Guest WiFi GDPR Compliance Checklist for UK Businesses
A cafe offers free WiFi. To get online, customers hand over a name, an email and a mobile number, and tick a box agreeing to terms that say "by providing your details you consent to marketing." Tidy, fast, and exactly the example the Information Commissioner's Office uses to explain what invalid consent looks like. Bundling marketing into the price of getting online is not consent at all, says the ICO, because collecting those details "is not necessary for the provision of the wifi."
That one worked example does most of the heavy lifting in this checklist. Get the line between "give me WiFi" and "email me later" right, and the rest is housekeeping. Get it wrong, and you are sending marketing on a basis the regulator has already published a verdict on.
This is general guidance, not legal advice. It is written for venue owners and marketers, drawing on published ICO guidance and the PECR statute. For your specific setup, confirm with a data protection professional or the ICO before you rely on it.
Start here: two layers, two rules
Guest WiFi marketing is really two activities stacked on top of each other, and they answer to two different rules. The first layer is giving someone an internet connection. The second is capturing their email so you can market to them afterwards. Most compliance trouble comes from treating these as one thing.
The connection itself is governed by UK GDPR, and the cleanest lawful basis for it is legitimate interests. The marketing layer is governed by both UK GDPR (you need a lawful basis to hold and use the email) and PECR (the rule that actually decides whether you may press send). Keep them mentally separate and the checklist below falls into place.
- Layer one, the WiFi connection: lawful basis is legitimate interests. No marketing consent required to let someone online.
- Layer two, the marketing: lawful basis is consent, and PECR Regulation 22 sets the bar for that consent. This is the layer people get wrong.
Our view, from working with venues on exactly this, is that the single highest-value compliance decision is keeping these two as visibly separate choices on the splash page. A guest should be able to connect and skip the newsletter, full stop. If you build the page that way, you have solved roughly 80% of the risk before you write a word of policy. CaptiFi's branded splash pages and GDPR tooling are built around exactly that split.
1. Get your lawful basis right
Article 6(1) of UK GDPR gives you six lawful bases for processing personal data. At least one has to apply to anything you do with a guest's data, you must decide which one before you start processing, and you must document that decision. That last part is not optional polish: writing it down is part of being compliant.
For the WiFi connection, the strongest basis is legitimate interests under Article 6(1)(f). You do not have to take our word for it. The ICO runs guest WiFi in its own offices and, in its published privacy notice, records the device MAC address, allocates an IP address and logs traffic information (sites visited, duration, date) on the basis of legitimate interests, described as "processing personal data when it's necessary for the purposes of legitimate interests." If the regulator uses that basis for its own visitor WiFi, it is a sound precedent for yours.
Consent is a different tool, and the ICO is clear it should be saved for cases where no other basis obviously fits, such as where data is used in a "particularly unexpected or potentially intrusive way." Sending someone marketing email they actively asked for is precisely that kind of case, which is why consent is the right basis for layer two and the wrong basis for simply letting someone online.
What to do
- Write down legitimate interests as your basis for the WiFi connection, and consent as your basis for marketing.
- Record the decision before you switch the portal on, not after.
- State both bases in your privacy notice (see section 4).
2. Build the marketing opt-in properly
This is the section that decides whether your mailing list is an asset or a liability. The ICO's standard for valid consent is specific, and a captive portal can meet every part of it if you design for it. Here is the bar.
- A positive opt-in. People "must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as evidence of consent." No pre-ticked boxes, no opt-out boxes, no sneaky default settings.
- Unbundled. Consent must be separated from your other terms and conditions, and presented in a way that is "prominent, concise and easy to understand, and user-friendly."
- Granular. "Wherever possible, give separate ('granular') options to consent to different purposes and different types of processing." Email and SMS are different things; offer them separately.
- Specific and informed. Consent "must specifically cover the controller's name, the purposes of the processing and the types of processing activity." Name your venue, say what you will send.
- Freely given. Consent "should not be bundled up as a condition of service unless it is necessary for that service." Marketing is never necessary for WiFi, so it can never be a condition of it.
The cafe example is the trap. In the ICO's words, "collecting customer details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent." A guest must be able to connect to your network and decline your newsletter in the same breath. If declining marketing also blocks the WiFi, the consent is void and so is everything you send off the back of it.
In practice this means an unticked, clearly labelled marketing checkbox that sits apart from the "connect" action, with your venue named and the purpose spelled out. We dig into the mechanics of this in our guide to capturing emails from guest WiFi and in the post on building a compliant email list from WiFi.
