How to Track Offline Visitors in Your Digital Marketing Funnel
A man walks into your pub on a Tuesday, connects to the WiFi, drinks two pints and leaves. Three weeks later he sees your Facebook ad for the quiz night, books a table for six and spends forty quid. In most venues, those two events live in completely separate universes. The footfall counter knows he came in. The marketing dashboard knows he saw the ad. Nobody connects the two, so the ad gets no credit, the quiz night looks like luck, and next quarter someone cuts the ad budget.
Offline-to-online attribution is the work of joining those dots. It is the difference between guessing your marketing works and being able to point at the visit it caused. The honest news is that you cannot do it perfectly: privacy rules and phone settings put hard ceilings on what is possible. The better news is that with a single shared identifier, captured properly at the door, you can do a great deal more than most venue owners assume. This is how it actually works, what it can and cannot tell you, and where the limits bite.
Why the physical visit is invisible to your funnel
A digital funnel is built on identifiers. A cookie, a logged-in account, an email address: something that lets a platform say "this is the same person across two moments." A walk-in has none of that. Your card reader sees a transaction with no name attached. Your door counter sees an anonymous body. Your CCTV sees a face you are not allowed to match to anything. The visit happens, but it leaves no trace that any ad platform can read.
For years the workaround was the device MAC address: the hardware ID a phone broadcasts when it connects to WiFi. Track the MAC and you could recognise a returning device. That era is over. Android made randomised MAC addresses the default in Android 11 (2020) and Apple turned on "Private Wi-Fi Address" by default in iOS 14 the same year, with iOS 18 adding periodic rotation on top. Phones now hand out a fresh, fake MAC to most networks, and Apple's setting forces a portal reconnect roughly every 24 hours. Device-level tracking across visits is, for practical purposes, dead. That is a good thing for privacy and an inconvenient thing for measurement, and it is exactly why the durable identifier has to be something the guest gives you on purpose: an email address.
Capturing identity at the door
The whole chain depends on one moment: the guest connecting to your WiFi and entering an email on a branded splash page. That email is your join key. It is the same string a guest later uses to open your newsletter, the same string an ad platform can match against its own users, and (if you ask for it again at the till or in a booking) the same string that ties a visit to a spend.
This is the part CaptiFi handles. We are software, not hardware: a branded captive portal that sits on top of the network you already run on UniFi, Omada, Meraki, Aruba, MikroTik, Ruckus, Cambium or DrayTek, authorising guests through the controller API. What we do is turn the connect moment into a consented, first-party email capture. Venues using CaptiFi typically capture 40 to 60 percent of connecting guests as email subscribers. For more on the mechanics, see how to capture emails from guest WiFi and our wider piece on first-party data from WiFi.
One rule sits above all of this, and it is not optional. You cannot make marketing consent a condition of getting online. The ICO's own worked example is a cafe that forces customers to agree to marketing to use the WiFi: the ICO's verdict is that "collecting customers' details for direct marketing purposes is not necessary for the provision of the WiFi, which means this is not valid consent." So the marketing opt-in must be a separate, unticked box, clearly worded, naming you and the purpose. Get the access path online first, then ask, separately, to market. Our GDPR compliance setup is built around exactly that split.
Building retargeting audiences from captured emails
Once you hold a list of consented emails, both Meta and Google let you turn that list into a targetable audience. The mechanic is the same on both, and it is worth understanding because the privacy design is better than people fear.
You upload your email list. The platform hashes each address with SHA-256 (a one-way scramble) and matches the hashes against its own users' hashed details. On Google Ads, this is Customer Match: Google states it hashes your data "using the same SHA256 algorithm, which is the industry standard for one-way hashing," matches it to Google accounts, and after matching "your data file is marked for deletion." Emails must be lowercased and whitespace-stripped before hashing. On Meta, Custom Audiences work identically: Meta says "before using the uploaded list for the matching process, the information in your customer list is hashed and will be unidentifiable at an individual level," and "after your Custom Audience is created, the matched and unmatched hashed information is deleted." Meta confirms it does not learn new identifying information and does not share your list. This is the kind of owned, consented retargeting that sits at the heart of WiFi marketing.
So your physical visitors become a digital audience you can show ads to on Facebook, Instagram and across Google, plus a "lookalike" audience of similar people. Note this is separate from email consent: only market to, and upload, people who agreed to hear from you, and your privacy notice should disclose ad-platform sharing.
A practical caveat: match rates are never 100 percent. Some guests use a different email with the platform than the one they gave you, some addresses are not on the platform at all, and matched audiences shrink over time. Treat the audience as a strong, cheap retargeting pool, not a perfect census of your visitors.
Matching visits to opens and spend
Here is where attribution gets genuinely useful. The shared email lets you line up a physical visit against digital events on a timeline.
The cleanest version was tested in public. Yelp ran an offline-attribution trial at the restaurant Jack Astor's: it showed ads to registered Yelp users, captured the user's email when they connected to the restaurant's guest WiFi, then matched those WiFi-login emails against its registered-user database to see which ad-exposed people actually walked in. It used a one-day window for users who saw but did not click the ad and a 30-day window for clickers. That is the whole model in one experiment: ad exposure, then a WiFi capture as proof of visit, joined on email.
You can run lighter versions of the same idea with the data you already hold:
- Visit timestamp against email open. If a guest who opened Tuesday's "two-for-one" email connects to your WiFi on Wednesday, that open looks like it drove a visit. Across hundreds of guests, the pattern is real signal, not coincidence.
