Glossary

GDPR & Guest WiFi

GDPR & guest WiFi refers to the UK and EU data-protection rules that apply when a venue captures personal data via a captive portal — requiring lawful basis, opt-in consent, an accessible privacy notice, audit trail, and the right to erasure.

If you collect any personal data from guests via your WiFi splash page — even just an email — UK and EU GDPR apply. So does PECR (the Privacy and Electronic Communications Regulations) the moment you send a marketing message to that email. Done correctly, GDPR-compliant guest WiFi protects the business; done badly, it's a major liability.

The six requirements you cannot skip

  1. Lawful basis. Almost always "consent" for marketing emails; "legitimate interest" can occasionally apply but is usually the wrong choice for a splash page.
  2. Specific, granular, opt-in consent. No pre-ticked boxes. Marketing opt-in must be a separate action from the WiFi sign-in itself.
  3. Accessible privacy notice linked from the splash page, in plain English, telling the guest exactly what you collect, why, how long you keep it, and who else sees it.
  4. Right to access, rectification and erasure. A guest can email you and ask for their data back, or for it to be deleted, and you must comply within 30 days.
  5. Audit trail. You must be able to prove, per individual, when consent was given, the IP address, the splash-page version, and the wording shown. CaptiFi captures this automatically.
  6. Data minimisation. Only collect what you actually need. Asking for date of birth, postcode and gender on a coffee-shop splash page is generally not defensible.

PECR — the rule about marketing emails specifically

PECR (UK) and the ePrivacy Directive (EU) layer additional rules on top of GDPR for any "electronic communication for marketing purposes" — emails, SMS, push notifications. The core requirement is prior, specific, opt-in consent, with the option to opt out in every message. Soft opt-in (you bought from us recently) doesn't apply to a guest WiFi sign-up.

What good practice looks like

  • The WiFi sign-in form marks the email field as required and leaves the marketing opt-in checkbox unticked by default.
  • Privacy notice link is one tap away, on the splash page itself.
  • Every marketing email has a one-click unsubscribe in the footer.
  • Data is retained only as long as the legitimate purpose lasts (e.g. 24 months from last visit).
  • The platform stores tamper-evident consent logs by default.

For a deeper walkthrough see the GDPR-compliant WiFi guide.