3. Check the PECR rules before you email
UK GDPR governs whether you may hold the data. PECR (the Privacy and Electronic Communications Regulations 2003) governs whether you may actually send the marketing. The relevant rule is Regulation 22, and it covers unsolicited marketing by electronic mail, which includes both email and SMS, to individual subscribers.
The general rule under Regulation 22(2) is blunt: do not send unsolicited marketing email or text to an individual unless they have previously told you they consent. There are two exceptions. One is the long-standing "soft opt-in." The other, added by the Data (Use and Access) Act 2025, is a new soft opt-in for registered charities marketing their charitable purposes (Regulation 22(3A)), with equivalent opt-out conditions. For most commercial venues, the charity route is irrelevant, so the question is whether the soft opt-in saves you.
The soft opt-in has three cumulative conditions
All three must be met. They are:
- You obtained the contact details "in the course of the sale or negotiations for the sale of a product or service to that recipient."
- You only market "that person's similar products and services only."
- You gave "a simple means of refusing (free of charge except for the costs of the transmission of the refusal)" the marketing, both at the point of collection and "at the time of each subsequent communication."
Here is the catch for WiFi, and it is a big one. The ICO is explicit that simply using free guest WiFi is not a sale or a negotiation for a sale, so it does not qualify for the soft opt-in. Someone tapping "connect" on your splash page has not bought anything from you, so condition one fails on its own. The practical takeaway: for guest WiFi sign-ups, you almost always need a proper, explicit, ticked opt-in, not the soft opt-in. Do not let a vendor tell you otherwise.
The ICO actively enforces these rules. A January 2026 ICO press release reported fines totalling 225,000 pounds for nuisance marketing messages. Getting the opt-in right is cheaper than getting it wrong.
For more on staying the right side of PECR while still building a list that earns its keep, see our GDPR-compliant WiFi guide and the deeper piece on guest email marketing.
4. Write a privacy notice that actually informs
The right to be informed means you must give people privacy information at the time you collect their data. For guest WiFi that means a notice linked from your splash page, available before someone connects, not buried in a footer somewhere they will never look. If you obtain data from another source, you have a reasonable period to inform them and no later than one month, but for captive portals you are collecting it directly, so the answer is simple: tell them up front.
A workable guest WiFi privacy notice covers, at a minimum:
- Your organisation's name and contact details (and your representative and DPO contact details where applicable).
- The purposes of the processing.
- Your lawful basis or bases, and where you rely on legitimate interests, what those interests are.
- The categories of personal data, and where data is not collected from the person, its source.
- Who you share the data with.
- How long you keep it.
- Individuals' rights, including the right to complain to the ICO.
Write it in plain language. A notice no one can read informs no one, and the ICO expects it to be genuinely understandable. Naming your lawful basis is mandatory, so do not leave it vague. This is one part of the job a captive portal platform should handle for you: CaptiFi links a privacy notice from every splash page and stores it alongside the guest data capture records, so the notice and the consent are tied to the same sign-up.
5. Minimise data and set a retention period
Two principles do the work here, and both are about restraint. Data minimisation (Article 5(1)(c)) says personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." In plain terms: collect the least you need. If you only intend to email guests, you do not need their mobile number and home postcode. Asking for everything because the form allows it is a minimisation failure.
Storage limitation (Article 5(1)(e)) says you must keep identifiable data "for no longer than is necessary for the purposes for which the personal data are processed." Note what UK GDPR does not do here: it sets no fixed time limit. There is no statutory "keep WiFi logs for X days" number. Anyone quoting one is inventing it. What the law requires instead is that you choose a retention period you can justify, write down the reasoning, and then actually erase or anonymise data once it passes that point.
What to do
- Capture the minimum fields you genuinely use. An email address is usually enough for marketing.
- Set a retention period per data type (connection logs, marketing list) that you can defend.
- Document why you chose it.
- Build in actual deletion or anonymisation, not just an intention to delete one day.
First-party data you collect cleanly and keep lean is also more valuable, not less. We make that case in the first-party data post: a small, consented, well-maintained list beats a bloated one you cannot account for.
6. Secure the data and honour rights requests
Holding personal data means securing it and responding when people exercise their rights over it. Two rights come up constantly with guest data: access and erasure.
The right of access (a subject access request, or SAR) lets a person obtain a copy of their personal data plus supplementary information. SARs can be made verbally or in writing, you must respond without undue delay and within one month of receipt, and in most cases you cannot charge a fee. For complex requests, or several from the same person, you can extend by a further two months, but you must tell them inside the original month and explain why.
