The Regulatory Landscape Has Shifted
When GDPR came into force in May 2018, enforcement against small hospitality operators was sparse. Regulators focused on large-scale data breaches, high-profile tech companies, and systematic non-compliance at scale. A café with a poorly designed WiFi consent form was, in practical terms, low on the enforcement priority list.
That has changed. Since 2022, data protection authorities across the EU have shifted enforcement focus to include systematic consumer-facing consent violations at volume. A café may be small; a café franchise with 200 locations using identical non-compliant consent flows represents a systematic issue and has been the subject of investigations in Germany, France, and the Netherlands. Individual venue operators have received fines of €2,000–€15,000 for WiFi-related consent violations in 2024 and 2025.
Understanding what compliance requires — and what it does not require — is now a practical business necessity for any hospitality operator running a WiFi marketing programme.
Consent for WiFi Marketing: The Legal Basis
GDPR requires a lawful basis for processing personal data. For WiFi marketing, two bases are commonly cited: legitimate interest and explicit consent.
Legitimate interest applies to the WiFi session itself — logging that a device was on your network for security and network management purposes is a legitimate interest. You do not need explicit consent to know that a device was connected.
Explicit consent is required for marketing communications. If you want to send an email to a guest, you must have their unambiguous, affirmative consent to do so. This means:
- A clearly worded checkbox asking if they want to receive marketing
- The checkbox must be unticked by default (pre-ticked boxes are explicitly illegal under GDPR)
- Consent must be separate from the WiFi access grant — you cannot make marketing consent a condition of accessing the internet
- The consent statement must name your organisation and describe what marketing they will receive
This last point is often violated in generic portal setups: "By connecting, you agree to our terms and conditions" does not constitute valid marketing consent under GDPR Article 7.
What Pre-Ticked Boxes Cost You
The pre-ticked consent checkbox is the most common GDPR violation in hospitality WiFi deployments and the easiest to fix. Under Article 7 of GDPR and the Court of Justice of the EU's ruling in the Planet49 case (2019), consent obtained through pre-ticked boxes is invalid. Any marketing email sent to a contact whose consent was captured this way is sent without lawful basis.
The practical risk: a single complaint to a DPA (Data Protection Authority) about an unsolicited marketing email triggers an investigation. If your consent flow uses pre-ticked boxes, the investigation will likely result in a fine, plus a mandatory audit of all contacts captured via the non-compliant flow, plus a potential requirement to delete the affected data.
VoqadoWiFi portals use unchecked, opt-in consent boxes by default. This is not configurable to a pre-ticked state. The system is designed to produce legally valid consent at the point of capture.
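The consent rules above can be checked mechanically against a portal's HTML before it goes live. The following is an added example, not VoqadoWiFi code: it assumes the marketing checkbox is named `marketing_consent` (a hypothetical field name) and that its text sits in a `<label for=...>` element; the sample portals and "Example Cafe Ltd" are constructed.

```python
from html.parser import HTMLParser

class PortalForm(HTMLParser):
    """Collect checkbox inputs and <label for=...> text from portal HTML."""
    def __init__(self):
        super().__init__()
        self.checkboxes = {}   # input name -> attribute dict
        self.labels = {}       # label "for" id -> label text
        self._for = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # boolean attributes appear as key -> None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes[a.get("name")] = a
        elif tag == "label":
            self._for = a.get("for")

    def handle_endtag(self, tag):
        if tag == "label":
            self._for = None

    def handle_data(self, data):
        if self._for is not None:
            self.labels[self._for] = self.labels.get(self._for, "") + data

def audit_portal(html, organisation, field="marketing_consent"):
    """Return findings for the marketing-consent checkbox (assumed field name)."""
    form = PortalForm()
    form.feed(html)
    box = form.checkboxes.get(field)
    if box is None:                 # e.g. only "By connecting, you agree..."
        return ["no-separate-marketing-checkbox"]
    findings = []
    if "checked" in box:            # pre-ticked: invalid consent
        findings.append("pre-ticked")
    if "required" in box:           # form cannot be submitted without consent
        findings.append("consent-tied-to-access")
    label = form.labels.get(box.get("id"), "")
    if organisation.lower() not in label.lower():
        findings.append("organisation-not-named")
    return findings

# Constructed sample portals; "Example Cafe Ltd" is a placeholder organisation.
BAD_PORTAL = """<form><input type="checkbox" id="m" name="marketing_consent" checked required>
<label for="m">By connecting, you agree to our terms and conditions</label></form>"""
GOOD_PORTAL = """<form><input type="checkbox" id="m" name="marketing_consent">
<label for="m">Yes, Example Cafe Ltd may email me offers and event news</label></form>"""

if __name__ == "__main__":
    print(audit_portal(BAD_PORTAL, "Example Cafe Ltd"))
    print(audit_portal(GOOD_PORTAL, "Example Cafe Ltd"))
```

This is a static check of the form only; whether the consent statement adequately describes the marketing, and whether the server grants access when the box is left unticked, still need manual review.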
Data Minimisation: Collect Only What You Need
GDPR's data minimisation principle (Article 5(1)(c)) requires that personal data collected be "adequate, relevant and limited to what is necessary." For a WiFi marketing programme, the necessary fields are: email address (for marketing), and optionally first name (for personalisation). That is it.
Collecting date of birth, phone number, home address, or any other field not required for the stated purpose requires a separate justification. If you collect date of birth for birthday marketing, document this in your privacy notice and ensure the birthday marketing is described in the consent statement. If you collect phone numbers but only use email, stop collecting phone numbers.
The data minimisation principle also applies to session data retention. WiFi session logs should be retained for the minimum period necessary for their purpose: typically 12 months for marketing analytics, 30 days for network security logs. Retaining data indefinitely without a defined retention schedule is a compliance gap.
Right to Erasure Implementation
GDPR Article 17 gives individuals the right to have their personal data deleted. For venue operators, this means having a clear, documented process for responding to erasure requests:
1. A contact emails requesting deletion of their data
2. You identify all systems where their data is held: VoqadoWiFi CRM, Mailchimp audience, any POS system, any spreadsheet backups
3. You delete from all systems within 30 days
4. You send a confirmation to the requester
VoqadoWiFi processes erasure requests through the dashboard: search by email, select "delete contact," and confirm. The deletion propagates to all stored session data and contact records. You must separately delete the contact from your email marketing platform (Mailchimp, Klaviyo, etc.) — this is not automated by default but can be configured via webhook.
Maintain a log of erasure requests and responses. In the event of a DPA audit, this log demonstrates good-faith compliance practice.
DPA Registration by Country
Some EU member states require organisations that process personal data to register with their national DPA:
- Austria: Registration required for certain data controllers via DSB
- Germany: No centralised registration, but venue operators are required to appoint a DPO if processing data of more than 250 persons, or systematically processing sensitive data
- France: CNIL registration required for some processing activities via notification procedure
- Ireland: DPC registration recommended but not mandatory for most SMEs
- Netherlands: AP does not require registration but mandates maintaining a Record of Processing Activities (Art. 30 GDPR)
- UK (post-Brexit): ICO registration required for most data controllers; annual fee of £40–£60 depending on organisation size
Check your national DPA's current requirements. The ePrivacy Regulation (currently under revision in the EU) will, when enacted, add specific requirements for electronic communication including WiFi networks — operators should monitor the legislative timeline through their national DPA or a GDPR advisory service.
Practical Compliance Checklist for Venue Operators
This checklist covers the most common compliance gaps in hospitality WiFi marketing:
- [ ] WiFi marketing consent checkbox is unticked by default
- [ ] Consent statement names your organisation explicitly
- [ ] Consent for marketing is not a condition of WiFi access
- [ ] Privacy policy is linked from the portal and accessible without connecting
- [ ] Privacy policy documents: what data you collect, why, for how long, and how to request deletion
- [ ] Data retention schedule is defined (e.g., session logs 12 months, contact data 3 years from last visit)
- [ ] Erasure request process is documented and tested
- [ ] Mailchimp (or equivalent) unsubscribe is functional and tested
- [ ] Record of Processing Activities (Art. 30) is maintained if you process data of EU residents
- [ ] DPA registration status confirmed for your country
VoqadoWiFi's compliance documentation templates (available in the dashboard under Compliance > Documents) include a GDPR-ready privacy notice template, a Record of Processing Activities template, and an erasure request response template — all pre-filled with VoqadoWiFi's specific data processing activities to reduce your documentation burden.
Compliance is not a barrier to effective WiFi marketing. It is the foundation that makes WiFi marketing trustworthy, durable, and legally defensible. The venues that take it seriously build lists of genuinely engaged contacts; the venues that cut corners build liability.