Compliance Last updated: June 2026 9 min read

Guest WiFi GDPR Compliance Checklist for UK Businesses

C
CaptiFi Editorial Team
CaptiFi · June 2026
Guest WiFi GDPR Compliance Checklist for UK Businesses
1 month
To answer an access or erasure request
3
Cumulative soft opt-in conditions under PECR
6
Lawful bases in Article 6 UK GDPR
£225k
ICO fines for nuisance marketing, Jan 2026

A cafe offers free WiFi. To get online, customers hand over a name, an email and a mobile number, and tick a box agreeing to terms that say "by providing your details you consent to marketing." Tidy, fast, and exactly the example the Information Commissioner's Office uses to explain what invalid consent looks like. Bundling marketing into the price of getting online is not consent at all, says the ICO, because collecting those details "is not necessary for the provision of the wifi."

That one worked example does most of the heavy lifting in this checklist. Get the line between "give me WiFi" and "email me later" right, and the rest is housekeeping. Get it wrong, and you are sending marketing on a basis the regulator has already published a verdict on.

This is general guidance, not legal advice. It is written for venue owners and marketers, drawing on published ICO guidance and the PECR statute. For your specific setup, confirm with a data protection professional or the ICO before you rely on it.

Start here: two layers, two rules

Guest WiFi marketing is really two activities stacked on top of each other, and they answer to two different rules. The first layer is giving someone an internet connection. The second is capturing their email so you can market to them afterwards. Most compliance trouble comes from treating these as one thing.

The connection itself is governed by UK GDPR, and the cleanest lawful basis for it is legitimate interests. The marketing layer is governed by both UK GDPR (you need a lawful basis to hold and use the email) and PECR (the rule that actually decides whether you may press send). Keep them mentally separate and the checklist below falls into place.

  • Layer one, the WiFi connection: lawful basis is legitimate interests. No marketing consent required to let someone online.
  • Layer two, the marketing: lawful basis is consent, and PECR Regulation 22 sets the bar for that consent. This is the layer people get wrong.

Our view, from working with venues on exactly this, is that the single highest-value compliance decision is keeping these two as visibly separate choices on the splash page. A guest should be able to connect and skip the newsletter, full stop. If you build the page that way, you have solved roughly 80% of the risk before you write a word of policy. CaptiFi's branded splash pages and GDPR tooling are built around exactly that split.

1. Get your lawful basis right

Article 6(1) of UK GDPR gives you six lawful bases for processing personal data. At least one has to apply to anything you do with a guest's data, you must decide which one before you start processing, and you must document that decision. That last part is not optional polish: writing it down is part of being compliant.

For the WiFi connection, the strongest basis is legitimate interests under Article 6(1)(f). You do not have to take our word for it. The ICO runs guest WiFi in its own offices and, in its published privacy notice, records the device MAC address, allocates an IP address and logs traffic information (sites visited, duration, date) on the basis of legitimate interests, described as "processing personal data when it's necessary for the purposes of legitimate interests." If the regulator uses that basis for its own visitor WiFi, it is a sound precedent for yours.

Consent is a different tool, and the ICO is clear it should be saved for cases where no other basis obviously fits, such as where data is used in a "particularly unexpected or potentially intrusive way." Sending someone marketing email they actively asked for is precisely that kind of case, which is why consent is the right basis for layer two and the wrong basis for simply letting someone online.

What to do

  • Write down legitimate interests as your basis for the WiFi connection, and consent as your basis for marketing.
  • Record the decision before you switch the portal on, not after.
  • State both bases in your privacy notice (see section 4).

This is the section that decides whether your mailing list is an asset or a liability. The ICO's standard for valid consent is specific, and a captive portal can meet every part of it if you design for it. Here is the bar.

  • A positive opt-in. People "must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as evidence of consent." No pre-ticked boxes, no opt-out boxes, no sneaky default settings.
  • Unbundled. Consent must be separated from your other terms and conditions, and presented in a way that is "prominent, concise and easy to understand, and user-friendly."
  • Granular. "Wherever possible, give separate ('granular') options to consent to different purposes and different types of processing." Email and SMS are different things; offer them separately.
  • Specific and informed. Consent "must specifically cover the controller's name, the purposes of the processing and the types of processing activity." Name your venue, say what you will send.
  • Freely given. Consent "should not be bundled up as a condition of service unless it is necessary for that service." Marketing is never necessary for WiFi, so it can never be a condition of it.