The right to erasure (the "right to be forgotten") lets a person ask you to delete their data. It is not absolute and applies only in certain circumstances, but where it does apply you again respond without undue delay and within one month. For a marketing list, an unsubscribe plus a deletion-on-request process usually covers the day-to-day cases.
| Right | How it can be made | Your deadline |
|---|---|---|
| Access (SAR) | Verbally or in writing | 1 month (extendable by 2 for complex cases) |
| Erasure | Verbally or in writing | 1 month (not an absolute right) |
Practically, you need a named person who watches for these requests, a way to find a given guest's records quickly, and a reliable delete path. A central dashboard helps: if your data sits in one place rather than scattered across spreadsheets, answering a SAR is minutes rather than days. That is part of why we built a single dashboard for guest records, and it matters even more if you run several sites, which we cover in multi-location WiFi management.
7. Keep records you can show the ICO
Accountability is its own principle: you not only have to comply, you have to be able to show you comply. With marketing consent that is concrete. For every subscriber you should be able to evidence who consented, when, to what, and how they were asked.
If a complaint ever reaches the ICO, "we think most people ticked the box" is not a defence. A timestamped record of the exact consent, tied to the privacy notice that was live at the time, is. This is the difference between a list you can defend and one you simply hope is fine.
The cheapest insurance in WiFi marketing is a consent record you can produce on demand. If you cannot prove how and when someone opted in, you cannot prove the marketing was lawful.
Keep, at minimum: the consent wording shown, the timestamp, the choice the guest made (opted in or not), and the privacy notice version in force. A good captive portal logs this automatically. We go through the wider picture of doing this at scale in our complete WiFi marketing guide, and you can see how CaptiFi handles consent records on a free trial from £49/mo.
The one-page summary checklist
Here is the whole checklist on a single screen. Keep it next to your splash page settings. As above, this is general guidance rather than legal advice, so sense-check your own setup against the ICO's current guidance or a data protection professional.
| Requirement | What to do | Lawful basis / source |
|---|---|---|
| WiFi connection | Process connection data without marketing consent | Legitimate interests, Article 6(1)(f); ICO's own office WiFi precedent |
| Marketing opt-in | Unticked, unbundled, granular, names your venue, never a condition of WiFi | Consent, Article 6; ICO valid-consent guidance |
| Sending email or SMS | Get explicit opt-in; soft opt-in does not cover free WiFi sign-ups | PECR Regulation 22 |
| Privacy notice | Linked from splash page before connection; names, purposes, basis, retention, rights | Right to be informed, Articles 13 and 14 |
| Data minimisation | Collect only the fields you actually use | Article 5(1)(c) |
| Retention | Set and document a justified period; no fixed legal figure exists; then erase | Article 5(1)(e) |
| Access and erasure | Respond within one month; usually no fee for a SAR | Right of access and right to erasure |
| Records | Log who consented, when, to what, and the notice version shown | Accountability principle |
None of this should slow your list down. A clean, consented, well-documented setup is the foundation of guest WiFi marketing that actually pays off, and it is exactly what platforms like CaptiFi are designed to handle automatically on top of your existing network. To see the compliance pieces in action, start a free trial or read more about why venues choose CaptiFi.
Sources: ICO guidance on lawful basis, valid consent, the right to be informed, data minimisation, storage limitation, the right of access and the right to erasure; the Privacy and Electronic Communications Regulations 2003, Regulation 22, on legislation.gov.uk; and ICO press releases from January and April 2026. This article is general guidance and was correct at the time of writing, June 2026. It is not legal advice.
Frequently asked questions
Quick answers to the most common questions about this topic.
Do I need consent to give guests WiFi access?
Can I make joining my mailing list a condition of using the WiFi?
What is the PECR soft opt-in and does it cover guest WiFi sign-ups?
How long can I keep guest WiFi data?
What must a guest WiFi privacy notice include?
How quickly must I respond to a data access or erasure request?
Does a pre-ticked opt-in box count as consent?
Does the soft opt-in change for charities under the 2025 law?
Does CaptiFi make my guest WiFi GDPR compliant on its own?
The CaptiFi Editorial Team writes about guest WiFi marketing, captive portals, GDPR-compliant data capture, and local SEO for venue operators. We base our recommendations on real customer outcomes and verified third-party reviews from G2.com.
Ready to turn your guest WiFi into a marketing engine?
CaptiFi captures customer data from every WiFi login, automates Google reviews and email follow-ups, and plugs into the tools you already use. Hardware included (refundable hold), transparent pricing, 30-day free trial.