GDPR and Wi-Fi – what you need to know

The General Data Protection Regulation (GDPR) – which comes into force across the EU in May 2018 – will impact every company providing public Wi-Fi services.  From coffee shops to train stations, the increased data protection responsibilities for the use and storage of EU citizen data is poised to have a significant impact on how companies offer Wi-Fi to customers.

Failing to prepare, preparing to fail

Many companies are not yet prepared for the rigorous legislation.  44 percent of IT decision makers think GDPR will not apply to UK business after the UK leaves the EU, and a further four percent have not even started preparations.  GDPR will apply to UK citizens until the country officially leaves the EU, and will continue to apply to UK-based companies post-Brexit that still deal with EU citizen data.

A business offering Wi-Fi in London, for example, will likely provide connectivity to European visitors.  Wi-Fi networks in UK international transport hubs will almost certainly continue to serve EU citizens.  These examples demonstrate the importance of developing a strong GDPR compliance plan.

Familiarity in a shifting landscape

One aspect of GDPR compliance is poised to cause a major shift in the way businesses provide public Wi-Fi.  GDPR specifically forbids restricting access to a wireless network on the basis of a customer providing personal data.  Companies that previously offset free Wi-Fi costs by selling personal data to third party marketing companies may replace their model with charging fees for Wi-Fi access.  If they do request customer data, businesses will need to demonstrate consent was “explicit, freely given, specific, and informed.”  Consent will not be “freely given” if there was no genuine or free choice.

The likely result of more stringent access requirements will be a widespread uptake of Federated Identity Management (FIM) technology among public Wi-Fi providers.   With FIM, applications and organisations rely on a common federated authority to manage the identity of a user.  There is no need to store any customer data with FIM, which makes it an attractive route for public Wi-Fi providers seeking cost-effective GDPR compliance.

For customers connecting to public Wi-Fi, FIM will be a familiar process.  Many people already use the process regularly when using their Facebook profile to access a third party website or app.  Similarly, a secure federated login replaces the collection of personal data to allow customers to auto-connect to public Wi-Fi networks.  Removing the need to store personal data transfers compliance responsibility to the federated identity provider.  Reducing the compliance burden while providing a more seamless connection experience for users will likely see the end of the ‘captive portal’.


Businesses need to start planning right now about how they will meet GDPR requirements.  Those offering public Wi-Fi services may not have considered the impact GDPR will have in this area.  While twelve months might seem a long way off, action must be taken ahead of the GDPR deadline to achieve compliance when the legislation comes into force.

Federated Identity offers perhaps the most effective route, but even with this in place there will still be elements of the legislation to consider.  The shift presents an opportunity to bring all areas of data protection up to speed to help customers feel more secure while using public networks.  GDPR has the potential to be a catalyst for real change and improved standards for public Wi-Fi services.

By Shane Buckley, CEO at Xirrus.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.