Think of your favourite coffee shop or restaurant. Not one of the big ones, but that small independent coffee shop you often find yourself in, or that small family run restaurant that has the best starters around. It might be worrying to know that you could be at risk in almost 50,000 of those outlets throughout the UK.
We’ve all been there before. No data, very little charge left on your phone, and desperate to get in contact with somebody. Thankfully there are small coffee shops that let you just sit in, spend a couple of pounds, and make use of their free Wi-Fi, and occasionally some free electricity! Did you know there’s a raft of considerations that these establishments need to take into account before, and while, offering free Wi-Fi to customers?
Sometimes there’s a password to get through before you can check your emails in your favourite café. Other times you might need to offer up your email address to update your Facebook profile during lunch. Occasionally you can just jump straight in with ease and check the latest match score on your phone. Businesses asking for your email address and asking for terms and conditions to be accepted are more likely to be following the rules than those who just have a password hanging up on the wall. Within those terms and conditions there may be a variety of clauses that attempt to absolve the establishment you’re in from any liability should anything untoward happen to you (such as your card details being stolen, or if you’re involved in any form of copyright infringement).
How many of us read through those conditions? An experiment in London revealed that a handful of people had connected to a seemingly harmless, but random, public Wi-Fi hotspot, and in doing so had agreed to a “Herod clause” under which they would give up their first-born child in return for use of the public Wi-Fi.
But what is the primary reason these businesses throw these fairly hefty terms at you?
Usually, they’ll be covering themselves under laws such as:
• The EU General Data Protection Regulation (GDPR)
This helps to ensure businesses are gaining the correct consent to market legitimately to you, or to use any other data gathered during your time connected to their Wi-Fi.
• Anti-Terrorism, Crime and Security Act 2001
Ensuring a small business isn’t entangled in any dubious activity. This is why it’s so crucial that businesses know who is making use of their connection and are able to keep a secure log of what customers are up to.
• Digital Economy Act 2010
Asking you to agree to use the Wi-Fi in a manner consistent with legislation such as the Anti-Terrorism, Crime and Security Act 2001 and the Digital Economy Act 2010.
Most of this legislation is aimed at large corporations in order to safeguard consumers, particularly the GDPR. Unfortunately, the law does not distinguish between large and small businesses, meaning small independents can fall foul of these laws too. Changes to data protection legislation carry the possibility of substantial penalties for any wrongdoing, with the maximum penalty being either €20 million or 4% of annual worldwide turnover, whichever of the two is higher. So although it may be favourable for a business to have a log of exactly who is accessing their public Wi-Fi and what they are using it for, in order to comply with anti-terrorism legislation, this may need to be carefully balanced against the GDPR implications of holding and retaining that data.
Caught on the wrong side
The Information Commissioner’s Office (ICO) actually references public Wi-Fi within small businesses as a possible source of GDPR non-compliance. Here is an extract from the ICO’s website describing a non-compliant scenario:
“A café decides to provide free Wi-Fi to its customers. To access the Wi-Fi the customer must provide their name, email address and mobile phone number and then agree to the café’s terms and conditions.
Within the terms and conditions, it states that by providing their contact details the customer is consenting to receive marketing communications from the café. The café is therefore making consent to send direct marketing a condition of accessing the service.
However, collecting their customer’s details for direct marketing purposes is not necessary for the provision of the Wi-Fi. This is not therefore valid consent.”
We can look to examples of previous cases to understand the potential implications of falling short on compliance. For example, a managed pub was fined £8,000 after somebody made use of their public Wi-Fi to download copyrighted content. You’d be forgiven for thinking that small businesses offering free Wi-Fi access are doing so as a positive gesture for their customers, and hopefully helping to increase loyalty and affinity with their small establishment. Who knew that in doing so, businesses could find themselves wound up in lengthy legal battles?
How often could you be at risk? Let’s put it to the test
When reading cases of businesses being caught out by these legalities, it may look unfortunate that in these instances businesses didn’t have the appropriate safeguards in place. So how many other businesses could also be at risk?
We decided to put this to the test, looking at a random sample of small to medium eating and drinking establishments within a small town in the British Isles, and studying their public Wi-Fi offering to customers.
By visiting a sample of pubs, bars, and restaurants, we checked whether we could just jump on their Wi-Fi, whether we needed a password, and whether we were presented with a splash page to login to.
The remaining 75% of Wi-Fi connections were all password restricted, but with the password available to customers, either on request or up on a board somewhere within the establishment. Once logged in with this password, you are straight onto the web with no need to review any terms and conditions, and no record of who is using that connection. To comply with the Payment Card Industry Data Security Standard (PCI DSS), it is recommended that small businesses ensure their public Wi-Fi offering is delivered over a separate network from the one processing card transactions. Considering that 61% of payment card security breaches specifically impacted small businesses, a lack of knowledge and preparedness may well be why small businesses are the most commonly targeted in card data breaches.
Without the right provision in place, providing customers with access to in-store Wi-Fi could give somebody the opportunity to access critical business systems. If a card machine is sharing the same connection, or a till system or security cameras are attached to the same internet connection, it could be easier than you think for a man on the street to compromise these systems and gain access to crucial business data. Every business that processes card payments must confirm that it is following the PCI DSS; businesses that allow customers to jump onto the same network as their card machine may fall foul of this requirement and risk a significant number of chargebacks, or even risk losing their entire card takings.
Everyday customers also risk their card details being exposed and stolen over open Wi-Fi networks that are also being used by card machines.
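To make the segmentation point above concrete, here is an added example (not code from the original article, and not any establishment’s real configuration) in Python. It models two designs: the weak setting, where guest Wi-Fi clients share one flat subnet with the card terminal, till and CCTV, and the corrected one, where guests sit on their own VLAN and the firewall only lets them out to the internet. All subnets, host addresses and rules are constructed for illustration; the point is that on a flat network, traffic between a guest and the card machine never touches the firewall at all, so no rule table can save you.

```python
"""
Added example, not code from the original article: a small policy checker that
contrasts a flat cafe network, where guest Wi-Fi clients share one subnet with
the card terminal, till and CCTV, against a segmented design where guests sit on
their own VLAN and the firewall only lets them reach the internet. All subnets,
host addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "allow" or "deny"


@dataclass
class Policy:
    segments: dict                              # segment name -> IPv4Network (one VLAN each)
    rules: list = field(default_factory=list)   # inter-segment rules, first match wins
    default_allow: bool = False                 # verdict when no rule matches


def can_reach(policy: Policy, src: IPv4Address, dst: IPv4Address) -> bool:
    """Return True if a packet from src can reach dst under this policy.

    Hosts in the same segment are switched locally and never traverse the
    firewall, so they can always talk to each other (the flat-network flaw).
    Traffic between segments is evaluated against the rule table in order.
    """
    for net in policy.segments.values():
        if src in net and dst in net:
            return True
    for rule in policy.rules:
        if src in rule.src and dst in rule.dst:
            return rule.action == "allow"
    return policy.default_allow


def audit_guest_exposure(policy: Policy, guest: IPv4Address, assets: dict) -> dict:
    """Map each named business asset to whether a guest client can reach it."""
    return {name: can_reach(policy, guest, addr) for name, addr in assets.items()}


def is_guest_isolated(policy: Policy, guest: IPv4Address, assets: dict) -> bool:
    """True only when no business asset is reachable from the guest client."""
    return not any(audit_guest_exposure(policy, guest, assets).values())


# --- Constructed scenario 1: the weak setting, everything on one subnet ------
LAN_NET = ip_network("192.168.1.0/24")
FLAT = Policy(
    segments={"lan": LAN_NET},
    rules=[Rule(LAN_NET, ip_network("0.0.0.0/0"), "allow")],  # plain internet access
)
FLAT_GUEST = ip_address("192.168.1.57")
FLAT_ASSETS = {
    "card_terminal": ip_address("192.168.1.10"),
    "till": ip_address("192.168.1.11"),
    "cctv": ip_address("192.168.1.12"),
}

# --- Constructed scenario 2: guest VLAN with internet-only egress -----------
GUEST_NET = ip_network("192.168.50.0/24")
SEGMENTED = Policy(
    segments={
        "guest": GUEST_NET,
        "pos": ip_network("10.10.10.0/24"),
        "cctv": ip_network("10.10.20.0/24"),
    },
    rules=[
        # Deny guests every private range first, then allow everything else.
        Rule(GUEST_NET, ip_network("10.0.0.0/8"), "deny"),
        Rule(GUEST_NET, ip_network("172.16.0.0/12"), "deny"),
        Rule(GUEST_NET, ip_network("192.168.0.0/16"), "deny"),
        Rule(GUEST_NET, ip_network("0.0.0.0/0"), "allow"),
    ],
    default_allow=False,
)
SEG_GUEST = ip_address("192.168.50.57")
SEG_ASSETS = {
    "card_terminal": ip_address("10.10.10.10"),
    "till": ip_address("10.10.10.11"),
    "cctv": ip_address("10.10.20.5"),
}
INTERNET_HOST = ip_address("203.0.113.8")  # TEST-NET-3 address standing in for a public site


if __name__ == "__main__":
    for label, pol, guest, assets in (
        ("flat", FLAT, FLAT_GUEST, FLAT_ASSETS),
        ("segmented", SEGMENTED, SEG_GUEST, SEG_ASSETS),
    ):
        print(label, audit_guest_exposure(pol, guest, assets),
              "internet:", can_reach(pol, guest, INTERNET_HOST),
              "isolated:", is_guest_isolated(pol, guest, assets))
```

Running it shows every asset reachable from the guest on the flat network and none on the segmented one, while both guests still get to the internet. The ordering of the deny rules before the broad allow is the part that most often goes wrong on real kit: a single “allow guest to any” rule placed first would quietly reopen the card terminal.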
With over 7,000 independent coffee shops across the UK, and over 74,000 independent restaurants and bars, it is safe to say we are fairly spoilt for choice. This number is only set to rise, particularly as the office shifts towards home working and small independents, like your friendly local barista.
It is worrying to think that almost 50,000 small independent businesses could be at risk of non-compliance, and potentially hefty fines. With an inevitable shift to more flexible working arrangements post-COVID, these independent businesses could see their Wi-Fi offering become a source of competitive advantage. Making sure the right tools are in place to protect both business owners and their customers could be the difference between a thriving business and a whopping fine that tips an independent over the edge.