The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Guidance Note for Entities Considering the use of Bluetooth Technology for Direct Marketing Purposes.


Transmission of Messages

The use of Bluetooth technology to send messages to mobile devices, including phones, within a certain radius and in pair mode is of interest, and potentially of concern, to the Office of the Data Protection Commissioner. The concern arises from the fact that consumers may receive messages that they do not want and that personal data may be processed without a valid basis in the Data Protection Acts.


There are currently no specific legal requirements in relation to the actual transmission of such messages, as they are not sent over a publicly available telecommunications network. It is likely that, as this form of marketing expands, there will be increased and justifiable calls for improved regulation.


However, from a best practice perspective, every effort should be made not to send messages to persons who do not wish to receive them. In this respect, seeking prior consent for such messages has been put forward as a means of enabling their transmission. While this is to be welcomed, it is not entirely clear how this could be achieved in practice, as the transmission of messages by Bluetooth makes no distinction between persons who have given their specific consent and persons who have not been afforded that opportunity. The latter category would seem to include persons who have expressly not given their consent but who wish, for their own reasons, to leave their phone in pair mode while in the proximity of a Bluetooth transmission in a public area, or even in an enclosed space such as a hotel or shopping centre. In addition, the rights of employees who work in Bluetooth zones, and who have legitimate expectations in this area, also need to be given due consideration.


One method put forward to this Office for achieving prior consent in the above way may be via relatively small (2-3 metres) but perfectly clear Bluetooth transmission zones into which the person must actively pass their Bluetooth device. If the person places their Bluetooth device in such a zone, perhaps a clearly marked area on the floor of a shop, having received information that by doing so they will receive marketing messages of offers via Bluetooth from that entity, then the consent of the person would seem to be given, thereby legitimising the receipt of the message.

Data Protection Act Considerations

There are also specific considerations which may arise under the Data Protection Acts from a person's interaction with a Bluetooth message. Specifically, if that interaction resulted in any personal data such as phone number, handset ID, Bluetooth machine ID, name of receiving device, etc. being transmitted to a Bluetooth base station, for example, this would need to be done in full compliance with the Data Protection Acts. This requires a user to give consent before their details are collected. Where it is not possible for this consent to be collected, compliance with the Data Protection Acts can be met by ensuring that no personal data is sent back to a Bluetooth base station. It is understood that Bluetooth base stations can be set to a default position of not recording such personal data.


If any personal data was being collected from the acceptance/receipt of a Bluetooth message then this would lead to significant data protection concerns in the absence of specific and informed consent. An individual or organisation which controls the contents and use of such personal data is a data controller for the purposes of the Data Protection Acts and must discharge the responsibilities imposed on them by the Acts.