- Visit against POS spend. If your till or booking system captures the same email (loyalty sign-up, e-receipt, online booking), you can join WiFi visits to actual transactions and start to see visit-to-spend per customer.
- Campaign against footfall. Send a win-back email to lapsed guests, then watch how many reconnect to the WiFi over the next fortnight.
Be honest about the ceiling, though. The Yelp test spelled out its own limits, and they apply to everyone: guests who visited but did not use the WiFi are invisible, guests who used a different email are unmatched, and Yelp did not track real per-person spend at all. It used "average ticket value and table size data supplied by Jack Astor's," an aggregate, not a per-customer POS link. The lesson is blunt: true individual visit-to-spend needs the same email at WiFi and at the till. Without that shared key, you have time-window correlation, which is informative, not deterministic proof.
Measuring repeat visits and customer value
The most reliable thing email-based attribution measures is also the most valuable: whether people come back. Because the email is stable across visits (unlike the MAC), you can count how many of last month's first-timers returned, how often regulars come in, and who has gone quiet. Our analytics dashboard tracks per-customer visit frequency for exactly this, and the deeper metrics are covered in WiFi analytics metrics.
Repeat business is where the money is, and the research backs it. Harvard Business Review reports that "increasing customer retention rates by 5% increases profits by 25% to 95%," citing Frederick Reichheld of Bain, and that winning a new customer is "anywhere from five to 25 times more expensive than retaining an existing one." It is also widely cited (and attributed to the textbook Marketing Metrics by Farris and colleagues) that the probability of selling to an existing customer is 60 to 70 percent versus 5 to 20 percent for a new prospect, though that range is a secondary citation rather than a verified primary quote. Once you can see who is lapsing, you can trigger automated win-back emails to bring a share of them back.
The attribution moves, with their limits
Every technique here trades reach for certainty. This table lays out what each move captures, what it lets you do, and exactly where it stops working, so you can pick the right tool rather than over-claim.
| Data captured | What it enables | The limit |
|---|---|---|
| Consented email at WiFi login | Owned, durable first-party identifier that survives MAC randomisation | Only covers guests who connect and opt in; needs a genuine, unbundled consent tick |
| Email uploaded to Meta / Google | Custom and lookalike retargeting audiences from real visitors | Partial match rate; guests using a different email are missed; audiences decay |
| Visit timestamp vs email open | Correlate which campaigns precede visits across your list | Correlation, not proof; misses anyone who did not use the WiFi that day |
| Same email at WiFi and POS / booking | Individual visit-to-spend, true repeat-customer value | Requires the till or booking system to capture the matching email |
| Repeat WiFi logins over time | Visit frequency, churn flags, win-back triggers | Same-person only if they use the same email; one-time guests skew counts |
| Device MAC address | Historically: device recognition across visits | Largely broken by default MAC randomisation on modern iOS and Android |
The honest summary: email is the only identifier that bridges the physical visit and the digital funnel, and even then you are measuring the subset of guests who connect and consent. That subset is large and cheap to grow. The rest is inference, and inference, done carefully, still beats guessing.
Putting it into practice
You do not need a data team. The sequence is: get a branded portal capturing consented emails on the network you already have, push that list (consented only) into Meta and Google as a Custom Audience, ask for the same email at the till or in bookings so you can join visits to spend, then watch repeat-visit rates in your dashboard and trigger win-backs when someone lapses. Multi-site operators can run all of this from one place; see multi-location WiFi management.
If you want the bigger picture first, our complete guide to WiFi marketing ties capture, attribution and automation together, and turning anonymous foot traffic into a contactable list covers the capture step in depth. When you are ready, you can start a 30-day free trial at £0 today, from £49/mo, and see captures land within minutes of your first connecting guest.
Sources: ICO guidance on valid consent and when consent is appropriate; Google Ads Help on the customer matching process; Meta Business Help Center on hashing customer information and Custom Audiences; Search Engine Land's report on Yelp's guest-WiFi offline-attribution test; Eleven Software, Wifirst and Extreme Networks on MAC randomisation; the DMA Marketer Email Tracker 2019 for the £42 per £1 email ROI figure; and Harvard Business Review (Gallo, 2014, citing Reichheld) on retention economics, with the 60 to 70 percent figure widely attributed to Marketing Metrics by Farris and colleagues. CaptiFi performance figures are typical ranges, not guarantees. Details were correct at the time of writing in June 2026; verify current platform policies and the legal position before relying on them.
Frequently asked questions
Quick answers to the most common questions about this topic.
Can you really track an offline visitor in a digital marketing funnel?
Why can't I just track visitors by their phone's MAC address anymore?
How do Meta and Google match my email list to their users?
What match rate should I expect when I upload my emails?
Can I measure how much an individual customer spent after a visit?
Is it legal to capture guest emails and use them for retargeting?
What is the most reliable thing this kind of attribution measures?
How much of my footfall will actually end up in my email list?
Do I need expensive software or a data analyst to do this?
The CaptiFi Editorial Team writes about guest WiFi marketing, captive portals, GDPR-compliant data capture, and local SEO for venue operators. We base our recommendations on real customer outcomes and verified third-party reviews from G2.com.
Ready to turn your guest WiFi into a marketing engine?
CaptiFi captures customer data from every WiFi login, automates Google reviews and email follow-ups, and plugs into the tools you already use. Hardware included (refundable hold), transparent pricing, 30-day free trial.