WiFi Marketing Last updated: June 2026 9 min read

How to Track Offline Visitors in Your Digital Marketing Funnel

C
CaptiFi Editorial Team
CaptiFi · June 2026
How to Track Offline Visitors in Your Digital Marketing Funnel
40-60%
Guests captured as subscribers
25-95%
Profit lift from 5% better retention (HBR)
SHA-256
Hashing Meta and Google use to match emails
£42
Email ROI per £1 spent (DMA, 2019)

A man walks into your pub on a Tuesday, connects to the WiFi, drinks two pints and leaves. Three weeks later he sees your Facebook ad for the quiz night, books a table for six and spends forty quid. In most venues, those two events live in completely separate universes. The footfall counter knows he came in. The marketing dashboard knows he saw the ad. Nobody connects the two, so the ad gets no credit, the quiz night looks like luck, and next quarter someone cuts the ad budget.

Offline-to-online attribution is the work of joining those dots. It is the difference between guessing your marketing works and being able to point at the visit it caused. The honest news is that you cannot do it perfectly: privacy rules and phone settings put hard ceilings on what is possible. The better news is that with a single shared identifier, captured properly at the door, you can do a great deal more than most venue owners assume. This is how it actually works, what it can and cannot tell you, and where the limits bite.

Why the physical visit is invisible to your funnel

A digital funnel is built on identifiers. A cookie, a logged-in account, an email address: something that lets a platform say "this is the same person across two moments." A walk-in has none of that. Your card reader sees a transaction with no name attached. Your door counter sees an anonymous body. Your CCTV sees a face you are not allowed to match to anything. The visit happens, but it leaves no trace that any ad platform can read.

For years the workaround was the device MAC address: the hardware ID a phone broadcasts when it connects to WiFi. Track the MAC and you could recognise a returning device. That era is over. Android made randomised MAC addresses the default in Android 11 (2020) and Apple turned on "Private Wi-Fi Address" by default in iOS 14 the same year, with iOS 18 adding periodic rotation on top. Phones now hand out a fresh, fake MAC to most networks, and Apple's setting forces a portal reconnect roughly every 24 hours. Device-level tracking across visits is, for practical purposes, dead. That is a good thing for privacy and an inconvenient thing for measurement, and it is exactly why the durable identifier has to be something the guest gives you on purpose: an email address.

Capturing identity at the door

The whole chain depends on one moment: the guest connecting to your WiFi and entering an email on a branded splash page. That email is your join key. It is the same string a guest later uses to open your newsletter, the same string an ad platform can match against its own users, and (if you ask for it again at the till or in a booking) the same string that ties a visit to a spend.

This is the part CaptiFi handles. We are software, not hardware: a branded captive portal that sits on top of the network you already run on UniFi, Omada, Meraki, Aruba, MikroTik, Ruckus, Cambium or DrayTek, authorising guests through the controller API. What we do is turn the connect moment into a consented, first-party email capture. Venues using CaptiFi typically capture 40 to 60 percent of connecting guests as email subscribers. For more on the mechanics, see how to capture emails from guest WiFi and our wider piece on first-party data from WiFi.

One rule sits above all of this, and it is not optional. You cannot make marketing consent a condition of getting online. The ICO's own worked example is a cafe that forces customers to agree to marketing to use the WiFi: the ICO's verdict is that "collecting customers' details for direct marketing purposes is not necessary for the provision of the WiFi, which means this is not valid consent." So the marketing opt-in must be a separate, unticked box, clearly worded, naming you and the purpose. Get the access path online first, then ask, separately, to market. Our GDPR compliance setup is built around exactly that split.

Building retargeting audiences from captured emails

Once you hold a list of consented emails, both Meta and Google let you turn that list into a targetable audience. The mechanic is the same on both, and it is worth understanding because the privacy design is better than people fear.

You upload your email list. The platform hashes each address with SHA-256 (a one-way scramble) and matches the hashes against its own users' hashed details. On Google Ads, this is Customer Match: Google states it hashes your data "using the same SHA256 algorithm, which is the industry standard for one-way hashing," matches it to Google accounts, and after matching "your data file is marked for deletion." Emails must be lowercased and whitespace-stripped before hashing. On Meta, Custom Audiences work identically: Meta says "before using the uploaded list for the matching process, the information in your customer list is hashed and will be unidentifiable at an individual level," and "after your Custom Audience is created, the matched and unmatched hashed information is deleted." Meta confirms it does not learn new identifying information and does not share your list. This is the kind of owned, consented retargeting that sits at the heart of WiFi marketing.

So your physical visitors become a digital audience you can show ads to on Facebook, Instagram and across Google, plus a "lookalike" audience of similar people. Note this is separate from email consent: only market to, and upload, people who agreed to hear from you, and your privacy notice should disclose ad-platform sharing.

A practical caveat: match rates are never 100 percent. Some guests use a different email with the platform than the one they gave you, some addresses are not on the platform at all, and matched audiences shrink over time. Treat the audience as a strong, cheap retargeting pool, not a perfect census of your visitors.

