How the GDPR will affect Wi-Fi providers

In the past few years, public Wi-Fi has gone from an attraction to a necessity for many industries. People’s obsession with constantly checking their phones has led to cafes, libraries, shops and many other organisations being forced to provide Wi-Fi or risk potential customers going elsewhere.

But the way companies offer Wi-Fi to customers is set to change, as the collection of data to log in to wireless hotspots is subject to the EU General Data Protection Regulation (GDPR).

The GDPR, which takes effect on 25 May 2018, applies to any organisation that handles EU residents’ personal data.


An expensive change

A lot of public Wi-Fi is free, but that might not be the case for much longer. The most common practice of providing free Wi-Fi is to offset the cost by selling data that’s collected to marketing companies, but the GDPR will toughen the rules for doing that. Anyone who processes data will need a legitimate reason to do so, they must process as little data as is necessary for that purpose and that data must be used only for that purpose.

Unless users consent to their data being used for marketing purposes, this practice will no longer be possible.

Organisations that provide free Wi-Fi have three alternatives to selling data, none of which are terribly attractive: to put in place a pay-to-use service, to eat the cost themselves or to stop providing Wi-Fi altogether. Which of these choices organisations opt for will depend on how important they deem free Wi-Fi to be to their business.


But what about consent?

Organisations that continue to provide Wi-Fi – however they pay for it – will still need to sort out the issue of finding a legitimate reason to process data.

Contrary to what many people think, this doesn’t necessarily mean gaining consent. There are six lawful bases for collecting data, and consent is the least preferable because it can be hard to obtain and maintain. However, in this instance many organisations will find themselves having to rely on it.

Wi-Fi provider Purple claims to be the first such company to meet these rules. In a blog post, it said it had updated its consent policy and created a user account system that allows people to log in to rectify and erase any data they no longer want to share.

All organisations that rely on consent will need a system similar to Purple’s.

But there is another option, one that doesn’t rely on consent – or compliance with the GDPR at all. Shane Buckley, CEO of Wi-Fi company Xirrus, says organisations may choose to implement federated identity management (FIM) technology.

He said: “There is no need to store any customer data with FIM, which makes it an attractive route for public Wi-Fi providers seeking cost-effective GDPR compliance.

“Many people already use the process regularly when using their Facebook profile to access a third party website or app. Similarly, a secure federated login replaces the collection of personal data to allow customers to auto-connect to public Wi-Fi networks.

“Removing the need to store personal data transfers compliance responsibility to the federated identity provider. Reducing the compliance burden while providing a more seamless connection experience for users will likely see the end of the ‘captive portal’.”


GDPR training

If you want to know more about preparing for the Regulation, you should enrol on one of our GDPR training courses. Depending on your level of expertise, you might be interested in either:

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

These courses are available in both classroom and distance learning formats.

Book these courses together in our Combination Course and save 15%.


  1. Nigel 20th February 2018
    • Niall McCreanor 19th April 2018
  2. Neil Rogerson 6th September 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.