Information Commissioner's Office
Be wary of public Wi-Fi
Blog posted by: Simon Rice, Group Manager for Technology.
If you’re among the many who make use of free Wi-Fi services in our shops, hotels, train stations and airports, you may have noticed how different the sign-up process can be – ranging from just a simple click, to completing a lengthy form before you get online.
With so many organisations responsible for public Wi-Fi and the widely differing requests for personal information we decided to take a look at some of the Wi-Fi networks available on the UK high street. The results highlighted that while some networks did not request any personal data, others asked for varying amounts. In one case, this included a full name, postal and email address, mobile number, gender, as well as asking for a date of birth. Only the gender question was optional, the rest mandatory.
It was also the case that those Wi-Fi networks who requested personal data, generally also processed this for marketing purposes too. Some provided users with the choice to receive electronic newsletters and updates, with either an opt-in, or opt-out tick box. Others offered no choice at all during the sign-up process – the only choice was to not use the service.
What does the law say?
The Data Protection Act (DPA) does not contain any obligation for Wi-Fi network providers to force users to register, or otherwise provide personal data in order to use a free service. In fact, the DPA states that personal data must only be collected for specified purposes, as well as being adequate, relevant and not excessive.
But of course these specified purposes can include direct marketing which may result in the collection of personal data.
What should you do?
Once you connect to the right Wi-Fi network, be sure to take the time to read the information given by the provider. This should describe why they want your personal data.
It’s acceptable for a Wi-Fi provider to ask for an email address, with the intention to send you marketing material, but they need to be up front about this, and importantly, you need to agree to it.
You should only give out personal data which you are happy to share, if you are in any doubt… stop! One clear finding from our review highlighted that there are many providers of Wi-Fi services, so you should choose the one you are most comfortable with. If you don’t want to give out your primary email address, it may be useful to create an alternative to use for these services.
You should be aware that there are other security risks with using the internet in a public place. All Wi-Fi providers reviewed operated in an ‘open’ mode, which means that it does not encrypt traffic. There is a risk that anyone else connected to the same network can intercept your traffic. As a rule of thumb, look for a ‘HTTPS’ or padlock in your web browser, and you should think carefully before sharing information such as your bank details or passwords, especially if there is not a secure connection. If in doubt, wait until you get home.
Although not seen in this review, some networks can allow access if you log in with a social media account. Doing so will often require you to grant certain permission to the operator, such as granting them access to your profile or post messages on your feed.
What has the ICO done?
We have contacted the Wi-Fi network providers who were part of the review, to let them know of improvements they would need to make in their practices and if necessary we can take enforcement action to remedy breaches of the DPA or PECR.
If you think an organisation is not providing you with enough information about how they process your information, or that the data is not relevant or excessive, you can report your concerns on our website.
Latest News from
Information Commissioner's Office
Statement from Information Commissioner Elizabeth Denham on the NHS COVID-19 app24/09/2020 11:10:00
Statement given by the Information Commissioner Elizabeth Denham on the NHS COVID-19 app.
Blog: Data protection considerations and the NHS COVID-19 app21/09/2020 15:38:00
Information Commissioner Elizabeth Denham talks about the regulatory work the ICO has been involved in regarding the England and Wales NHS COVID-19 app.
Data protection guidance for collecting customer information21/09/2020 12:25:00
The Information Commissioner’s Office (ICO) has published data protection guidance for organisations mandated to collect customer and visitor information.
Accountability Framework: demonstrating your compliance14/09/2020 10:15:00
Ian Hulme, Director of Regulatory Assurance discusses the launch of our new Accountability Framework and how organisations can take part in the next stage of its development.
ICO fines company £130,000 for unauthorised pensions cold calls11/09/2020 09:10:00
The Information Commissioner’s Office (ICO) has issued a fine under a law brought in to stop scammers defrauding people out of their pensions.
Blog: Ten top tips for innovators09/09/2020 09:10:00
ICO are always looking for new and innovative ways to offer advice and support to any businesses involved in data protection because it is imperative that consumers who share their personal data with your organisation are confident that this data will be treated fairly, lawfully and transparently.
ICO’s Children’s Code will help protect children online02/09/2020 10:45:00
A statutory code requiring organisations to provide better online privacy protections for children comes into force today, triggering the start of a 12 month transition period.
2020 Annual Track survey results27/08/2020 15:10:00
As the UK economy adjusts to the impact of COVID-19, it has never been more important for organisations to understand what their customers want and expect.