Guides · Compliance

Guest WiFi and the law.
The five things that keep you right.

GDPR and PECR sound frightening on a poster. In practice they ask five sensible things of your sign-in page. Here they are in plain English.

6 minute read · Updated June 2026

Why venue owners worry about this

Mention GDPR to a pub landlord and you can watch the shutters come down. Most have heard a horror story, usually third-hand, about fines with lots of zeroes. So guest WiFi either gets left wide open with no sign-in at all, or it gets handed to a platform that promises to "handle compliance" for a monthly fee, forever.

Here is the calmer truth. The rules that apply to a venue collecting emails through its WiFi are sensible, fixed, and easy to meet if the sign-in page is built properly on day one. This guide walks through exactly what they ask. It is general guidance rather than legal advice, but it is the same checklist we build into every portal we make.

The two sets of rules, in one minute

Two pieces of law matter here, and they do different jobs.

UK GDPR governs personal data: collecting it, storing it, and being able to show why you have it. An email address with a name attached is personal data, so the moment your WiFi captures one, GDPR applies.

PECR governs electronic marketing: who you are allowed to email or text, and what every message must include. It is the older, blunter cousin, and it is the one that actually bites venues, because it covers the question owners care about: "am I allowed to send offers to this list?"

Together they boil down to one sentence. You can market to the people who said yes, and you must be able to prove they said yes.

The five things a compliant portal needs

The compliant portal checklist: an unticked box, plain words, a privacy link, an unsubscribe link in every email, and a timestamped consent log

1. An unticked box. The guest chooses to opt in. A pre-ticked box, or a portal where connecting automatically joins you to the list, is not consent. This is the single most common failure and the easiest to avoid.

2. Plain words next to the box. "Send me the occasional offer from The Tinker's Arms" beats three paragraphs of legal mist. The guest should know who will email them and roughly how often, in the time it takes to read one line.

3. A link to your privacy notice. One short page saying what you collect, why, where it lives and how to be removed. If you have a website you almost certainly have one already; the portal just needs to point at it.

4. An unsubscribe link in every email. Every single one, working, one click. Most mailing list tools (Mailchimp, Brevo and the rest) add this automatically, which is one reason we sync portals into them rather than reinventing it.

5. A timestamped consent log. A record of who opted in, when, and what the page said at the time. Nobody looks at it for months on end, and then one day somebody asks "why am I getting these emails?" and it answers the question in ten seconds. This is the piece most cheap setups skip, and the piece that actually protects you.

That is the whole list. None of it is expensive and none of it slows a guest down. Built in from the start, compliance is a property of the page, not a chore on your to-do list.

Who owns the data (read this before signing anything)

Under GDPR the venue is the data controller: the list belongs to your business, and you decide what is done with it. Whoever built or hosts your portal is a data processor, handling the data on your instructions.

That is not just legal trivia, it is the commercial question. Some WiFi marketing platforms hold your guest list on their servers and let you use it while you subscribe. Stop paying and the practical value of "your" list can walk out the door with them. Whatever you sign, check the answer to one question: if we part ways, do I keep every contact and every consent record, in a format my own mailing list tool can read? If the answer is fuzzy, so is your ownership.

Our own setups sync opt-ins straight into the venue's mailing list account, so the answer is built in: it was always yours.

The common mistakes, so you can spot them

A pre-ticked consent box, anywhere, ever. "Everyone who connects joins the mailing list" with no choice. Buying a list to top yours up, which PECR treats very dimly indeed. Emailing people who only ever asked for the WiFi password verbally. And keeping no record at all of who consented, which turns an easy question into an awkward one.

If a supplier proposes any of these, that is your cue to smile, finish your coffee and choose a different supplier.

What about the browsing side?

A quieter worry we hear: "am I responsible for what guests do on my WiFi?" Sensible practice is family-friendly content filtering on the guest network and keeping guests separated from your tills and business systems. What a portal does not do is watch what people browse. A good guest network knows who connected and when; it is not a periscope into anyone's phone, and you should be suspicious of any product that sells it as one.

Questions owners actually ask

Do I need a cookie banner on the portal?

A well-built portal does not need to store anything on the guest's device, so no. Ours are built exactly that way, which keeps the sign-in to one screen.

How long can I keep the list?

As long as you are genuinely using it and people can leave at any time. What you should not do is sit on years of contacts you never email; if the list has gone cold, refresh consent or let it go.

Someone asked to be deleted. What now?

Remove them from your mailing list tool and they are gone from future sends; the unsubscribe link does the same job automatically. Keep a note of the request and the date, and you have handled it properly.

Is the free WiFi at the big chains doing all this?

The good ones, yes, with entire compliance teams behind them. The point of doing your portal properly is that an independent venue gets the same protection from a checklist instead of a legal department.

The short version

Guest WiFi compliance is five things: an unticked box, plain words, a privacy link, an unsubscribe link, and a consent log. Make sure the list and the log belong to your business, not your supplier. Get those right on day one and the law becomes the least interesting thing about your guest WiFi, which is exactly how it should be.

We build portals with all five baked in, across Worcester and the Three Counties. If yours is missing a couple, a free survey will tell you straight.

See our captive portal service →or book a free site survey