Last year, there were approximately 4 million beacons deployed around the world, and by 2020 that number is expected to grow to 400 million, according to ABI Research, a technology research firm. Although the potential for the technology to help organizers personalize events, streamline the exchange of information, and to better understand attendee behavior is enormous, it also raises privacy issues. We reached out to Julie O’Neill, a partner in the Privacy & Data Security practice of Morrison & Foerster LLP, in Washington, D.C., to help us understand the responsibilities of meeting professionals when using RFID and beacon technology.
What disclaimers should be in place in your confirmation letters and on your website, badges, etc., to make people aware/informed when you are using beacon technology to track attendee movement in sessions, the exhibition hall, and other event spaces?
Julie O’Neill: This question raises interesting privacy issues. There is no generally applicable privacy law in the United States, but the Federal Trade Commission (FTC) has brought numerous privacy-related enforcement actions under Section 5 of the FTC Act, which contains a broad prohibition on unfair and deceptive acts and practices.
The FTC has taken the position that precise location is sensitive information that — in order to avoid a charge of deception or unfairness — requires the individual’s affirmative consent to its collection. For this reason, an event organizer should provide an attendee with clear and conspicuous notice of the use of tracking technology and obtain his or her consent to it, such as at the point of registration.
For example:
Your conference badge will contain a chip to track your attendance at conference sessions and events so that we can provide continuing education credit. We will also use the information to understand the demand for conference sessions, which helps us in evaluating our events and planning future events. By registering, you agree to this collection and use of your attendance information.
The notice may be short, but it must be accurate, and it should not omit any material use of the information. This means that additional disclosures may be required if the information will be used for other purposes (such as targeted marketing) or shared with third parties.
If it is not possible to obtain consent, the next-best option is to provide clear and conspicuous notice of the tracking to the attendee, before he or she uses the badge.
It is important to note that the obligations may be different if the conference takes place outside of the United States and/or is targeted to residents of a particular ex-U.S. jurisdiction(s). Local privacy counsel should be consulted in these cases.