Bradford 01274 350 800
Leeds 0113 849 4000
Huddersfield 01484 915 000

New guidelines for businesses offering Wi-Fi

The Information Commissioner’s Office (ICO) has issued new guidance setting out how businesses offering Wi-Fi access to their customers and employees may use Wi-Fi analytics in a way which complies with the Data Protection Act 1998 (DPA 1998).

What are Wi-Fi analytics?

Many electronic devices, including smartphones, tablets and laptops, are Wi-Fi enabled. When the Wi-Fi is switched on, the device will continually search for Wi-Fi networks within range by broadcasting “probe requests”, which contain a unique identifier called a media access control (MAC) address.

Businesses offering Wi-Fi access can collect these probe requests and extract the MAC addresses for further processing. Signal strength can also be monitored to estimate the location of a device. The information gathered can be used to track the behaviour of a device over time. It is possible for a specific individual to be identified from the information, allowing businesses to analyse that individual’s behaviour. This is known as Wi-Fi analytics.

A key point to note, and the main concern of the ICO, is that a device does not have to be connected to a Wi-Fi network for data to be collected; the Wi-Fi feature being switched on is enough. This means that data can be collected covertly without the data subject’s knowledge.

What are Wi-Fi analytics used for?

The information gathered can be used to monitor how often someone visits a business, how busy the business is at certain times of the day, and can generally be used to monitor a person’s behaviour. Wi-Fi analytics are used by businesses to inform their store layout, and even shape their marketing strategy by targeting specific products to individuals.

How can businesses ensure compliance with DPA 1998?

  1. Consent – businesses need to get consent from the individuals whose devices are providing data. Because of the nature of the data collection, this is not straightforward. The ICO guidance recommends that businesses conduct a privacy impact assessment to consider the level of information being collected in order to identify and reduce risks. Individuals should also be given the opportunity to opt-out if they don’t want data to be collected from their device.
  2. Transparency – it is important that businesses be clear and transparent about what they are doing. Where possible, they should notify individuals about any data collection. This could be done in a number of ways, including by putting up signs at the entrance to the business premises.
  3. Proportionality – data collection must be proportionate, i.e data should be collected and used only for the specified purpose. It should not be collected from passers-by or be kept for longer than necessary.
  4. Anonymise MAC addresses – this prevents individuals being identified.


For further information or help with understanding your obligations under the Data Protection Act, please contact a member of our Commercial team.

About the Author

Luisa D'Alessandro


As head of the commercial team Luisa has a wealth of commercial law experience and advises clients…

View Profile View all