The cafe example is the trap. In the ICO's words, "collecting customer details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent." A guest must be able to connect to your network and decline your newsletter in the same breath. If declining marketing also blocks the WiFi, the consent is void and so is everything you send off the back of it.

In practice this means an unticked, clearly labelled marketing checkbox that sits apart from the "connect" action, with your venue named and the purpose spelled out. We dig into the mechanics of this in our guide to capturing emails from guest WiFi and in the post on building a compliant email list from WiFi.

3. Check the PECR rules before you email

UK GDPR governs whether you may hold the data. PECR (the Privacy and Electronic Communications Regulations 2003) governs whether you may actually send the marketing. The relevant rule is Regulation 22, and it covers unsolicited marketing by electronic mail, which includes both email and SMS, to individual subscribers.

The general rule under Regulation 22(2) is blunt: do not send unsolicited marketing email or text to an individual unless they have previously told you they consent. There are two exceptions. One is the long-standing "soft opt-in." The other, added by the Data (Use and Access) Act 2025, is a new soft opt-in for registered charities marketing their charitable purposes (Regulation 22(3A)), with equivalent opt-out conditions. For most commercial venues, the charity route is irrelevant, so the question is whether the soft opt-in saves you.

The soft opt-in has three cumulative conditions

All three must be met. They are:

  1. You obtained the contact details "in the course of the sale or negotiations for the sale of a product or service to that recipient."
  2. You only market "that person's similar products and services only."
  3. You gave "a simple means of refusing (free of charge except for the costs of the transmission of the refusal)" the marketing, both at the point of collection and "at the time of each subsequent communication."

Here is the catch for WiFi, and it is a big one. The ICO is explicit that simply using free guest WiFi is not a sale or a negotiation for a sale, so it does not qualify for the soft opt-in. Someone tapping "connect" on your splash page has not bought anything from you, so condition one fails on its own. The practical takeaway: for guest WiFi sign-ups, you almost always need a proper, explicit, ticked opt-in, not the soft opt-in. Do not let a vendor tell you otherwise.

The ICO actively enforces these rules. A January 2026 ICO press release reported fines totalling 225,000 pounds for nuisance marketing messages. Getting the opt-in right is cheaper than getting it wrong.

For more on staying the right side of PECR while still building a list that earns its keep, see our GDPR-compliant WiFi guide and the deeper piece on guest email marketing.

4. Write a privacy notice that actually informs

The right to be informed means you must give people privacy information at the time you collect their data. For guest WiFi that means a notice linked from your splash page, available before someone connects, not buried in a footer somewhere they will never look. If you obtain data from another source, you have a reasonable period to inform them and no later than one month, but for captive portals you are collecting it directly, so the answer is simple: tell them up front.

A workable guest WiFi privacy notice covers, at a minimum:

  • Your organisation's name and contact details (and your representative and DPO contact details where applicable).
  • The purposes of the processing.
  • Your lawful basis or bases, and where you rely on legitimate interests, what those interests are.
  • The categories of personal data, and where data is not collected from the person, its source.
  • Who you share the data with.
  • How long you keep it.
  • Individuals' rights, including the right to complain to the ICO.

Write it in plain language. A notice no one can read informs no one, and the ICO expects it to be genuinely understandable. Naming your lawful basis is mandatory, so do not leave it vague. This is one part of the job a captive portal platform should handle for you: CaptiFi links a privacy notice from every splash page and stores it alongside the guest data capture records, so the notice and the consent are tied to the same sign-up.

5. Minimise data and set a retention period

Two principles do the work here, and both are about restraint. Data minimisation (Article 5(1)(c)) says personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." In plain terms: collect the least you need. If you only intend to email guests, you do not need their mobile number and home postcode. Asking for everything because the form allows it is a minimisation failure.

Storage limitation (Article 5(1)(e)) says you must keep identifiable data "for no longer than is necessary for the purposes for which the personal data are processed." Note what UK GDPR does not do here: it sets no fixed time limit. There is no statutory "keep WiFi logs for X days" number. Anyone quoting one is inventing it. What the law requires instead is that you choose a retention period you can justify, write down the reasoning, and then actually erase or anonymise data once it passes that point.

What to do

  • Capture the minimum fields you genuinely use. An email address is usually enough for marketing.
  • Set a retention period per data type (connection logs, marketing list) that you can defend.
  • Document why you chose it.
  • Build in actual deletion or anonymisation, not just an intention to delete one day.

