# GDPR Best Practices for Guest WiFi
Stay compliant while maximising data collection. This is a practical guide for venues using CaptiFi — not legal advice, but clear, actionable steps based on how the regulation works in practice.
## The Basics
Under GDPR, you are the data controller for guest data collected via WiFi. CaptiFi is the data processor acting on your behalf.
Your core obligations:
- Lawful basis — Have a legal reason for collecting each piece of data
- Transparency — Tell guests what you collect and why
- Consent — Get explicit opt-in for marketing communications
- Data minimisation — Only collect what you genuinely need
- Rights — Allow guests to access, correct, and delete their data
- Security — Keep data secure and report breaches
The penalty for non-compliance: Up to €20 million or 4% of annual global turnover (whichever is higher). In practice, the ICO (UK) and EU regulators have issued fines ranging from £5,000 to £500,000 for SMEs with data handling failures. Even a small fine comes with reputational damage and enforcement costs.
## CaptiFi's Built-In Compliance
CaptiFi handles much of the heavy lifting for you:
- ✅ Consent collection — marketing opt-in checkbox on splash page (unchecked by default)
- ✅ Consent records — timestamped proof of who consented, when, and to what
- ✅ Privacy policy link — displayed on every splash page
- ✅ Unsubscribe links — in every marketing email, processed automatically
- ✅ Data encryption — AES-256 at rest, TLS 1.3 in transit
- ✅ EU data storage — all data stored on EU-based servers
- ✅ Audit trail — full record of data access and changes
- ✅ Data deletion — one-click guest data removal from dashboard
- ✅ Data export — export a guest's full data record for Subject Access Requests
- ✅ Data retention controls — configure automatic data purging after a set period
- ✅ Cookie consent — splash page includes necessary cookie disclosures
## What You Still Need to Do
CaptiFi provides the tools, but you are responsible for using them correctly.
### 1. Have a Privacy Policy
Your privacy policy must be accessible from the splash page and must cover:
| Topic | What to Include | Example |
|---|---|---|
| What you collect | List specific data points | "Email address, first name, device identifier" |
| Why you collect it | State your purpose | "To provide WiFi access and send marketing offers" |
| Legal basis | Legitimate interest and/or consent | "WiFi: legitimate interest. Marketing: consent" |
| Retention period | How long you keep it | "Marketing data retained for 24 months" |
| Third parties | Who you share with | "CaptiFi (data processor), Mailchimp (email delivery)" |
| Guest rights | How to request access/deletion | "Email privacy@yourvenue.com" |
| Contact details | Data controller information | Your business name, address, email |
CaptiFi provides a privacy policy template you can customise — find it in Settings → Compliance.
### 2. Get Marketing Consent Right
This is where most venues get it wrong. The rules are strict:
✅ Valid consent:
- Separate, unchecked checkbox
- Clear description of what they'll receive
- Specific to your venue/brand
- Easy to withdraw at any time
❌ Invalid consent:
- Pre-ticked checkbox
- Consent bundled with WiFi terms ("By connecting, you agree to receive marketing")
- Vague description ("Subscribe to updates")
- No way to withdraw without contacting you
Best practice opt-in text:
☐ "Yes, I'd like to receive exclusive offers and event news from [Venue Name] by email (maximum 2 per month). You can unsubscribe at any time."
Why specificity matters: Saying "maximum 2 per month" isn't just good practice — it sets expectations and reduces complaints. The ICO has specifically cited vague consent language as a common compliance failure.
### 3. Handle WiFi Login Data Separately from Marketing
There are two different legal bases at play:
| Data | Legal Basis | Consent Needed? |
|---|---|---|
| Device MAC address, connection time | Legitimate interest (network security) | No — but disclose in privacy policy |
| Email address for WiFi login | Legitimate interest (service provision) | No — but disclose in privacy policy |
| Email address for marketing | Consent (GDPR Art. 6(1)(a)) | Yes — explicit opt-in required |
| Phone number for SMS marketing | Consent | Yes — separate opt-in required |
| Browsing/location data | Consent | Yes — if you're tracking this |
Key point: A guest who provides their email to access WiFi has not consented to marketing. You need that separate checkbox.
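The separation described in sections 2 and 3 is easiest to get right if the splash-page handler never derives marketing consent from the WiFi login itself. The following Python module is an added illustration, not CaptiFi's own code: it assumes a splash form posting the fields `email`, `device_id`, `wifi_terms` and `marketing_opt_in` (all assumed names), records the WiFi login under legitimate interest, creates a marketing consent record only when the separate box was actively ticked, refuses a configuration where that box is pre-ticked, and produces a JSON export of everything held on one address for a Subject Access Request.

```python
"""Keep WiFi login data (legitimate interest) separate from marketing
consent (GDPR Art. 6(1)(a)) and record timestamped proof of consent.

Added example, not CaptiFi code. Form field names, record layouts and
the consent text version label are assumptions.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# The opt-in wording shown to the guest; stored with each consent record
# so the "to what" part of the proof survives later copy changes.
CONSENT_TEXT_V1 = (
    "Yes, I'd like to receive exclusive offers and event news from "
    "[Venue Name] by email (maximum 2 per month). You can unsubscribe at any time."
)


@dataclass
class WifiLogin:
    email: str
    device_id: str
    connected_at: str
    legal_basis: str = "legitimate_interest"  # service provision / network security


@dataclass
class MarketingConsent:
    email: str
    consent_text: str
    consent_version: str
    given_at: str
    channel: str = "email"
    legal_basis: str = "consent"
    withdrawn_at: Optional[str] = None


class ConsentError(ValueError):
    """Raised when the form or its configuration cannot yield valid consent."""


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def process_splash_submission(form: dict, checkbox_default: bool = False,
                              now: Optional[str] = None):
    """Turn a splash-page POST into a WifiLogin and, only if the guest
    actively ticked the separate marketing box, a MarketingConsent."""
    if checkbox_default:
        # A pre-ticked box is not valid consent, so refuse to run with one.
        raise ConsentError("marketing checkbox must be unchecked by default")
    if form.get("wifi_terms") != "on":
        raise ConsentError("WiFi terms not accepted; no access granted")
    ts = now or _now()
    login = WifiLogin(email=form["email"], device_id=form["device_id"], connected_at=ts)
    # A missing field, or anything other than the checkbox value "on", means
    # no consent: giving an email for WiFi access is not consent to marketing.
    consent = None
    if form.get("marketing_opt_in") == "on":
        consent = MarketingConsent(email=form["email"], consent_text=CONSENT_TEXT_V1,
                                   consent_version="v1", given_at=ts)
    return login, consent


def can_send_marketing(consents, email: str) -> bool:
    """True only while an un-withdrawn consent record exists for the address."""
    return any(c.email == email and c.withdrawn_at is None for c in consents)


def withdraw_consent(consents, email: str, now: Optional[str] = None) -> int:
    """Mark every active consent for the address as withdrawn; keep the record
    (it remains the proof of what was consented to and when)."""
    ts = now or _now()
    count = 0
    for c in consents:
        if c.email == email and c.withdrawn_at is None:
            c.withdrawn_at = ts
            count += 1
    return count


def export_guest_record(logins, consents, email: str) -> str:
    """Subject Access Request export: all records held on one address, as JSON."""
    return json.dumps({
        "wifi_logins": [asdict(l) for l in logins if l.email == email],
        "marketing_consents": [asdict(c) for c in consents if c.email == email],
    }, indent=2)
```

Because the consent record carries the exact wording and a version label, a later change to the opt-in text does not weaken the proof for guests who consented under the old wording, and `can_send_marketing` is the single check a campaign tool should call before sending.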
### 4. Don't Pre-Tick the Consent Box
This is non-negotiable under GDPR. Pre-ticked boxes are not valid consent (confirmed by the CJEU in the Planet49 ruling, 2019). CaptiFi's consent checkbox is unchecked by default — do not override this.
### 5. Honour Data Rights Promptly
Guests have the following rights. Here's how to handle each:
| Right | What It Means | How to Handle | Deadline |
|---|---|---|---|
| Access (SAR) | Guest wants to see their data | Use CaptiFi's data export feature | 30 days |
| Rectification | Guest wants to correct data | Edit in CaptiFi dashboard | 30 days |
| Erasure ("Right to be forgotten") | Guest wants data deleted | One-click delete in CaptiFi | 30 days |
| Portability | Guest wants data in machine-readable format | CaptiFi exports as CSV/JSON | 30 days |
| Objection | Guest objects to processing | Stop processing, consider deletion | Without undue delay |
| Withdraw consent | Guest unsubscribes from marketing | CaptiFi handles automatically | Immediate |
Tip: Most requests come via email unsubscribe (handled automatically) or a casual "can you delete my data?" email. Treat every request seriously and respond within 72 hours even if you need the full 30 days to complete it.
### 6. Set Appropriate Retention Periods
Don't keep data forever. Set retention periods based on your actual use:
| Data Type | Recommended Retention | Why |
|---|---|---|
| WiFi login data | 6-12 months | Network security, analytics |
| Marketing contact data | 12-24 months from last interaction | Active marketing |
| Consent records | 36 months after consent withdrawn | Proof of compliance |
| Analytics data (anonymised) | Indefinite | No personal data involved |
Configure auto-purge in CaptiFi Settings → Data Retention. This ensures you don't accidentally retain data beyond your stated period.
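The retention table above is a schedule with a different clock for each data type: connection time for WiFi logins, last interaction for marketing contacts, and the withdrawal date for consent records. The Python below is an added example of applying such a schedule, not CaptiFi's auto-purge; the record shapes, the field names and the conversion of the table's months into day counts are assumptions, and the sample records are constructed.

```python
"""Apply a per-data-type retention schedule and separate what is kept from
what is due for deletion.

Added example, not CaptiFi's purge logic. Record shapes, field names and
the day counts (assumed from the table: 12, 24 and 36 months) are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Retention in days per record kind. Each kind also defines which timestamp
# starts its clock (see purge()). Anonymised analytics are never purged.
POLICY = {
    "wifi_login": 365,          # upper end of the 6-12 month range, from connection
    "marketing_contact": 730,   # 24 months from the last interaction
    "consent_record": 1095,     # 36 months after consent was withdrawn
}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def purge(records, now: datetime, policy=POLICY):
    """Return (kept, purged). Records are dicts with a 'kind' plus the
    timestamp field that starts that kind's retention clock."""
    kept, purged = [], []
    for r in records:
        kind = r["kind"]
        if kind == "analytics_anonymised":
            kept.append(r)          # no personal data involved; indefinite
            continue
        if kind == "wifi_login":
            start = _parse(r["connected_at"])
        elif kind == "marketing_contact":
            start = _parse(r["last_interaction_at"])
        elif kind == "consent_record":
            if r.get("withdrawn_at") is None:
                kept.append(r)      # clock only starts when consent is withdrawn
                continue
            start = _parse(r["withdrawn_at"])
        else:
            raise ValueError(f"unknown record kind {kind!r}")
        if now - start > timedelta(days=policy[kind]):
            purged.append(r)
        else:
            kept.append(r)
    return kept, purged


# Constructed sample data: one record each side of every threshold.
SAMPLE_RECORDS = [
    {"kind": "wifi_login", "email": "a@example.com", "connected_at": "2023-06-01T00:00:00+00:00"},
    {"kind": "wifi_login", "email": "b@example.com", "connected_at": "2024-11-01T00:00:00+00:00"},
    {"kind": "marketing_contact", "email": "c@example.com", "last_interaction_at": "2022-06-01T00:00:00+00:00"},
    {"kind": "consent_record", "email": "c@example.com", "withdrawn_at": None},
    {"kind": "consent_record", "email": "d@example.com", "withdrawn_at": "2021-06-01T00:00:00+00:00"},
    {"kind": "analytics_anonymised", "daily_connections": 42},
]


def run_sample(now: datetime = datetime(2025, 1, 1, tzinfo=timezone.utc)):
    """Purge the constructed sample at a fixed reference time and report counts."""
    kept, purged = purge(SAMPLE_RECORDS, now)
    return {"kept": len(kept), "purged": len(purged),
            "purged_emails": sorted(r.get("email", "") for r in purged)}


if __name__ == "__main__":
    print(run_sample())
```

Running `purge` on a schedule (and logging what it removed) is also evidence for the checklist item "no data is being kept beyond the stated retention period"; note that a consent record outlives the marketing contact it belongs to on purpose, because it is the proof that the earlier sending was lawful.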
### 7. Keep Your Data Processor List Updated
If you use CaptiFi data with other tools (Mailchimp, Zapier, Google Sheets, etc.), each one is a data processor you should list in your privacy policy.
Common processors to disclose:
- CaptiFi (captive portal and data storage)
- Email service provider (e.g., Mailchimp, SendGrid)
- CRM system (e.g., HubSpot, Salesforce)
- Analytics tools (e.g., Google Analytics)
- Any integrations you've connected
## Data Breach Procedures
If you suspect a data breach (unauthorised access, accidental deletion, data sent to the wrong person):
- Assess the breach — what data was affected, how many people, what's the risk?
- Contain it — change passwords, revoke access, fix the vulnerability
- Report to the ICO within 72 hours if it poses a risk to individuals (ico.org.uk/make-a-complaint)
- Notify affected individuals without undue delay if the risk is high
- Document everything — even if you decide not to report, record your reasoning
CaptiFi's role: We will notify you within 24 hours if we detect any breach affecting your data, and assist with investigation and reporting.
## International Guests
If your venue serves international visitors:
- EU guests in the UK: GDPR applies (UK GDPR is essentially identical to EU GDPR post-Brexit)
- US guests: GDPR still applies while they're in the UK/EU — it protects people in the jurisdiction, regardless of nationality
- Marketing to guests after they leave the EU/UK: The original consent covers this, but be mindful of local laws (e.g., CAN-SPAM in the US)
- Splash page language: Consider offering your privacy notice in multiple languages if you regularly serve international guests
## Staff Training
Your team should understand the basics:
- Front-of-house staff should know: what data you collect via WiFi, how to direct guests who ask about privacy, and who to escalate data requests to
- Managers should know: how to handle Subject Access Requests, who your data protection lead is, and how to report a potential breach
- IT/Marketing should know: full GDPR obligations, how to use CaptiFi's compliance tools, and how to run compliant campaigns
Practical tip: Create a one-page "Data Privacy Cheat Sheet" for staff. Include:
- What to say if a guest asks about WiFi data collection
- Who to contact for data requests
- How to escalate a suspected breach
## Do You Need a Data Protection Impact Assessment (DPIA)?
A DPIA is required when processing is "likely to result in a high risk" to individuals. For most venues using CaptiFi for basic WiFi and marketing, a DPIA is not required. However, you should consider one if you:
- Process data for profiling or automated decision-making
- Use WiFi data for location tracking within your venue
- Process data on a large scale (e.g., large event venues with 10,000+ guests)
- Combine WiFi data with other datasets for detailed customer profiling
CaptiFi can provide a DPIA template if needed — contact support.
## Common GDPR Questions
Q: Do I need consent for WiFi login data? A: Not for the login itself (legitimate interest for providing the service), but yes for marketing communications. Always separate these.
Q: Can I use WiFi data for targeted advertising? A: Only with explicit consent. This means a clear opt-in on your splash page that specifically mentions targeted advertising.
Q: What if a guest asks for their data? A: You must provide it within 30 days. Use CaptiFi's data export feature — it generates a complete record in seconds.
Q: Do I need a Data Protection Officer (DPO)? A: Most small businesses don't. You need a DPO if your core activity involves large-scale monitoring of individuals or processing of special category data. However, you should designate someone as responsible for data compliance.
Q: Can I transfer guest data outside the UK/EU? A: Only with appropriate safeguards. CaptiFi stores all data in the EU. If you export data to a US-based tool (e.g., Mailchimp), ensure they have Standard Contractual Clauses (SCCs) or equivalent safeguards in place.
Q: How do I handle a guest who wants to use WiFi but refuses to provide any data? A: You're not required to provide free WiFi. However, consider offering a click-through option (no personal data collected) alongside your data-collecting login. This shows good faith and reduces complaints.
Q: What about cookie consent on the splash page? A: If your splash page uses cookies beyond what's strictly necessary for WiFi service, you need cookie consent. CaptiFi's splash page includes appropriate cookie disclosures.
## Compliance Checklist
Use this quarterly checklist to stay on top of compliance:
- [ ] Privacy policy is up to date and accessible from splash page
- [ ] Marketing consent checkbox is unchecked by default
- [ ] Consent text clearly describes what guests will receive
- [ ] Data retention periods are configured in CaptiFi
- [ ] All data processors are listed in your privacy policy
- [ ] Staff know how to handle data requests
- [ ] Unsubscribe links are working in all email campaigns
- [ ] No data is being kept beyond the stated retention period
- [ ] Consent records are intact and exportable
- [ ] You have a documented process for handling data breaches
For more GDPR details, see our GDPR FAQ.