Hostpot legal obligation
April 5, 2018

Hostpot legal obligation

Deploying Hotspot service can be very easy from a technical point of view, more tricky from a marketing point of view but clearly a nightmare from a legal standpoint.

Discussions with the legal department are usually very tense, you would like to move on but you see their feedback as a brake to the project.

In this article, I’ll list some questions you should ask to your legal department before deploying any Hotspot solution. This should be more effective that the eternal question “I need to deploy <put your new service here>, are you OK?”.

The article is based on my own experience of deploying an Hotspot service in 30+ countries for multiple luxury retail brands. As you can imagine legal councils and lawyers were especially attentive to comply with the law in that project so let me try to share what I did learn during this exchange.

Note: I’m not a lawyer so please use this article as a guideline and not as a state for the art.

Explain what you are going to do

The first point is not a question but an advice: explain what you are going to deploy (even if, at this stage, some details are unknown). I do not recommend to start from a blank page when you enter in discussion with lawyers and councils. The wider are the possibilities, the longer the list of obligations will be. You can also explain that you will start small and implement additional features after some times, this will help to focus on the mandatory obligations first.

At the minimum, you should detail:

  • Location where you plan to deploy the hotspot (Head quarter, stores, showroom, agency, school….) and associated countries.
  • Targeted users (anyone, only known customers, employees…)
  • The data your business want to gather through the service and the associated processing (send newsletter, customer profiling…). The country where the data will be stored is also important.
  • The partners that will help to provide the service (don’t forget the network providers, they are part of it) and their roles

If you have something to show (P.O.C or demo from the provider) it is even better.

Terms of Use and Privacy Notice

When the user will connect the Hotspot service via the captive portal, he has to read and accept the “Terms of use”. This document list the obligations and rights of both your company and the user himself. Because more and more countries have specific regulations in term of privacy, some of these terms may be separated in the “Privacy Notice”.

So the question to your legal department is “What is the content of the Term of use document?

Please remember that there is no unique way to write these terms, it highly depends on how you will deploy the service, where your will deploy it and your company’s business. Moreover, your legal department may accept not to comply with some regulations if the risk is low and the constraints are high, everything is arbitration!

Once your legal department deliver the document, please remember it will evolve as and when your service will get new features. So you should implement a solution to quickly update the document autonomously.

Last tips, your visitors may speak different languages, please consider translate the Term of Use for them.

Data collection and purposes

Throughout the user journey, the Hotspot service will collect two types of data:

  • Technical data: this is the data you will need for the service to work, for analytics and capacity planning or troubleshooting. This includes cookies, the authentication logs, DHCP leases, security logs and any other network statistics (bandwidth for example).
  • Personal data: this is the information that can help to identify the user. You may collect this for legal purpose (example in China) or marketing purpose but in both case, the Term of Use document should explain what and why.

As you understand, data collection is always associated to some communication to the user about what is collected but the most important in the different laws is the purposes of the collection.

The matrix resulting of combining collected data and purposes will determine, country per country, the associated legal obligations so ask your legal department 

Which obligations are associated to the following data/purpose matrix?

Based on the matrix, your legal department will :

  • fill the Term and Conditions document with the corresponding statements
  • list the different consent to be asked explicitly to the users (“I accept my phone number to be used to receive marketing calls”) either in Opt-In (unchecked by default) or Opt-out (checked by default, user have to explicitly refuse)
  • list the obligations in term of data security (anonymization or pseudonymization for example)
  • fill legal déclarations to the different official entities regarding data collection and data transfer through countries (CNIL in France)


Data access, rectification or erasure rights

Whatever the data collected by the Hotspot service, users should have the possibility to ask for data access or erasure. Usually data privacy laws impose to provide a privacy contact for user to request such procedures. Your company have to implement the process to answer these request in a certain amount of time.

So you should ask your legal department “What are the obligation in term of data access from the users?”

Security logs

As you may understand, your company may be subject to some network provider regulation and then will need to collect some data about which websites was reached via your hotspot service.

For example, in France, anyone subscribing to an Internet access is responsible for the usage of this access. Especially, if the police department detect someone use your Internet access for illegal downloading, website hacking or posting libel on a forum, you are legally responsible for that. So you have to collect the necessary data to inform the police department about the possible identity of the guilty user.

Ask your legal department “Which data should be recorded to be able to answer to police requests and how long shall we keep it”.

You may be tended to log everything and keep it as long as possible. This have 2 constraints:

  • The amount of data may be very huge (and the associated cost to store it may be exorbitant)
  • Some of these data are legally considered as private data and you may break a few laws if you collect and store it for too long.

Conclusion

When it comes to data and privacy, the legal validation is mandatory. Many government are concerns about privacy and some of them reinforce their laws (check the GDPR in European Union). You legal department should translate all these laws in a few requirement.

Romain Pillon, IT consultant.