GDPR Compliance Checklist for Your WiFi Portal

Why This Matters

GDPR (and UK GDPR post-Brexit) requires that you collect personal data — including email addresses — only with explicit, informed consent. A captive portal that pre-ticks a marketing consent checkbox, or bundles marketing consent into the WiFi terms, is non-compliant and exposes you to ICO enforcement action. This checklist ensures your portal meets the legal standard. None of this is legal advice — consult a qualified solicitor for your specific situation — but these steps reflect best-practice implementation.

Step 1: Enable the Explicit Consent Checkbox (NOT Pre-Ticked)

In Portal Builder → Compliance Settings, locate Marketing Consent Checkbox. Ensure Pre-ticked by default is set to OFF. This is a hard legal requirement under GDPR Article 7 and Recital 32: "Silence, pre-ticked boxes or inactivity should not constitute consent." Your checkbox must be unticked when the form loads. The checkbox label must clearly state what the guest is consenting to, in plain English: "I agree to receive marketing emails from [Venue Name] about offers, events, and news." Do not use vague language like "I agree to the terms" to cover marketing consent.

Step 2: Link Your Privacy Policy URL

You must link to your Privacy Policy from the consent text. In Portal Builder → Legal Links, enter your Privacy Policy URL (this should be a page on your website, not a Google Doc or external link that can break). The policy must state: what data you collect, how it is stored, who it is shared with (e.g., Mailchimp as a processor), how long you retain it, and how guests can exercise their rights (access, deletion, portability). VoqadoWiFi provides a legal template under Settings → Legal → Download Template — customise it with your venue name, address, and DPA registration number.

Step 3: Separate Marketing Consent from Terms Acceptance

GDPR requires that consent for marketing is separate from consent to access the service (WiFi Terms of Service). In Portal Builder, you should have two distinct checkboxes: Checkbox 1 — Terms of Service (required to connect — guests cannot proceed without ticking this): "I agree to the WiFi Terms of Use." Checkbox 2 — Marketing Consent (optional — guests can connect to WiFi without ticking this): "I agree to receive marketing emails from [Venue Name]." Guests who untick Checkbox 2 should still be granted WiFi access. They can be stored in your CRM as non-marketing contacts (useful for analytics) but must not receive marketing emails.

Step 4: Configure Data Retention (Auto-Delete)

Go to Settings → Data & Privacy → Data Retention. Set Auto-delete inactive guest records after: 24 months (or 12 months for stricter compliance). This means guests who have not visited and have not interacted with your emails for the set period will have their personal data automatically purged from VoqadoWiFi's database. You'll receive a monthly summary of records deleted. Set Export notification to ON — you'll get an email each time a batch deletion runs, which is useful for audit trails.

Step 5: Enable GDPR Export and Deletion Requests

Under Settings → Data & Privacy → Guest Rights, toggle on Enable Right of Access Requests and Enable Deletion Requests. When enabled, guests can email you a data subject access request (DSAR) and you can fulfil it from the dashboard: go to CRM → Guests → Search by Email → [Guest Profile] → Export Data (for access requests) or Delete Guest (for erasure requests). You must fulfil DSARs within 30 days under GDPR. Log all requests in a spreadsheet with date received, date fulfilled, and type.

Step 6: SMS Consent (If Collecting Phone Numbers)

If you've enabled phone number collection in your portal form, SMS marketing requires a separate explicit consent mechanism. In Portal Builder → Form Fields → Phone Number → Consent Settings, enable the SMS Marketing Consent Checkbox (separate from the email marketing consent). This checkbox must specifically reference SMS: "I agree to receive marketing SMS messages from [Venue Name]. Message frequency varies. Reply STOP to unsubscribe." Omitting this checkbox and sending marketing SMS to collected numbers is a violation of the Privacy and Electronic Communications Regulations (PECR).

Step 7: ICO Registration Reminder

If you're a UK-based venue, you are required to register with the Information Commissioner's Office (ICO) as a data controller if you process personal data. Registration costs £40-£60/year for most small businesses (Tier 1). Register at ico.org.uk/registration. Your Data Protection Registration Number should appear in your Privacy Policy. VoqadoWiFi is listed as a data processor on your behalf — you remain the data controller. This registration requirement applies regardless of whether you use VoqadoWiFi.

Step 8: Test the Consent Flow End-to-End

Connect a test device to your WiFi SSID. On the captive portal, verify: both checkboxes are unticked by default, the Terms checkbox is required (form won't submit without it), the Marketing checkbox is optional (form submits if unticked), the Privacy Policy link opens correctly, the portal is served over HTTPS (padlock in browser address bar). After completing the form without ticking Marketing consent, check the guest profile in VoqadoWiFi CRM — the Marketing Opt-In field should show No. If it shows Yes despite an unticked checkbox, raise a support ticket immediately.