Wi-Fi and privacy: what is collected and what happens to your data?
Anyone who connects to a Wi-Fi network leaves a trail. Sometimes intentionally, but often without knowing it. What data exactly is collected, what is legally permitted, and how does Publicroam protect user privacy? This article explains it clearly.

How does Wi-Fi tracking work?
Mobile devices such as smartphones and tablets regularly broadcast Wi-Fi signals, even when they aren’t connected to a network. They do this to detect available Wi-Fi networks in the vicinity. Sensors can pick up and analyze these signals.
Nowadays, smartphones use MAC randomization: the device regularly and randomly changes its broadcast identification number (MAC address). This has made passive tracking — where a sensor picks up signals from devices that aren’t connected — more difficult than it was a few years ago.
However, as soon as a device actually connects to a network, it typically uses a consistent address within that same network. The sensor processes this address along with the signal strength, the device’s location, and the time of the measurement. From that point on, recognition during return visits is possible.
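The difference between probing and connected devices described above can be made concrete. The following is an added example, not part of the original article. It assumes a constructed log of (day, MAC address, connected) observations and uses hypothetical function names. It relies on the fact that randomized MAC addresses set the "locally administered" bit of the first octet.

```python
from collections import defaultdict

# Constructed sample observations: (day, mac, connected_to_network).
# One phone probes with a fresh randomized address each day but reuses one
# per-network address once connected; one older device probes with its
# fixed hardware address (taken from the IANA documentation range).
OBSERVATIONS = [
    (1, "da:a1:19:00:00:01", False),
    (2, "3e:5f:27:00:00:02", False),
    (1, "a6:10:42:00:00:03", True),
    (2, "a6:10:42:00:00:03", True),
    (1, "00:00:5e:00:53:0a", False),
    (2, "00:00:5e:00:53:0a", False),
]


def is_locally_administered(mac: str) -> bool:
    """True if bit 0x02 of the first octet is set, as randomized MACs do."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def summarize(observations):
    """Per state, count distinct addresses, randomized ones, and recurring ones."""
    days_seen = {False: defaultdict(set), True: defaultdict(set)}
    for day, mac, connected in observations:
        days_seen[connected][mac.lower()].add(day)

    report = {}
    for connected, macs in days_seen.items():
        state = "connected" if connected else "probing"
        report[state] = {
            "distinct": len(macs),
            "randomized": sum(is_locally_administered(m) for m in macs),
            # An address seen on more than one day allows return-visit recognition.
            "seen_on_multiple_days": sum(len(d) > 1 for d in macs.values()),
        }
    return report


if __name__ == "__main__":
    for state, stats in summarize(OBSERVATIONS).items():
        print(state, stats)
```

The connected address is flagged as randomized and still recurs on both days, so a randomized address alone does not prevent recognition within the same network.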
What can be collected?
There is a distinction between what is possible without an active connection and with an active connection.
Without a connection — passive tracking — it’s mainly about counting devices and mapping general foot traffic. Based on the collected data, a data analyst can provide information about the number of devices within the sensor’s range and people’s movement patterns. Companies use this to generate business data on shopping behavior and foot traffic. Due to MAC randomization, it has become increasingly difficult for passive tracking to follow individual devices over longer periods. However, counting and mapping foot traffic remains possible.
With an active connection — for example, via a captive portal, the login page that appears with public Wi-Fi — significantly more can be collected. Captive portals are used to collect email addresses, among other things. With this contact information, organizations can keep the user informed about their services after they’ve connected. Depending on the terms the user agrees to, this can be expanded to include name, visit frequency, time and duration of visits, and locations visited. With recurring connections, it’s possible to recognize a visitor as the same person.
Beyond MAC addresses and location data, other techniques allow tracking to remain possible even when MAC randomization is active, such as fingerprinting based on signal patterns, the IP address after connection, or login details provided via a captive portal.
What happens if a visitor gives permission?
If a visitor agrees to the privacy terms of a Wi-Fi network, they give the provider the right to process the collected data for the purposes described in those terms. These purposes vary greatly per provider. In practice, this can involve linking visitor data to loyalty programs, sending targeted offers based on location or visit frequency, or reselling anonymized or aggregated data to third parties such as market research firms or retailers’ associations.
What does the law say?
The General Data Protection Regulation (GDPR) states that a legal basis is required for processing personal data. Article 6, paragraph 1 of the GDPR lists six possible bases, including consent from the person involved, the performance of a contract, and the legitimate interest of the organization.
If the provider wants to rely on consent, that consent must be given in advance and must be based on specific information, without any ambiguity. A checkmark next to general terms of use often does not meet this requirement. In practice, captive portals frequently fail to meet the requirements for valid legal consent.
If the provider relies on consent, that consent must be freely given, specific, informed, and unambiguous. Access to Wi-Fi is regularly made dependent on accepting terms, which means the consent is not free. Additionally, there is often a lack of clear choices per purpose, such as marketing, and the information about data usage is insufficiently transparent. As a result, the consent obtained is often not legally valid under the GDPR.
The Data Protection Authority has clarified that counting visitors in (semi-)public spaces using tracking technologies is only permitted under very strict conditions. There is a high threshold for commercial purposes: according to the Data Protection Authority, commercial purposes cannot simply serve a legitimate interest when it comes to tracking people in public spaces.
Wi-Fi roaming and traceability
Wi-Fi roaming forms a separate category. This involves automatically connecting to Wi-Fi networks at different locations based on a unique identifier. Privacy agreements vary by roaming platform.
Within the federated OpenRoaming platform, the identity provider can determine what form of identity is shared with the network. In privacy-friendly configurations, an anonymous identity is used, where no directly traceable data is shared. In other configurations, however, a unique, traceable identifier can be used (for example, a pseudonym or an account-linked ID), making a user recognizable to the network upon repeated use. This means that a user who automatically connects to a network via OpenRoaming is traceable in certain configurations — provided they gave permission to share a permanent ID during the initial registration.
Publicroam distinguishes itself from this by fully safeguarding privacy. The service does not allow users to be asked for permission to link visitor data to loyalty programs or to use data commercially in any other way. Publicroam uses a governance model in which privacy is contractually secured. Agreements have been made with affiliated organizations regarding the use of the service and the processing of data. These state that only data necessary for authentication and to ensure the service works properly is collected. These agreements apply to all participants within the network. As a result, user privacy remains structurally protected — regardless of the location where the connection is made.