Matching visits to opens and spend

Here is where attribution gets genuinely useful. The shared email lets you line up a physical visit against digital events on a timeline.

The cleanest version was tested in public. Yelp ran an offline-attribution trial at the restaurant Jack Astor's: it showed ads to registered Yelp users, captured the user's email when they connected to the restaurant's guest WiFi, then matched those WiFi-login emails against its registered-user database to see which ad-exposed people actually walked in. It used a one-day window for users who saw but did not click the ad and a 30-day window for clickers. That is the whole model in one experiment: ad exposure, then a WiFi capture as proof of visit, joined on email.

You can run lighter versions of the same idea with the data you already hold:

  • Visit timestamp against email open. If a guest who opened Tuesday's "two-for-one" email connects to your WiFi on Wednesday, that open looks like it drove a visit. Across hundreds of guests, the pattern is real signal, not coincidence.
  • Visit against POS spend. If your till or booking system captures the same email (loyalty sign-up, e-receipt, online booking), you can join WiFi visits to actual transactions and start to see visit-to-spend per customer.
  • Campaign against footfall. Send a win-back email to lapsed guests, then watch how many reconnect to the WiFi over the next fortnight.

Be honest about the ceiling, though. The Yelp test spelled out its own limits, and they apply to everyone: guests who visited but did not use the WiFi are invisible, guests who used a different email are unmatched, and Yelp did not track real per-person spend at all. It used "average ticket value and table size data supplied by Jack Astor's," an aggregate, not a per-customer POS link. The lesson is blunt: true individual visit-to-spend needs the same email at WiFi and at the till. Without that shared key, you have time-window correlation, which is informative, not deterministic proof.

Measuring repeat visits and customer value

The most reliable thing email-based attribution measures is also the most valuable: whether people come back. Because the email is stable across visits (unlike the MAC), you can count how many of last month's first-timers returned, how often regulars come in, and who has gone quiet. Our analytics dashboard tracks per-customer visit frequency for exactly this, and the deeper metrics are covered in WiFi analytics metrics.

Repeat business is where the money is, and the research backs it. Harvard Business Review reports that "increasing customer retention rates by 5% increases profits by 25% to 95%," citing Frederick Reichheld of Bain, and that winning a new customer is "anywhere from five to 25 times more expensive than retaining an existing one." It is also widely cited (and attributed to the textbook Marketing Metrics by Farris and colleagues) that the probability of selling to an existing customer is 60 to 70 percent versus 5 to 20 percent for a new prospect, though that range is a secondary citation rather than a verified primary quote. Once you can see who is lapsing, you can trigger automated win-back emails to bring a share of them back.

The attribution moves, with their limits

Every technique here trades reach for certainty. This table lays out what each move captures, what it lets you do, and exactly where it stops working, so you can pick the right tool rather than over-claim.

Data capturedWhat it enablesThe limit
Consented email at WiFi loginOwned, durable first-party identifier that survives MAC randomisationOnly covers guests who connect and opt in; needs a genuine, unbundled consent tick
Email uploaded to Meta / GoogleCustom and lookalike retargeting audiences from real visitorsPartial match rate; guests using a different email are missed; audiences decay
Visit timestamp vs email openCorrelate which campaigns precede visits across your listCorrelation, not proof; misses anyone who did not use the WiFi that day
Same email at WiFi and POS / bookingIndividual visit-to-spend, true repeat-customer valueRequires the till or booking system to capture the matching email
Repeat WiFi logins over timeVisit frequency, churn flags, win-back triggersSame-person only if they use the same email; one-time guests skew counts
Device MAC addressHistorically: device recognition across visitsLargely broken by default MAC randomisation on modern iOS and Android
The honest summary: email is the only identifier that bridges the physical visit and the digital funnel, and even then you are measuring the subset of guests who connect and consent. That subset is large and cheap to grow. The rest is inference, and inference, done carefully, still beats guessing.

Putting it into practice

You do not need a data team. The sequence is: get a branded portal capturing consented emails on the network you already have, push that list (consented only) into Meta and Google as a Custom Audience, ask for the same email at the till or in bookings so you can join visits to spend, then watch repeat-visit rates in your dashboard and trigger win-backs when someone lapses. Multi-site operators can run all of this from one place; see multi-location WiFi management.

If you want the bigger picture first, our complete guide to WiFi marketing ties capture, attribution and automation together, and turning anonymous foot traffic into a contactable list covers the capture step in depth. When you are ready, you can start a 30-day free trial at £0 today, from £49/mo, and see captures land within minutes of your first connecting guest.

Sources: ICO guidance on valid consent and when consent is appropriate; Google Ads Help on the customer matching process; Meta Business Help Center on hashing customer information and Custom Audiences; Search Engine Land's report on Yelp's guest-WiFi offline-attribution test; Eleven Software, Wifirst and Extreme Networks on MAC randomisation; the DMA Marketer Email Tracker 2019 for the £42 per £1 email ROI figure; and Harvard Business Review (Gallo, 2014, citing Reichheld) on retention economics, with the 60 to 70 percent figure widely attributed to Marketing Metrics by Farris and colleagues. CaptiFi performance figures are typical ranges, not guarantees. Details were correct at the time of writing in June 2026; verify current platform policies and the legal position before relying on them.

