CCPA & WiFi Marketing: California Compliance Guide
Key Takeaways: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to WiFi data collection at California venues and gives consumers the right to know, delete, correct, and opt out of the sale or sharing of their personal information. Unlike GDPR, CCPA does not require opt-in consent for data collection — it uses an opt-out model. But "sharing" personal data for cross-context behavioral advertising (including Facebook Custom Audience syncing) triggers opt-out requirements. Penalties reach $7,500 per intentional violation. This guide covers what CCPA/CPRA requires for WiFi marketing deployments and how to implement compliance.
California is the largest US state by population (39 million residents) and by economic output ($4.1 trillion GDP). If your clients operate venues in California — or serve California residents at venues anywhere — CCPA/CPRA applies to their WiFi data collection.
CCPA (effective 2020) established the baseline. CPRA (effective January 1, 2023) strengthened it with new categories, new rights, and a new enforcement agency: the California Privacy Protection Agency (CPPA). Together, they create the most comprehensive privacy law in the United States.
According to the CPPA's 2025 enforcement report, 47 formal investigations were initiated in 2025, with average penalties of $185,000 per enforcement action. The CPPA has specifically flagged location-based data collection as an enforcement priority for 2026.
Does CCPA apply to my WiFi deployment?
CCPA applies to a "business" that:
- Operates for profit
- Collects consumers' personal information
- Does business in California or targets California residents
- Meets one or more thresholds:
  - Annual gross revenue over $25 million, OR
  - Buys, sells, or shares personal information of 100,000+ consumers/households/devices annually, OR
  - Derives 50%+ of annual revenue from selling or sharing personal information
For WiFi marketing: The 100,000 device threshold is the most commonly triggered. A venue processing 300+ daily WiFi connections (typical for a busy restaurant or retail location) captures over 100,000 device records annually. The venue operator — or the reseller acting on behalf of the venue — likely meets this threshold.
Even if the venue itself does not meet the thresholds, the WiFi platform provider (MyWiFi Networks) processes data across all clients, which aggregates above the thresholds. This means the platform has CCPA compliance obligations regardless of individual venue size.
Service provider vs. third party
Under CCPA, the entity relationships matter:
- Business: The venue operator who controls the purpose and means of data collection
- Service provider: The reseller or platform that processes data on behalf of the business, governed by a service provider agreement
- Third party: Any entity that receives personal information for its own purposes (not on behalf of the business)
WiFi marketing platforms should operate as service providers with a written service provider agreement (SPA). If the platform uses guest data for its own marketing purposes (separate from serving the venue), it may be classified as a third party — which triggers consumer opt-out rights.
What personal information does WiFi capture under CCPA?
CCPA defines "personal information" broadly. WiFi data collection captures several categories defined in Section 1798.140(v):
| CCPA Category | WiFi Data Examples |
|---|---|
| Identifiers | Email address, phone number, name, device MAC address |
| Internet activity | Browsing history post-portal, session duration, bandwidth |
| Geolocation data | AP-based zone location within venue |
| Inferences | Visit frequency, guest segment, churn prediction |
| Electronic network activity | RADIUS session data, connection logs |
Sensitive personal information (CPRA addition): Precise geolocation (latitude/longitude within 1,850 feet) is classified as "sensitive personal information" under CPRA, triggering additional rights including the right to limit use and disclosure. WiFi zone-level data (which AP served the connection) may or may not qualify as precise geolocation depending on the AP density and zone size.
Consumer rights under CCPA/CPRA
Right to know (Section 1798.100)
Consumers have the right to know what personal information is collected, the categories of sources, the business purpose, and the categories of third parties with whom the information is shared.
Implementation: The venue's privacy notice (linked from the captive portal) must disclose all categories of personal information collected, the specific business purposes for each category, and any third parties or service providers that receive the data.
Right to delete (Section 1798.105)
Consumers can request deletion of their personal information. The business must comply within 45 days (extendable by 45 days with notice).
Implementation: Establish a process for receiving, verifying, and executing deletion requests. MyWiFi's guest management tools support per-guest data deletion. Ensure deletion propagates to all systems: the platform database, CRM, email service provider, and any offline exports.
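A sketch of the request tracking this process needs, as an added example rather than MyWiFi's or any platform's code. The class, the system labels, and the reading that the extension notice must be sent inside the first 45 days are assumptions of the example.

```python
from datetime import date, timedelta

# Systems the guide says a deletion must reach (labels are assumptions).
SYSTEMS = ("platform_db", "crm", "email_service", "offline_exports")
RESPONSE_DAYS = 45
EXTENSION_DAYS = 45

class DeletionRequest:
    """Tracks one consumer deletion request until every system confirms."""
    def __init__(self, email, received):
        self.email = email.strip().lower()
        self.received = received
        self.verified = False      # set True once identity is verified
        self.extended = False
        self.pending = set(SYSTEMS)
        self.done = {}

    def due_date(self):
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def extend(self, notice_sent_on):
        # Assumption: the notice must reach the consumer within the first window.
        if notice_sent_on > self.received + timedelta(days=RESPONSE_DAYS):
            raise ValueError("extension notice sent after the initial 45 days")
        self.extended = True

    def confirm(self, system, on):
        """Record that `system` has erased the guest's data."""
        if not self.verified:
            raise PermissionError("request has not been verified")
        if system not in SYSTEMS:
            raise ValueError("unknown system: " + system)
        self.pending.discard(system)
        self.done[system] = on

    def status(self, today):
        if not self.pending:
            return "complete"
        return "overdue" if today > self.due_date() else "open"

if __name__ == "__main__":
    # Constructed sample request, not real guest data.
    req = DeletionRequest("guest@example.com", date(2025, 3, 1))
    req.verified = True
    req.confirm("platform_db", date(2025, 3, 5))
    print(req.due_date(), sorted(req.pending), req.status(date(2025, 3, 6)))
```

A request stays "open" while any system is still pending, so a missed offline export keeps it from being closed.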
Right to correct (Section 1798.106 — CPRA)
Consumers can request correction of inaccurate personal information.
Implementation: The venue must be able to update guest records upon verified request.
Right to opt out of sale or sharing (Section 1798.120)
Consumers have the right to opt out of the "sale" or "sharing" of their personal information. Under CPRA:
- Sale = exchanging personal information for monetary or other valuable consideration
- Sharing = disclosing personal information for cross-context behavioral advertising
Critical for WiFi marketing: Syncing WiFi-captured email lists to Facebook Custom Audiences or Google Customer Match for ad targeting constitutes "sharing" under CPRA, because the personal information is being disclosed to a third party (Meta, Google) for advertising purposes.
This means: if the venue syncs WiFi guest data to advertising platforms, the venue must provide a "Do Not Sell or Share My Personal Information" mechanism, and consumers who exercise this right must be excluded from the ad audience sync.
Implementation:
- Include a "Do Not Sell or Share My Personal Information" link on the captive portal or in the venue's privacy notice — the consent management features in the platform support this at the portal level
- Honor opt-out requests by excluding opted-out consumers from advertising audience syncs
- Recognize the Global Privacy Control (GPC) browser signal as a valid opt-out request (required by CPRA regulations)
Right to limit use of sensitive personal information (Section 1798.121 — CPRA)
If precise geolocation data is collected, consumers can request that its use be limited to what is necessary for the service. The venue must provide a "Limit the Use of My Sensitive Personal Information" link. The privacy-ready portal builder includes configurable data subject rights links that satisfy this requirement.
Implementation: If WiFi deployment captures precise geolocation (high-density AP deployments with triangulation), provide the limitation mechanism and honor requests.
Implementation checklist
Captive portal requirements
- Privacy notice link visible on portal. Before the guest submits any data, a link to the venue's privacy notice must be accessible.
- "Do Not Sell or Share" link. If guest data is shared with advertising platforms (Facebook, Google), include the opt-out link on the portal or privacy notice.
- GPC signal recognition. Configure the portal or website to detect and honor the Global Privacy Control (GPC) browser signal. When GPC is detected, treat the consumer as having opted out of sharing.
- Collection disclosure at point of collection. The portal must disclose the categories of personal information being collected and the purpose of collection. This can be a concise notice: "We collect your email and visit data to provide WiFi access and send promotional offers. See our Privacy Policy."
Privacy notice requirements
- Categories of personal information collected. List each CCPA category with specific data types.
- Business purposes for collection. State each purpose: providing WiFi access, marketing communications, analytics, advertising audience creation.
- Categories of third parties. Disclose third parties that receive personal information: email service providers, advertising platforms, analytics providers.
- Consumer rights disclosure. Inform consumers of their rights (know, delete, correct, opt out of sale/sharing, limit sensitive data use).
- How to exercise rights. Provide at least two methods for submitting requests: a toll-free number and a web form or email address.
- Retention periods. Disclose how long each category of data is retained.
- Financial incentive disclosure. If the WiFi offer (free WiFi in exchange for data) constitutes a "financial incentive" under CCPA Section 1798.125, disclose the incentive terms. Free WiFi access in exchange for email may qualify as a financial incentive.
Service provider agreements
- Written SPA between venue and reseller. If the reseller processes data on behalf of the venue, a written service provider agreement is required under Section 1798.140(ag).
- Written SPA between reseller and platform. MyWiFi Networks provides a CCPA-compliant service provider agreement.
- SPA restrictions. The SPA must prohibit the service provider from selling or sharing the personal information, retaining or using it for purposes other than performing the contracted service, and combining it with personal information from other sources.
Data practices
- Retention limits. Define and enforce retention periods. CCPA does not mandate specific periods but requires that retention be "no longer than reasonably necessary" for the stated purpose.
- Automated deletion. Implement automated purging consistent with retention policy. See our data retention policy template.
- Opt-out tracking. Maintain records of consumers who have exercised opt-out rights. Ensure opted-out consumers are excluded from advertising audience syncs and any data sharing.
- Annual privacy notice update. CCPA requires the privacy notice to be updated at least annually.
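The GPC signal recognition and opt-out tracking items above, shown end to end as an added example (not code from the platform or this guide). The form field `do_not_sell_or_share`, the in-memory registry, and the function names are assumptions. The `Sec-GPC: 1` request header is how browsers send the GPC signal.

```python
def gpc_opt_out(headers):
    """True when the request carries the GPC header `Sec-GPC: 1`."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":        # header names are case-insensitive
            return value.strip() == "1"
    return False

def normalize_email(email):
    return email.strip().lower()

class OptOutRegistry:
    """Opt-out records keyed by normalized email (stand-in for a database table)."""
    def __init__(self):
        self.records = {}

    def record(self, email, source, at):
        # Keep the first record so the audit trail shows when the opt-out began.
        self.records.setdefault(normalize_email(email), {"source": source, "at": at})

    def is_opted_out(self, email):
        return normalize_email(email) in self.records

def handle_portal_login(headers, form, registry, now):
    """GPC and the 'Do Not Sell or Share' control both register an opt-out."""
    email = form["email"]
    if gpc_opt_out(headers):
        registry.record(email, "gpc", now)
    elif form.get("do_not_sell_or_share") == "on":   # hypothetical field name
        registry.record(email, "portal_link", now)
    # The opt-out is sticky: a later visit without GPC does not undo it.
    return {"email": normalize_email(email), "opted_out": registry.is_opted_out(email)}

def build_audience_sync(guests, registry):
    """Emails eligible for an ad-audience upload; opted-out guests are dropped."""
    return [normalize_email(g["email"]) for g in guests
            if not registry.is_opted_out(g["email"])]

def demo():
    # Constructed sample submissions, not real guest data.
    reg = OptOutRegistry()
    visits = [({"Sec-GPC": "1"}, {"email": " Ana@Example.com "}),
              ({"User-Agent": "demo"}, {"email": "bob@example.com"}),
              ({}, {"email": "cy@example.com", "do_not_sell_or_share": "on"}),
              ({}, {"email": "ana@example.com"})]   # Ana returns without GPC
    guests = [handle_portal_login(h, f, reg, "2025-01-01T10:00:00Z") for h, f in visits]
    return build_audience_sync(guests, reg), reg

if __name__ == "__main__":
    print(demo()[0])
```

Filtering at sync time against the registry, rather than at capture time, also removes guests who opted out after their record was first collected.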
CCPA vs. GDPR: Key differences for WiFi marketing
| Requirement | CCPA/CPRA | GDPR |
|---|---|---|
| Consent model | Opt-out (collect first, allow opt-out) | Opt-in (obtain consent before collection) |
| Marketing consent | Not required for collection; required for sale/sharing opt-out | Required before sending any marketing |
| Scope | California residents | EU residents/visitors |
| Consent checkbox | Not required | Required, unchecked by default |
| Legal basis | Not required (no legal basis framework) | Required (consent, legitimate interest, etc.) |
| Penalties | $2,500/violation (unintentional), $7,500/violation (intentional) | Up to EUR 20M or 4% global revenue |
| Enforcement | CPPA + Attorney General | National data protection authorities |
| Data minimization | No explicit requirement | Required (collect only what is necessary) |
| DPO requirement | No | Conditional (large-scale monitoring) |
Practical implication: A portal deployed in both EU and California markets should implement GDPR-level protections (the more restrictive standard) as the baseline, with CCPA-specific additions (Do Not Sell/Share link, GPC recognition, financial incentive disclosure).
Multi-state privacy landscape
California led, but 14 other US states have passed comprehensive privacy laws as of 2025:
| State | Law | Effective | Key Addition |
|---|---|---|---|
| Virginia | VCDPA | 2023 | Consumer consent for targeted advertising |
| Colorado | CPA | 2023 | Universal opt-out mechanism |
| Connecticut | CTDPA | 2023 | Right to opt out of profiling |
| Utah | UCPA | 2023 | Business-friendly, narrower scope |
| Oregon | OCPA | 2024 | Strong data minimization |
| Texas | TDPSA | 2024 | 100K+ device threshold |
| Montana | MCDPA | 2024 | Low threshold (50K consumers) |
| Iowa | ICDPA | 2025 | Limited consumer rights |
| Indiana | INCDPA | 2026 | Broad scope |
| Tennessee | TIPA | 2025 | Revenue threshold |
| Delaware | DPDPA | 2025 | Strong consumer rights |
| New Hampshire | SB 255 | 2025 | Similar to Connecticut |
| New Jersey | NJDPA | 2025 | Strong opt-out rights |
| Nebraska | NDPA | 2025 | Follows Virginia model |
| Minnesota | MCDPA | 2025 | Broad definition of personal data |
According to the IAPP's 2025 US State Privacy Legislation Tracker, 8 additional states have bills in progress.
Practical approach for resellers: Implement CCPA/CPRA compliance as the baseline for US deployments (it is the most restrictive US state law). Layer state-specific requirements for states with unique provisions. A multi-state compliant privacy notice and portal configuration covers all current and pending state laws.
Financial incentive considerations
Under CCPA Section 1798.125, a business may offer a "financial incentive" for the collection of personal information. Free WiFi access in exchange for email or phone number may constitute a financial incentive because the consumer receives something of value (WiFi access) in exchange for personal information.
If free WiFi is classified as a financial incentive:
- The incentive terms must be disclosed in the privacy notice
- The consumer must opt in to the incentive (not be forced into it)
- The business must describe the material terms and the value of the consumer's data
- The incentive cannot be discriminatory against consumers who do not participate
Implementation: Include language in the privacy notice: "We offer free WiFi access as a service to our guests. Providing your email address to access WiFi enables us to send you promotional offers. The estimated value of this data exchange is [the value of the WiFi service provided]. You may use WiFi without providing marketing consent by [alternative access method]."
FAQ
Does CCPA require consent before collecting WiFi data? No. Unlike GDPR, CCPA uses an opt-out model. You can collect data at the point of WiFi authentication and must provide opt-out mechanisms afterward. However, disclosure at the point of collection is required — the guest must be informed of what data is collected and why.
Does syncing WiFi data to Facebook Custom Audiences violate CCPA? Not automatically, but it constitutes "sharing" under CPRA and triggers the right to opt out. You must provide a "Do Not Sell or Share" mechanism and honor opt-out requests by excluding those consumers from the audience sync.
What is the Global Privacy Control (GPC) and do I need to support it? GPC is a browser-level privacy signal (similar to "Do Not Track" but legally recognized). CPRA regulations require businesses to treat GPC as a valid opt-out of sale/sharing request. If a guest visits the captive portal with GPC enabled, treat them as having opted out of data sharing.
Do I need to delete data if a California consumer requests it? Yes, within 45 days (extendable by 45 days with notice). The deletion must include all systems: WiFi platform, CRM, email lists, analytics databases, and any exported copies.
Can a non-California venue be subject to CCPA? Yes, if the venue serves California residents or collects data from California residents. A New York hotel serving California tourists is subject to CCPA for those tourists' data.
How do CCPA and GDPR interact for venues serving both EU and California guests? Implement GDPR as the baseline (it is more restrictive). Add CCPA-specific requirements: "Do Not Sell/Share" link, GPC recognition, and California-specific privacy notice disclosures. A unified portal with both mechanisms covers both jurisdictions. See our multi-jurisdiction consent guide for implementation details.