Information Commissioner's Office
Printable version E-mail this to a friend

Be wary of public Wi-Fi

Blog posted by: Simon Rice, Group Manager for Technology.

Wi-FiIf you’re among the many who make use of free Wi-Fi services in our shops, hotels, train stations and airports, you may have noticed how different the sign-up process can be – ranging from just a simple click, to completing a lengthy form before you get online.

With so many organisations responsible for public Wi-Fi and the widely differing requests for personal information we decided to take a look at some of the Wi-Fi networks available on the UK high street. The results highlighted that while some networks did not request any personal data, others asked for varying amounts. In one case, this included a full name, postal and email address, mobile number, gender, as well as asking for a date of birth. Only the gender question was optional, the rest mandatory.

It was also the case that those Wi-Fi networks who requested personal data, generally also processed this for marketing purposes too. Some provided users with the choice to receive electronic newsletters and updates, with either an opt-in, or opt-out tick box. Others offered no choice at all during the sign-up process – the only choice was to not use the service.

What does the law say?

The Data Protection Act (DPA) does not contain any obligation for Wi-Fi network providers to force users to register, or otherwise provide personal data in order to use a free service. In fact, the DPA states that personal data must only be collected for specified purposes, as well as being adequate, relevant and not excessive.

But of course these specified purposes can include direct marketing which may result in the collection of personal data.

The ICO’s guidance on direct marketing makes it clear that organisations need an individual’s consent, before they can send marketing texts and emails. For the agreement of a user to receive electronic marketing to be considered valid, it must be specific, fully informed and freely given. This means that consent is unlikely to be considered fully informed, if a statement is hidden within a lengthy privacy policy or notice, which is hard to find, difficult to understand… and in many cases, rarely read.

What should you do?

Once you connect to the right Wi-Fi network, be sure to take the time to read the information given by the provider. This should describe why they want your personal data.

It’s acceptable for a Wi-Fi provider to ask for an email address, with the intention to send you marketing material, but they need to be up front about this, and importantly, you need to agree to it.

You should only give out personal data which you are happy to share, if you are in any doubt… stop! One clear finding from our review highlighted that there are many providers of Wi-Fi services, so you should choose the one you are most comfortable with. If you don’t want to give out your primary email address, it may be useful to create an alternative to use for these services.

You should be aware that there are other security risks with using the internet in a public place. All Wi-Fi providers reviewed operated in an ‘open’ mode, which means that it does not encrypt traffic. There is a risk that anyone else connected to the same network can intercept your traffic. As a rule of thumb, look for a ‘HTTPS’ or padlock in your web browser, and you should think carefully before sharing information such as your bank details or passwords, especially if there is not a secure connection. If in doubt, wait until you get home.

Although not seen in this review, some networks can allow access if you log in with a social media account. Doing so will often require you to grant certain permission to the operator, such as granting them access to your profile or post messages on your feed.

What has the ICO done?

We have contacted the Wi-Fi network providers who were part of the review, to let them know of improvements they would need to make in their practices and if necessary we can take enforcement action to remedy breaches of the DPA or PECR.

If you think an organisation is not providing you with enough information about how they process your information, or that the data is not relevant or excessive, you can report your concerns on our website.

 

Latest News from
Information Commissioner's Office

Click here for more information