First-party data you collect cleanly and keep lean is also more valuable, not less. We make that case in the first-party data post: a small, consented, well-maintained list beats a bloated one you cannot account for.

6. Secure the data and honour rights requests

Holding personal data means securing it and responding when people exercise their rights over it. Two rights come up constantly with guest data: access and erasure.

The right of access (a subject access request, or SAR) lets a person obtain a copy of their personal data plus supplementary information. SARs can be made verbally or in writing, you must respond without undue delay and within one month of receipt, and in most cases you cannot charge a fee. For complex requests, or several from the same person, you can extend by a further two months, but you must tell them inside the original month and explain why.

The right to erasure (the "right to be forgotten") lets a person ask you to delete their data. It is not absolute and applies only in certain circumstances, but where it does apply you again respond without undue delay and within one month. For a marketing list, an unsubscribe plus a deletion-on-request process usually covers the day-to-day cases.

RightHow it can be madeYour deadline
Access (SAR)Verbally or in writing1 month (extendable by 2 for complex cases)
ErasureVerbally or in writing1 month (not an absolute right)

Practically, you need a named person who watches for these requests, a way to find a given guest's records quickly, and a reliable delete path. A central dashboard helps: if your data sits in one place rather than scattered across spreadsheets, answering a SAR is minutes rather than days. That is part of why we built a single dashboard for guest records, and it matters even more if you run several sites, which we cover in multi-location WiFi management.

7. Keep records you can show the ICO

Accountability is its own principle: you not only have to comply, you have to be able to show you comply. With marketing consent that is concrete. For every subscriber you should be able to evidence who consented, when, to what, and how they were asked.

If a complaint ever reaches the ICO, "we think most people ticked the box" is not a defence. A timestamped record of the exact consent, tied to the privacy notice that was live at the time, is. This is the difference between a list you can defend and one you simply hope is fine.

The cheapest insurance in WiFi marketing is a consent record you can produce on demand. If you cannot prove how and when someone opted in, you cannot prove the marketing was lawful.

Keep, at minimum: the consent wording shown, the timestamp, the choice the guest made (opted in or not), and the privacy notice version in force. A good captive portal logs this automatically. We go through the wider picture of doing this at scale in our complete WiFi marketing guide, and you can see how CaptiFi handles consent records on a free trial from £49/mo.

The one-page summary checklist

Here is the whole checklist on a single screen. Keep it next to your splash page settings. As above, this is general guidance rather than legal advice, so sense-check your own setup against the ICO's current guidance or a data protection professional.

RequirementWhat to doLawful basis / source
WiFi connectionProcess connection data without marketing consentLegitimate interests, Article 6(1)(f); ICO's own office WiFi precedent
Marketing opt-inUnticked, unbundled, granular, names your venue, never a condition of WiFiConsent, Article 6; ICO valid-consent guidance
Sending email or SMSGet explicit opt-in; soft opt-in does not cover free WiFi sign-upsPECR Regulation 22
Privacy noticeLinked from splash page before connection; names, purposes, basis, retention, rightsRight to be informed, Articles 13 and 14
Data minimisationCollect only the fields you actually useArticle 5(1)(c)
RetentionSet and document a justified period; no fixed legal figure exists; then eraseArticle 5(1)(e)
Access and erasureRespond within one month; usually no fee for a SARRight of access and right to erasure
RecordsLog who consented, when, to what, and the notice version shownAccountability principle

None of this should slow your list down. A clean, consented, well-documented setup is the foundation of guest WiFi marketing that actually pays off, and it is exactly what platforms like CaptiFi are designed to handle automatically on top of your existing network. To see the compliance pieces in action, start a free trial or read more about why venues choose CaptiFi.

Sources: ICO guidance on lawful basis, valid consent, the right to be informed, data minimisation, storage limitation, the right of access and the right to erasure; the Privacy and Electronic Communications Regulations 2003, Regulation 22, on legislation.gov.uk; and ICO press releases from January and April 2026. This article is general guidance and was correct at the time of writing, June 2026. It is not legal advice.

Frequently asked questions

Quick answers to the most common questions about this topic.

Do I need consent to give guests WiFi access?

