Disclaimer: this article provides general guidance only. It is not legal advice. For specific legal queries, consult a qualified solicitor or contact the ICO directly.

If you offer guest WiFi at your pub, café, restaurant or B&B and you're collecting any customer data (email addresses, names, social media logins), then UK GDPR applies to you. The good news is that compliance isn't complicated and, done right, the data you collect legally can be genuinely valuable for your business.

Here's what you actually need to know.

The basics: what is UK GDPR?

UK GDPR is the UK's version of the EU General Data Protection Regulation, retained in UK law post-Brexit. It governs how organisations collect, store and use personal data. An email address is personal data. So is a name combined with a visit timestamp.

If your guest WiFi system collects any of this (and most social WiFi systems do), you're a data controller and UK GDPR applies to you.

The five things you must get right

1. Have a lawful basis for processing

You need a legitimate reason to collect and use guest data. For WiFi logins, the most common bases are:

  • Consent: the guest explicitly agrees to their data being collected for marketing purposes.
  • Legitimate interests: you may be able to collect basic login data (email for identification) without explicit consent if it's genuinely necessary for providing the service, but you should take legal advice on this.

For marketing specifically (sending promotional emails), you need consent. There's no getting around this.

2. Get proper consent for marketing

Marketing consent must be:

  • Freely given: you can't make WiFi access conditional on marketing opt-in
  • Specific: the guest must know what they're consenting to ("we'll email you about promotions and events")
  • Informed: they must know who is collecting the data and why
  • Unambiguous: a pre-ticked box is not valid consent; the guest must actively tick it

3. Tell people what you're collecting

Your WiFi login page must include (or link to) a privacy notice explaining:

  • Who you are and how to contact you
  • What data you collect and why
  • How long you keep it
  • Their rights (to access, rectify, erase their data)
  • Whether you share data with anyone

This sounds onerous but in practice it's a simple privacy policy page. Our systems include a template you can customise.

4. Keep data secure and don't keep it forever

Guest WiFi data should be stored securely (not in a spreadsheet on a shared drive), and you should have a retention policy. A typical reasonable approach: delete WiFi login data after 2–3 years of inactivity.

5. Register with the ICO

If you process personal data as a data controller, you're required to register with the ICO (Information Commissioner's Office) and pay a small annual fee (usually £40–£60 for small businesses). This is often overlooked but it is a legal requirement. Register at ico.org.uk.

What about the Investigatory Powers Act (IPA)?

The IPA 2016 (the "Snooper's Charter") requires internet service providers to retain certain communications data. For a small pub offering guest WiFi, this legislation does not apply to you: you're a consumer of internet services, not a provider of them in the regulatory sense. The IPA applies to regulated telecommunications providers, not businesses with a café hotspot.

That said, if your WiFi system keeps connection logs (IP addresses, MAC addresses, timestamps), you should have a policy for how long those logs are kept and who can access them.

The practical upshot

Properly configured social WiFi is GDPR-compliant and entirely legal. The data you capture through a compliant system is more valuable precisely because it's consent-based: you have a genuine marketing relationship with those customers.

The risks come from doing it badly: pre-ticked consent boxes, not having a privacy notice, keeping data indefinitely or sharing it without authorisation.

Frequently asked questions

If you're processing personal data (including email addresses collected via a WiFi login), you generally need to register with the ICO as a data controller. Annual fees are modest, typically £40–£60 for small organisations. See ico.org.uk for details.

No. Under UK GDPR, consent to marketing must be freely given and separate from any other terms. You can collect an email address for network identification purposes, but you cannot make marketing opt-in a requirement for accessing the WiFi.

You must comply. The right to erasure ("right to be forgotten") applies. You should have a process for deleting a customer's data on request; this is usually built into the WiFi management platform dashboard.

GDPR-compliant social WiFi, set up correctly from day one

Our business WiFi systems include compliant consent flows, privacy notices and data handling built in.
