Information Commissioner's Office
Be wary of public Wi-Fi
Blog posted by: Simon Rice, Group Manager for Technology.
If you’re among the many who make use of free Wi-Fi services in our shops, hotels, train stations and airports, you may have noticed how different the sign-up process can be – ranging from just a simple click, to completing a lengthy form before you get online.
With so many organisations responsible for public Wi-Fi and the widely differing requests for personal information we decided to take a look at some of the Wi-Fi networks available on the UK high street. The results highlighted that while some networks did not request any personal data, others asked for varying amounts. In one case, this included a full name, postal and email address, mobile number, gender, as well as asking for a date of birth. Only the gender question was optional, the rest mandatory.
It was also the case that those Wi-Fi networks who requested personal data, generally also processed this for marketing purposes too. Some provided users with the choice to receive electronic newsletters and updates, with either an opt-in, or opt-out tick box. Others offered no choice at all during the sign-up process – the only choice was to not use the service.
What does the law say?
The Data Protection Act (DPA) does not contain any obligation for Wi-Fi network providers to force users to register, or otherwise provide personal data in order to use a free service. In fact, the DPA states that personal data must only be collected for specified purposes, as well as being adequate, relevant and not excessive.
But of course these specified purposes can include direct marketing which may result in the collection of personal data.
What should you do?
Once you connect to the right Wi-Fi network, be sure to take the time to read the information given by the provider. This should describe why they want your personal data.
It’s acceptable for a Wi-Fi provider to ask for an email address, with the intention to send you marketing material, but they need to be up front about this, and importantly, you need to agree to it.
You should only give out personal data which you are happy to share, if you are in any doubt… stop! One clear finding from our review highlighted that there are many providers of Wi-Fi services, so you should choose the one you are most comfortable with. If you don’t want to give out your primary email address, it may be useful to create an alternative to use for these services.
You should be aware that there are other security risks with using the internet in a public place. All Wi-Fi providers reviewed operated in an ‘open’ mode, which means that it does not encrypt traffic. There is a risk that anyone else connected to the same network can intercept your traffic. As a rule of thumb, look for a ‘HTTPS’ or padlock in your web browser, and you should think carefully before sharing information such as your bank details or passwords, especially if there is not a secure connection. If in doubt, wait until you get home.
Although not seen in this review, some networks can allow access if you log in with a social media account. Doing so will often require you to grant certain permission to the operator, such as granting them access to your profile or post messages on your feed.
What has the ICO done?
We have contacted the Wi-Fi network providers who were part of the review, to let them know of improvements they would need to make in their practices and if necessary we can take enforcement action to remedy breaches of the DPA or PECR.
If you think an organisation is not providing you with enough information about how they process your information, or that the data is not relevant or excessive, you can report your concerns on our website.
Latest News from
Information Commissioner's Office
Director’s Update – Looking at the future of Freedom of Information (FOI) through ICO2515/07/2022 12:25:00
This is the third in a series of updates from Warren Seddon, Director of FOI and Transparency.
UK Information Commissioner sets out focus on empowering people through information14/07/2022 11:25:00
The Information Commissioner’s Office (ICO) has set out a commitment to safeguard the information rights of the most vulnerable people, including regulatory work around children’s privacy, AI-driven discrimination, the use of algorithms within the benefits system and the impact of predatory marketing calls.
Behind the screens: ICO calls for review into use of private email and messaging apps within government11/07/2022 15:10:00
The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.
ICO and NCSC stand together against ransomware payments being made11/07/2022 12:25:00
Solicitors are being asked to play their part in keeping the UK safe online by helping to tackle the rise in organisations paying out to ransomware criminals.
ICO and Personal Information Protection Commission, South Korea, sign Memorandum of Understanding06/07/2022 10:10:00
The Information Commissioner’s Office (ICO) and the South Korean Personal Information Protection Commission (PIPC) have a strong relationship which recognises their shared common mission to uphold people’s information rights, while supporting digital innovation and economic development.
ICO sets out revised approach to public sector enforcement30/06/2022 15:05:00
The Information Commissioner’s Office (ICO) has today set out a revised approach to working more effectively with public authorities.
Statement in response to the government’s announcement on the upcoming Data Reform Bill17/06/2022 13:10:00
The government has published its response to a consultation on the upcoming Data Reform Bill.
Information Commissioner calls for an end to the excessive collection of personal information from victims of rape and serious sexual assault31/05/2022 14:05:00
The UK Information Commissioner has called on the criminal justice sector to immediately stop collecting excessive amounts of personal information from victims of rape and serious sexual assault cases.
ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted24/05/2022 09:10:00
The Information Commissioner’s Office (ICO) has fined Clearview AI Inc £7,552,800 for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition.