with lawyers and councils.
The wider are the possibilities, the longer the list of obligations will be. You can also explain that you will start small and implement additional features after some times, this will help to focus on the mandatory obligations first.
At the minimum, you should detail:
- Location where you plan to deploy the hotspot (headquarter, stores, showroom, agency, school….) and associated countries.
- Targeted users (anyone, only known customers, employees…)
- The data your business wants to gather through the service and the associated processing (send newsletter, customer profiling…). The country where the data will be stored is also important.
- The partners that will help to provide the service (don’t forget the network providers, they are part of it) and their roles.
If you have something to show (P.O.C or demo from the provider) it is even better.
This document lists the obligations and rights of both your company and the user himself. Because more and more countries have specific regulations in terms of privacy, some of these terms may be separated in the “Privacy Notice”.
Please remember that there is no unique way to write these terms, it highly depends on how you will deploy the service, where your will deploy it and your company’s business. Moreover, your legal department may accept not to comply with some regulations if the risk is low and the constraints are high, everything is arbitration!
Once your legal department delivers the document, please remember that it will evolve and that your service may get new features. So you should implement a solution to quickly update the document autonomously.
Data collection and purposes
Throughout the user journey, the Hotspot service will collect two types of data:
- Technical data: this is the data you will need for the service to work, for analytics and capacity planning or troubleshooting. This includes cookies, the authentication logs, DHCP leases, security logs and any other network statistics (bandwidth for example).
As you understand, data collection is always associated to some communication to the user about what is collected but the most important in the different laws is the purposes of the collection.
The matrix resulting of combining collected data and purposes will determine, country per country, the associated legal obligations so ask your legal department:
“Which obligations are associated to the following data/purpose matrix ?”
Based on the matrix, your legal department will:
- fill the Terms and Conditions document with the corresponding statements
- list the different consent to be asked explicitly to the users (“I accept my phone number to be used to receive marketing calls”) either in Opt-In (unchecked by default) or Opt-out (checked by default, user have to explicitly refuse)
- list the obligations in term of data security (anonymization or pseudonymization for example)
- fill legal declarations to the different official entities regarding data collection and data transfer through countries (CNIL in France)
Data access, rectification or erasure right
Whatever the data collected by the Hotspot service, users should have the possibility to ask for data access or erasure.
Usually data privacy laws impose to provide a privacy contact for user to request such procedures. Your company has to implement the process to answer these request in a certain amount of time.
So you should ask your legal department “What are the obligation in terms of data access from the users?”
As you may understand, your company may be subject to some network provider regulation and then will need to collect some data about which websites were reached via your Hotspot service.
For example, in France, anyone subscribing to an Internet access is responsible for the usage of this access. Especially, if the police department detects someone using your Internet access for illegal downloading, website hacking or posting libel on a forum, you are legally responsible for that. So you have to collect the necessary data to inform the police department about the possible identity of the guilty user.
Ask your legal department “Which data should be recorded to be able to answer to police requests and how long shall we keep it”.
You may be tended to log everything and keep it as long as possible. This has 2 constraints:
- The amount of data may be very huge (and the associated cost to store it may be exorbitant)
- Some of these datas are legally considered as private data and you may break a few laws if you collect and store it for too long
When it comes to data and privacy, the legal validation is mandatory. Many governments are concerned about privacy and some of them reinforce their laws (check the GDPR in European Union). You legal department should translate all these laws in a few requirements.