No. The act of providing the WiFi connection itself does not need consent. The cleaner lawful basis is legitimate interests under Article 6(1)(f) of UK GDPR, which is the same basis the ICO uses for its own office guest WiFi when it logs the device MAC address, allocates an IP and records traffic information. Consent is the right basis only for the separate marketing layer, where you want to email guests afterwards. You must still document your lawful basis decision before you start processing, and tell guests about it in your privacy notice.

Can I make joining my mailing list a condition of using the WiFi?

No, and this is the single most common mistake. The ICO's published example describes a cafe that requires marketing consent as the price of getting online, and concludes it is not valid consent because collecting marketing details is not necessary for providing the WiFi. Consent must be freely given, which means a guest has to be able to connect and decline marketing and still get online. Build the connect action and the marketing opt-in as two separate, distinct choices on your splash page.

What is the PECR soft opt-in and does it cover guest WiFi sign-ups?

The soft opt-in is an exception in PECR Regulation 22(3) that lets you email existing customers without prior consent, but only if all three conditions are met: you obtained the details during a sale or negotiation for a sale, you only market your own similar products, and you offered a simple free opt-out at collection and in every message. For most guest WiFi it does not apply, because simply connecting to free WiFi is not a sale or negotiation. The ICO states this directly. So you generally need a proper, explicit opt-in tick instead.

How long can I keep guest WiFi data?

There is no fixed legal time limit. UK GDPR's storage limitation principle says you must keep identifiable data no longer than is necessary for the purpose, but it does not set a number for WiFi logs or marketing lists. That means you decide a retention period you can justify for your purpose, write down the reasoning, and then actually erase or anonymise data once it passes that point. Be wary of any source quoting a specific statutory figure for WiFi logs, because none exists in law.

What must a guest WiFi privacy notice include?

Under the right to be informed, you must provide privacy information at the time you collect the data, so linked from your splash page before connection. At a minimum it should cover your organisation's name and contact details (plus a DPO if you have one), the purposes of processing, your lawful basis or bases and the legitimate interests where relied on, the categories of data, who you share it with, how long you keep it, and the individual's rights including the right to complain to the ICO. Write it in plain language, not dense legalese.

How quickly must I respond to a data access or erasure request?

Within one month of receiving the request. A subject access request can be made verbally or in writing, you usually cannot charge a fee, and you must provide a copy of the person's personal data plus supplementary information. The right to erasure follows the same one-month deadline where it applies, though it is not an absolute right. For complex requests or multiple requests from the same person, you can extend by a further two months, but you must tell them within the original month and explain why.

Does a pre-ticked opt-in box count as consent?

No. The ICO is explicit that valid consent requires a positive opt-in, where the person takes a deliberate action. You must not use pre-ticked boxes, opt-out boxes or other default settings, and silence or inactivity is never evidence of consent. The tick must also be unbundled from your terms and conditions, specific about what they are agreeing to, and name your organisation. If your splash page pre-selects the marketing box, the consent is invalid and any marketing you send on the back of it is non-compliant.

Does the soft opt-in change for charities under the 2025 law?

Yes. The Data (Use and Access) Act 2025 added a new soft opt-in for charitable purposes at PECR Regulation 22(3A). It lets registered charities send electronic-mail marketing of their charitable purposes without prior consent, provided equivalent conditions are met, including giving an opt-out both when the details are first collected and in every message. This is a narrow route for registered charities only. It does not change the rules for commercial venues, which still need a proper opt-in for guest WiFi marketing.

Does CaptiFi make my guest WiFi GDPR compliant on its own?

CaptiFi is built to support compliance, but compliance is ultimately the venue's responsibility. The platform provides an unbundled, timestamped marketing opt-in kept separate from WiFi access, a privacy notice linked from the splash page, and consent records stored in your dashboard so you can demonstrate accountability. It does not give legal advice or write your retention policy for you. You still need to set your retention period, handle rights requests, and confirm your specific setup with a data protection professional if you are unsure.
C
Written by
CaptiFi Editorial Team

The CaptiFi Editorial Team writes about guest WiFi marketing, captive portals, GDPR-compliant data capture, and local SEO for venue operators. We base our recommendations on real customer outcomes and verified third-party reviews from G2.com.

Ready to turn your guest WiFi into a marketing engine?

CaptiFi captures customer data from every WiFi login, automates Google reviews and email follow-ups, and plugs into the tools you already use. Hardware included (refundable hold), transparent pricing, 30-day free trial.

Related reading