Frequently asked questions

Quick answers to the most common questions about this topic.

Can you really track an offline visitor in a digital marketing funnel?

Partly, and only if the visitor gives you a shared identifier. The practical method is to capture a consented email when the guest connects to your WiFi. That email becomes the link between the physical visit and digital events: you can upload it to Meta and Google to retarget that person, match the visit timestamp to email opens, and join it to till spend if the same email is captured there. You cannot track someone who never connects to the WiFi or never opts in, and you measure that subset of guests rather than everyone who walked through the door.

Why can't I just track visitors by their phone's MAC address anymore?

Modern phones hand out a random, fake MAC address to each network by default. Android made randomised MAC addresses the default in Android 11 in 2020, and Apple turned on Private Wi-Fi Address by default in iOS 14 the same year, with iOS 18 adding periodic rotation. Because the MAC changes, you can no longer use it to recognise a returning device reliably. That is good for guest privacy but it breaks MAC-based attribution, which is why a consented email, given on purpose, is now the durable identifier for connecting visits to your funnel.

How do Meta and Google match my email list to their users?

You upload your email list and the platform hashes each address using SHA-256, a one-way scramble, then matches those hashes against the hashed details of its own users. Google calls this Customer Match and says it hashes your data and marks your file for deletion after matching. Meta calls it Custom Audiences and says the information is hashed and unidentifiable at an individual level, with matched and unmatched data deleted afterwards. Neither platform learns new identifying information from you, and you should only upload addresses from people who consented to marketing.

What match rate should I expect when I upload my emails?

Expect less than 100 percent, and treat the matched audience as a strong retargeting pool rather than a complete picture of your visitors. Matches are missed when a guest used a different email with the platform than the one they gave you, or when their address is not registered on that platform at all. Matched audiences also shrink over time as people change accounts. Meta and Google do not publish a guaranteed figure in their primary documentation, so be wary of any vendor that quotes you a precise percentage as fact.

Can I measure how much an individual customer spent after a visit?

Only if the same email is captured both at the WiFi login and at the point of sale or booking. With that shared key you can join a visit to an actual transaction and see real visit-to-spend per customer. Without it, you are left correlating WiFi visits with aggregate spend over a time window, which is informative but not proof at the individual level. Yelp's public guest-WiFi attribution test made this clear: it used average ticket and table-size figures supplied by the restaurant, not a per-person POS link.

Is it legal to capture guest emails and use them for retargeting?

In the UK it is, provided you do it properly. You cannot make marketing consent a condition of getting online: the ICO is explicit that forcing customers to agree to marketing to use the WiFi is not valid consent because marketing is not necessary to provide WiFi. So the marketing opt-in must be a separate, unticked box that names you and the purpose. Only upload and market to people who gave that consent, and disclose in your privacy notice that you share hashed data with ad platforms. CaptiFi's portal is built around that consent split.

What is the most reliable thing this kind of attribution measures?

Repeat visits. Because the email is stable across visits, unlike the device MAC, you can count how many first-timers came back, how often your regulars return, and who has gone quiet. That matters because retention drives profit. Harvard Business Review reports that increasing retention by 5 percent increases profits by 25 to 95 percent, and that acquiring a new customer costs five to 25 times more than keeping one. Once you can see who is lapsing, you can trigger automated win-back emails to bring a share of them back.

How much of my footfall will actually end up in my email list?

It depends on your venue, your splash page and the incentive to connect, so treat any single number with caution. Venues using CaptiFi typically capture 40 to 60 percent of connecting guests as email subscribers, which is a realistic working range rather than a guarantee. Anyone quoting an exact footfall-to-database conversion rate as a hard benchmark is guessing, because no credible published figure exists for that specific metric across venue types. Your own incentive, signage and splash-page wording move the number more than anything else.

Do I need expensive software or a data analyst to do this?

No. The core setup is a branded captive portal capturing consented emails on the network you already run, then uploading that list into Meta and Google as a Custom Audience and asking for the same email at the till or in bookings. Repeat-visit tracking and win-back triggers run from the dashboard automatically. CaptiFi layers this onto existing UniFi, Omada, Meraki, Aruba, MikroTik, Ruckus, Cambium or DrayTek networks via the controller API. A 30-day free trial, £0 today, lets you test it first.
C
Written by
CaptiFi Editorial Team

The CaptiFi Editorial Team writes about guest WiFi marketing, captive portals, GDPR-compliant data capture, and local SEO for venue operators. We base our recommendations on real customer outcomes and verified third-party reviews from G2.com.

Ready to turn your guest WiFi into a marketing engine?

CaptiFi captures customer data from every WiFi login, automates Google reviews and email follow-ups, and plugs into the tools you already use. Hardware included (refundable hold), transparent pricing, 30-day free trial.

Related reading