Business broadband for guest Wi-Fi: the 2026 UK guide

Offering Wi-Fi to customers, clients, and visitors is no longer a perk in the UK; it is an expectation in cafes, salons, hotels, retail, gyms, clinics, and most professional services. Done well, guest Wi-Fi improves customer experience, builds GDPR-compliant marketing data, and protects business-critical systems from unauthorised access. Done badly, it can slow card payments, expose your network to cyber threats, and leave your business legally liable for what guests do on your connection. This 2026 UK guide covers everything you need: choosing the right broadband, separating guest traffic from card payment systems, captive portal options, UK GDPR compliance, and sector-specific setup guidance for the most common UK SME use cases.

£20m: maximum UK GDPR fine for non-compliant guest Wi-Fi data handling
12 months: UK Investigatory Powers Act guidance on connection log retention
99%: UK premises with at least superfast broadband (Ofcom 2025)
£50,000: Digital Economy Act maximum fine for copyright infringement on open Wi-Fi

In short

For most UK SMEs, business-grade guest Wi-Fi in 2026 needs five things: enough broadband headroom that guests cannot saturate the line and slow business systems (typically 100 to 500 Mbps depending on premises and footfall), a separate guest network (separate SSID with VLAN isolation) so guest traffic cannot reach card payment terminals, EPOS, CCTV, or office computers, a captive portal that handles UK GDPR consent properly and logs connection activity for legal compliance, sensible bandwidth limits per guest device to prevent one user saturating the connection, and a documented acceptable use policy that protects the business from liability for guest activity. This can be done with router built-in features for very small premises (cafes, salons under 30 covers) or with dedicated business Wi-Fi access points for larger venues (hotels, gyms, larger restaurants).

1. Why UK businesses need proper guest Wi-Fi in 2026

Guest Wi-Fi is now an expectation rather than a perk for most UK customer-facing businesses. In 2026, customers reasonably expect free Wi-Fi in cafes, restaurants, hotels, salons, gyms, retail shops, and waiting rooms; many will choose alternatives where it is missing, and the business risk of not offering Wi-Fi often outweighs the cost of providing it properly. At the same time, offering guest Wi-Fi without proper setup creates four genuine business risks that did not exist a decade ago.

  • Slowed business systems: Without traffic separation and bandwidth controls, a single guest streaming 4K video can degrade card payment terminals, EPOS systems, cloud-based booking software, and staff video calls. This is the most common day-to-day complaint about poorly configured guest Wi-Fi.
  • UK GDPR compliance risk: Any business that captures guest data through a captive portal (email, name, device ID) must comply with UK GDPR (Data Protection Act 2018). Maximum fines reach £17.5 million or 4 percent of annual global turnover, whichever is higher (ICO, 2025), with smaller penalties commonly issued for everyday breaches.
  • Legal liability for guest activity: Under the UK Digital Economy Act 2010, businesses can be held responsible for copyright infringement carried out over their connection. A 2024 ICO case saw a Manchester pub fined £8,000 for downloads carried out by a guest on its open Wi-Fi. Without connection logs, the business cannot identify the responsible user and bears the liability itself.
  • Cybersecurity exposure: Guest devices on the same network as business systems (printers, CCTV, point-of-sale, office computers) create a path for malware to spread from a compromised guest device to business-critical equipment. This is why network segmentation matters as much as the broadband connection itself.

The good news is that all four risks are entirely manageable with the right setup, which is what the rest of this guide covers. For most UK SMEs, getting guest Wi-Fi right is a few hours of one-off configuration plus a small ongoing cost (often just the broadband line itself if the router has the necessary features built in).

2. How much broadband do you need for guest Wi-Fi?

The right business broadband speed for guest Wi-Fi depends on three factors: how many concurrent guests typically use the Wi-Fi, what those guests do on the network (browsing and email vs streaming and video calls), and what business systems also need bandwidth on the same connection. As a practical rule of thumb for UK SMEs in 2026, allow around 3 to 5 Mbps download per concurrent guest device for typical usage, plus headroom for business systems that must remain responsive at all times.

| Business type | Typical concurrent guests | Recommended business broadband | Notes |
|---|---|---|---|
| Small cafe / takeaway | 5 to 15 | 100 to 150 Mbps FTTP | SoGEA at 76 Mbps may be fine in low-footfall periods; FTTP gives headroom for streaming guests. |
| Larger restaurant / pub | 20 to 50 | 300 to 500 Mbps FTTP | Need to support concurrent video streaming, especially at peak times. |
| Salon / clinic / waiting room | 5 to 15 | 100 to 300 Mbps FTTP | Booking software and card payments must stay fast; segment guest traffic. |
| Retail shop | 10 to 25 | 150 to 300 Mbps FTTP | EPOS, card terminals, CCTV all on the same connection; isolate from guest. |
| Hotel / B&B | 30 to 200 | 500 Mbps to 1 Gbps FTTP | Guests stream Netflix in rooms; bandwidth is the differentiator. Consider symmetric altnet or leased line. |
| Gym / leisure venue | 30 to 100 | 300 to 500 Mbps FTTP | Class booking software, member apps, plus guest Wi-Fi for waiting members. |
| Co-working / shared office | 20 to 100 | 500 Mbps to 1 Gbps FTTP / leased line | Members expect home-office quality; consider symmetric speeds and SLA. |
| Event venue / conference | 50 to 500 | 1 Gbps FTTP or leased line | Peaks are extreme; leased line with guaranteed bandwidth often the right answer. |

Symmetric speeds matter more than headline download: A 500 Mbps symmetric altnet line (Trooli, Hyperoptic, Community Fibre) often handles guest Wi-Fi better than a 900 Mbps asymmetric Openreach FTTP line, because video calls, cloud sync, and uploads from guest devices all depend on upload bandwidth. At UK addresses where altnet symmetric FTTP is available, the symmetric upload is often the deciding factor for venues with heavy guest Wi-Fi use. See our upload vs download speed guide for the practical detail.

3. Network segmentation: separating guest from business traffic

The single most important principle for business guest Wi-Fi is keeping guest traffic completely separate from business systems. This is not optional; it protects card payments, EPOS, CCTV, office computers, printers, and booking software from both bandwidth contention and cybersecurity threats. Modern UK business broadband makes this straightforward with three standard techniques.

  1. Separate SSID for guest Wi-Fi: Configure a second wireless network name (such as "MyCafe-Guest") that is broadcast separately from the staff or business network ("MyCafe-Staff"). Guests connect only to the guest SSID; staff and devices connect to the business SSID. Modern business routers and access points support multiple SSIDs natively.
  2. VLAN isolation: At a deeper technical level, the guest SSID should sit on a separate VLAN (Virtual LAN) so traffic cannot cross between guest and business networks even if someone tries. This prevents a compromised guest device from reaching card payment terminals, CCTV, office computers, or printers.
  3. Client isolation on guest network: Within the guest network itself, enable client isolation so guest devices cannot see or communicate with each other. This stops a malicious guest from attacking other guests on the same network. Most business-grade Wi-Fi systems and many consumer routers support this as a single setting.

| Network setup | Card payment safety | Cybersecurity protection | Setup complexity |
|---|---|---|---|
| Single network, no separation | POOR (guests can flood network) | POOR (compromised guest reaches business) | Trivial but unsuitable for business |
| Separate guest SSID, no VLAN | OK (some bandwidth separation) | WEAK (limited protection) | Easy on most modern routers |
| Separate SSID + VLAN + client isolation | STRONG | STRONG | Configurable on business routers and access points |
| Separate broadband line for guests | STRONGEST | STRONGEST | Most expensive; usually overkill for SME |

The 2026 UK SME standard: separate SSID with VLAN isolation and client isolation, all on a single business broadband line. This delivers strong protection at minimal additional cost, since most modern business-grade routers and access points support these features natively. A second physical broadband line specifically for guests is rarely needed and not cost-effective for most UK SMEs.
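One way to confirm the separation actually holds, as an added example that is not part of the original guide: a spot check run from a laptop joined to the guest SSID that tries to open TCP connections to your own business hosts (VLAN isolation) and to a second test device you own on the guest SSID (client isolation). Every address, port and name below is a constructed assumption to be replaced with your own inventory.

```python
"""Guest-side spot check: business hosts and guest peers should not answer."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    label: str
    host: str
    port: int
    zone: str  # "business" (other VLAN) or "guest-peer" (same guest SSID)


@dataclass(frozen=True)
class Finding:
    control: str  # which control from the guide failed
    target: Target


# Constructed sample inventory: all addresses and ports are assumptions.
# Replace with your own EPOS, CCTV and printer addresses, plus a second
# device you own on the guest SSID that runs a listener on a known port.
SAMPLE_TARGETS = [
    Target("EPOS till web admin", "192.168.10.20", 443, "business"),
    Target("CCTV recorder", "192.168.10.30", 554, "business"),
    Target("Office printer", "192.168.10.40", 9100, "business"),
    Target("Own test device on guest SSID", "192.168.20.51", 8000, "guest-peer"),
]


def tcp_probe(host, port, timeout=2.0):
    """Return True only if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route: all count as blocked
        return False


def audit_isolation(targets, probe=tcp_probe):
    """Return a Finding for every target the guest-side device can reach."""
    findings = []
    for target in targets:
        if probe(target.host, target.port):
            control = ("VLAN isolation" if target.zone == "business"
                       else "client isolation")
            findings.append(Finding(control, target))
    return findings


def report(findings):
    """Turn findings into lines suitable for the compliance file."""
    if not findings:
        return ["PASS: no listed business host or guest peer was reachable"]
    return [f"FAIL ({f.control}): {f.target.label} at "
            f"{f.target.host}:{f.target.port} answered from the guest SSID"
            for f in findings]


if __name__ == "__main__":
    for line in report(audit_isolation(SAMPLE_TARGETS)):
        print(line)
```

A pass covers only the listed hosts and ports, so treat it as a spot check rather than proof that every path is filtered, and rerun it after router firmware or configuration changes.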

4. Captive portals and how they work

A captive portal is the splash page that guests see when they first connect to your Wi-Fi, before being given internet access. In 2026, a properly designed captive portal handles four functions simultaneously: it presents your terms and conditions for guest Wi-Fi use, captures explicit UK GDPR consent for any data collected, optionally builds a marketing list (with separate opt-in), and logs the connection so the business can identify users if a legal request requires it.

Captive portals come in three broad flavours for UK SMEs in 2026:

  • Built-in router captive portals: Many UK business broadband routers (BT Smart Hub 2, Vodafone Ultra Hub, Sky Business Hub, Virgin Media Business Hub) include a basic captive portal feature. These cover the minimum requirement for terms acceptance and optional email capture, but typically lack advanced features like social login, branded splash pages, and UK GDPR compliance tooling. Suitable for very small UK premises.
  • Third-party captive portal services: Specialist UK and international platforms such as Purple, Stampede, Reach, Cloudi-Fi, IronWiFi, Spotipo, and StayFi provide branded splash pages, social login, marketing integration, audit logs, and built-in UK GDPR compliance features. Pricing typically starts at £5 to £25 per month per location for SME-tier services. This is the standard choice for hospitality, retail, and customer-facing UK businesses.
  • Enterprise Wi-Fi platforms: Cisco Meraki, Aruba Instant On, Ubiquiti UniFi, Mikrotik, and TP-Link Omada all include captive portal features at the access point or controller level. Suitable for larger premises with dedicated business Wi-Fi infrastructure. Typically a one-off hardware cost with optional cloud subscription for advanced features.

What a UK GDPR-compliant captive portal must do: present terms and conditions and a privacy notice in plain English, capture explicit consent for any data processing through an unticked checkbox (no pre-filled boxes, no consent bundled with other agreements), separate Wi-Fi access consent from optional marketing consent (granting access cannot be conditional on accepting marketing), provide a clear way to withdraw consent later, retain connection logs for a defined period (typically 30 to 90 days for security purposes; up to 12 months if specifically required), and store guest data securely with documented retention and deletion policies. Any platform marketed as GDPR-compliant should handle all of these as standard.

5. UK GDPR compliance for guest Wi-Fi data

UK GDPR (the UK Data Protection Act 2018, which mirrors EU GDPR with UK-specific adjustments) treats any personal data collected through guest Wi-Fi captive portals as regulated personal data. This includes email addresses, names, phone numbers, device identifiers (MAC addresses), IP addresses, and timestamps. The Information Commissioner's Office (ICO) has issued guidance and enforcement notices to UK businesses where guest Wi-Fi data has been mishandled, and maximum penalties reach £17.5 million or 4 percent of annual global turnover, whichever is higher (ICO, 2025).

The five practical UK GDPR requirements for guest Wi-Fi in 2026:

  1. Lawful basis for processing: Most UK SMEs rely on either consent (explicit guest opt-in via captive portal) or legitimate interests (basic connection logging for security and legal compliance). Document which basis you rely on for each type of data.
  2. Transparent privacy notice: The captive portal must include or link to a privacy notice in plain English explaining what data you collect, why, how long you keep it, who has access, and how the guest can exercise their rights (access, rectification, erasure).
  3. Granular consent management: Any marketing consent must be separate from Wi-Fi access consent. An unticked checkbox is required (no pre-ticked boxes per ICO guidance). Wi-Fi access cannot be conditional on accepting marketing; offer a "connect only" option clearly.
  4. Data minimisation: Only collect data you genuinely need. For most UK SMEs, that means an email address (if any marketing is planned), a name (optional), and the standard connection log data (timestamp, MAC address, IP allocated). Avoid collecting phone numbers, demographic data, or social profile data unless you have a clear justification.
  5. Defined retention periods: Document how long you keep each type of data. For UK SMEs, sensible defaults are 30 to 90 days for connection logs (sufficient for security and most legal compliance scenarios), and indefinite retention for marketing email lists with regular cleaning of inactive subscribers. Captive portal services typically automate this.

The ICO's clearest guidance on guest Wi-Fi consent: Wi-Fi access cannot be conditional on accepting marketing. The captive portal must offer either a clear "connect with no marketing" path or treat marketing consent as a separate, unticked checkbox that the guest can leave unchecked while still getting Wi-Fi access. Pre-ticked marketing boxes, bundled consent, or "consent or no Wi-Fi" mechanics are explicit UK GDPR violations and have led to ICO enforcement action against UK businesses.
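The consent and retention rules above (and the captive portal requirements in section 4), sketched as an added example that is not part of the original guide or any vendor's code: a splash-page configuration check, a submission handler that never ties access to marketing, and a log purge. All class names, fields and the 90-day window are assumptions chosen from the ranges the guide gives.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed retention window, taken from the guide's 30 to 90 day range.
LOG_RETENTION = timedelta(days=90)


@dataclass(frozen=True)
class PortalConfig:
    """Hypothetical description of how the splash page is set up."""
    marketing_box_preticked: bool
    marketing_required_for_access: bool
    privacy_notice_url: str


@dataclass(frozen=True)
class Submission:
    """Hypothetical form post from a guest device."""
    mac: str
    terms_accepted: bool
    marketing_opt_in: bool
    email: str = ""


@dataclass(frozen=True)
class ConsentRecord:
    mac: str
    timestamp: datetime
    wifi_terms: bool
    marketing: bool
    email: str  # stored only when marketing consent was given


def config_problems(cfg):
    """List the ways a splash page breaks the consent rules in the guide."""
    problems = []
    if cfg.marketing_box_preticked:
        problems.append("marketing checkbox is pre-ticked")
    if cfg.marketing_required_for_access:
        problems.append("Wi-Fi access is conditional on marketing consent")
    if not cfg.privacy_notice_url:
        problems.append("no privacy notice linked from the splash page")
    return problems


def handle_submission(sub, now):
    """Return (access_granted, ConsentRecord or None).

    Access depends only on the terms box. Marketing is recorded only when
    the guest ticked it and supplied an email; otherwise the email is
    dropped (data minimisation).
    """
    if not sub.terms_accepted:
        return False, None
    email = sub.email.strip()
    marketing = sub.marketing_opt_in and bool(email)
    return True, ConsentRecord(sub.mac, now, True, marketing,
                               email if marketing else "")


def withdraw_marketing(record):
    """Withdrawal keeps the Wi-Fi terms record but clears marketing data."""
    return replace(record, marketing=False, email="")


def purge_expired(logs, now, retention=LOG_RETENTION):
    """Keep only connection log entries still inside the retention window."""
    cutoff = now - retention
    return [entry for entry in logs if entry["timestamp"] >= cutoff]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed sample submission: connect only, no marketing.
    print(handle_submission(Submission("02:00:00:00:00:01", True, False), now))
    print(config_problems(PortalConfig(True, True, "")))
```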

7. Hardware options: router built-in vs business access points

UK SMEs have three hardware paths for guest Wi-Fi in 2026, each suited to different premises sizes and user counts.

Router built-in guest Wi-Fi

No extra cost

Use the secondary SSID and basic captive portal features built into your business broadband router. Suitable for very small premises (under 30 covers) with basic guest needs.

  • BT Smart Hub 2, Vodafone Ultra Hub, Sky Business Hub, Virgin Media Business Hub all support guest SSID
  • No additional cost
  • Limited captive portal features
  • Up to ~30 concurrent devices reliably

Business access points

£100 to £400 per AP

Add dedicated business Wi-Fi access points for larger premises, more concurrent devices, and proper enterprise features. Common UK choices include Ubiquiti UniFi, TP-Link Omada, Aruba Instant On, and Cisco Meraki Go.

  • 50 to 200+ concurrent devices per AP
  • VLAN, client isolation, bandwidth limits
  • Mesh-capable for larger premises
  • Cloud management options

Managed Wi-Fi service

£20 to £80 per location per month

Outsource the entire setup to a UK managed Wi-Fi provider (Purple, Stampede, Reach, Cloudi-Fi). Includes hardware, captive portal, GDPR compliance, marketing tools, and ongoing support.

  • Hardware included or supplied
  • Full UK GDPR compliance handled
  • Marketing data and analytics
  • Ongoing support and updates

Captive portal service only

£5 to £25 per month

Add a third-party captive portal (Spotipo, StayFi, IronWiFi, Cloudi-Fi) on top of existing router or AP hardware. Adds branded splash pages, GDPR compliance, and marketing features without changing the underlying network.

  • Works with existing hardware
  • Branded splash pages
  • GDPR compliance built in
  • Email and social login options

For a small UK cafe with 5 to 15 concurrent guests, the router built-in option is often perfectly adequate, especially when paired with a low-cost captive portal service for compliance. For a busy restaurant with 30 to 50 concurrent guests, a single business access point plus captive portal service is usually right. For a hotel, gym, or co-working space with 50+ concurrent users, a multi-AP business Wi-Fi system or a fully managed service is typically the best fit.

8. Sector setup: cafes, takeaways, and small hospitality

For UK cafes, takeaways, coffee shops, and small hospitality venues, the typical setup that works well in 2026 looks like this. This pattern handles 5 to 30 concurrent guests reliably while keeping card payments and EPOS responsive.

  1. Choose business broadband with FTTP at 100 to 300 Mbps, ideally symmetric if Trooli, Hyperoptic, Community Fibre, or another altnet is available. This gives ample headroom for guest streaming plus business systems.
  2. Configure two SSIDs on the business router: "Cafe-Staff" (for EPOS, card terminals, CCTV, staff phones, and the till computer) and "Cafe-Guest" (customer-facing). Set a strong password on the staff SSID; the guest SSID can be password-protected via the captive portal.
  3. Enable VLAN separation between the two SSIDs so guest traffic cannot reach business equipment. Most modern UK business routers support this in a few clicks.
  4. Add a captive portal using a UK SME-tier service (Purple, Stampede, Spotipo) with a branded splash page that displays your cafe logo, terms and conditions, GDPR-compliant consent, and an optional newsletter signup. Pricing typically £5 to £25 per month per location.
  5. Set bandwidth limits per guest device: 5 to 10 Mbps download, 1 to 2 Mbps upload per device. This prevents one guest from saturating the connection while leaving plenty for normal browsing and email.
  6. Enable client isolation on the guest SSID so guest devices cannot see or attack each other.
  7. Display the Wi-Fi password and captive portal URL visibly (table cards, menu, posters) so guests can connect without asking staff. A QR code linking to the network is a 2026 standard touch.
  8. Document the AUP and privacy notice and make them accessible from the captive portal. Most third-party captive portal services provide UK-compliant templates.

This setup typically takes 2 to 4 hours to configure initially, with ongoing cost of just the broadband line plus captive portal subscription (often around £30 to £60 per month total for a small cafe). See our business broadband for cafes and takeaways guide for more sector-specific guidance.

9. Sector setup: hotels, B&Bs, and short-let accommodation

Hotels, B&Bs, and short-let accommodation in the UK have higher guest Wi-Fi expectations than most other sectors because guests use the connection in their rooms, often for streaming Netflix and video calls, sometimes for work. Setup needs to handle 30 to 200+ concurrent devices across multiple rooms with consistent coverage.

  1. Specify business broadband with at least 500 Mbps to 1 Gbps FTTP, symmetric if available. For larger hotels, a leased line with guaranteed bandwidth and stronger SLA is often the right choice. See our business broadband for B&Bs and holiday lets guide for B&B-specific recommendations.
  2. Use multiple business-grade access points (typically Ubiquiti UniFi, TP-Link Omada, or Aruba Instant On) distributed across the property to provide consistent room-by-room coverage. Mesh systems can work for very small B&Bs but dedicated wired APs are more reliable for hotels.
  3. Configure three networks: "Hotel-Guest" (for room guest devices), "Hotel-Staff" (for booking systems, PMS, card payments, CCTV), and "Hotel-IoT" if needed (for smart locks, thermostats, IoT devices that need their own segment).
  4. Implement room-based authentication via captive portal: guest enters surname plus room number, captive portal validates against the property management system (PMS) and grants access. This prevents non-guests from accessing the network and provides accountability.
  5. Set per-device bandwidth limits: typically 15 to 25 Mbps download per device for full streaming quality, with potentially higher caps for premium rooms or business guests.
  6. Provide clear connection instructions in rooms (welcome card, TV menu, in-room tablet) covering both the Wi-Fi network name and the captive portal authentication.
  7. Comply with UK GDPR and Investigatory Powers Act obligations through proper logging at the captive portal level, retained for 30 to 90 days minimum.
  8. Consider Wi-Fi 6 or Wi-Fi 6E access points for new deployments; the higher device density and improved performance specifically benefit hotel environments where many devices connect simultaneously.

Hotels with weak Wi-Fi consistently lose business in 2026; review sites and OTAs (booking.com, Expedia) prominently feature Wi-Fi quality scores, and a poor Wi-Fi score can directly affect bookings. This makes investing properly in guest Wi-Fi infrastructure one of the higher-ROI hospitality decisions an independent UK hotel can make.

10. Sector setup: retail shops and salons

UK retail shops and salons typically have lower bandwidth needs per guest than hospitality but higher requirements for keeping card payments and booking systems consistently fast. The priority is protecting business-critical systems rather than maximising guest experience.

  1. Choose business broadband at 100 to 300 Mbps FTTP. Card payments, EPOS, cloud-based booking software, and customer database access are the priorities; guest Wi-Fi is a customer-experience nice-to-have.
  2. Strong network segmentation is non-negotiable. Card payment terminals (Square, Stripe, SumUp, Tyl, Worldpay), EPOS systems, CCTV, and back-office computers must be on a separate VLAN from any guest network. This is both a PCI DSS requirement (for the card payments side) and a basic security practice.
  3. Limit guest bandwidth firmly: 3 to 5 Mbps per device is plenty for browsing while customers wait or browse the shop. No need for high-bandwidth allocations that could slow card payments.
  4. Captive portal with email capture can be a useful marketing tool for salons (where customers wait 30 to 60 minutes for treatments) and for retail loyalty programmes. Newsletter signups via guest Wi-Fi captive portal can be a meaningful customer acquisition channel.
  5. Salon waiting-room context: guests are generally there for at least 30 minutes, often more. This makes Wi-Fi quality more important than for typical retail browsing. Worth investing in a slightly higher-tier setup if guest experience matters operationally.
  6. 4G or 5G backup for card payments specifically: If your card payment terminal supports it, a separate 4G or 5G connection (either built into the terminal like Square Stand or via a dedicated mobile hotspot) keeps card payments working even if the main broadband fails. See our business broadband with 4G backup guide for details.
  7. Standard captive portal compliance: UK GDPR consent, AUP, connection logs, the same as for cafes and hospitality.

For UK retail and salons, the right answer is often "good enough" guest Wi-Fi rather than premium guest Wi-Fi, with the budget priority on a fast, reliable business broadband line that keeps card payments and booking software responsive. See our sector guides on retail shops and salons and clinics for more.

11. Sector setup: shared offices and waiting-room businesses

Shared offices, co-working spaces, dental and medical waiting rooms, professional services firms, and similar businesses have a specific Wi-Fi need: visitors expect home-office quality connectivity for the duration of their visit, but the host business has separate operational systems that must always work first.

  1. Bandwidth varies dramatically by use case: a co-working space supporting 50 paying members needs 500 Mbps to 1 Gbps with symmetric upload (or a leased line); a dental waiting room serving 5 to 10 visitors per hour needs 100 to 200 Mbps. Match the broadband to the actual user pattern.
  2. For co-working spaces specifically, consider a leased line with stronger SLA: members are paying for connectivity quality and an outage during business hours directly affects retention. See our serviced offices guide for more.
  3. For waiting rooms, the built-in features of a capable router are usually fine: a separate guest SSID on the business router, basic captive portal for terms acceptance, and bandwidth limits to prevent a single guest saturating the line.
  4. Patient confidentiality (clinical waiting rooms): ensure the guest network is fully isolated from any clinical system network, including patient management software, prescription systems, or imaging equipment. Healthcare data protection is a strict UK GDPR area.
  5. Co-working VLAN strategy: a typical co-working space runs three or four VLANs: members' wired/wireless network, guest/visitor network, IoT for door access and smart office equipment, and printers/shared equipment. Each segment is isolated.
  6. Captive portal authentication for co-working: integration with member management software (Nexudus, Cobot, OfficeRnD) provides single-sign-on and member-specific bandwidth allocations.
  7. Document and publish acceptable use policy clearly for co-working members and visitors. This is both legal protection and an operational tool to deal with members who abuse the connection.

12. Using guest Wi-Fi for marketing data legally

Guest Wi-Fi can be a meaningful first-party marketing channel for UK customer-facing businesses, but only if the data capture meets UK GDPR requirements and the marketing consent is genuinely separate from Wi-Fi access. Done properly, captive portal email capture builds a high-quality opt-in list of customers who have actually visited the business; done improperly, it is a fast route to ICO complaints and potential fines.

The five rules for legally compliant UK guest Wi-Fi marketing in 2026:

  1. Make marketing consent genuinely optional and clearly separate from Wi-Fi access. The captive portal should let a guest connect with no marketing opt-in; an unticked checkbox for marketing is the standard pattern. Do not bundle the two.
  2. Be specific about what marketing the guest will receive. "Receive our newsletter and offers" is acceptable; "we may communicate with you" is too vague to constitute valid GDPR consent. State the type, frequency, and channel (email, SMS).
  3. Provide value in exchange for the email. "Sign up for our newsletter and get 10 percent off your next visit" works far better than a generic newsletter prompt. Marketing opt-in rates on captive portals with a value exchange typically run 35 to 50 percent; without one, often 5 to 10 percent.
  4. Validate emails to keep the list quality high. Most captive portal services include email validation by default; this prevents fake emails from polluting the marketing list.
  5. Make unsubscribe trivial and process it instantly. Every marketing email must include a working unsubscribe link. Manage subscribers using a UK-compliant email platform (Mailchimp, Klaviyo, dotdigital, GetResponse).

Realistic data capture rates: A well-designed UK captive portal with a clear value exchange (newsletter signup with first-visit discount) typically sees 35 to 50 percent of guests opt in to marketing. Over a year, a busy UK cafe seeing 100 unique guests per day might capture 12,000 to 18,000 marketing-consented email addresses. This is genuinely useful first-party data for repeat-visit marketing, especially when integrated with a loyalty programme or booking system. The single most common mistake is making marketing consent mandatory or pre-ticked, which is both an ICO violation and produces low-quality data because non-engaged guests opt in to get connected.

13. Five questions to ask before launching guest Wi-Fi

  1. Will my business broadband line have enough headroom for guest Wi-Fi at peak times? Calculate concurrent device count at peak (lunchtime for cafes, evening for restaurants, mid-morning for salons) and allow 3 to 5 Mbps per guest device plus headroom for business systems. If the existing broadband is already stretched, upgrade before adding guest Wi-Fi rather than after.
  2. Are my card payment, EPOS, and CCTV systems isolated from the guest network? This is non-negotiable. Confirm with your IT support or check the router configuration that staff and business systems sit on a separate VLAN from any guest SSID. Get this wrong and a guest device compromise could reach your card payment terminal.
  3. Does my captive portal handle UK GDPR consent properly? Check three things: marketing consent is via unticked checkbox; Wi-Fi access is not conditional on marketing consent; a privacy notice is accessible from the splash page. If your current setup fails any of these, you have a UK GDPR compliance gap to fix.
  4. What happens to guest connection logs after they expire? Documented retention period (typically 30 to 90 days), automated deletion at the end of that period, and the ability to retrieve logs in response to a valid legal request before they are deleted. Most managed captive portal services handle this automatically; built-in router captive portals often do not.
  5. Can I demonstrate compliance if the ICO asks? Have the privacy notice, AUP, captive portal screenshots, retention policy, and a sample of consent records on file. Most UK SMEs never face an ICO request, but the documentation is fast to maintain and protects the business if a question ever does arise.

Free help and where to verify

Independent third-party tools and resources to help UK SMEs design and operate compliant guest Wi-Fi.

  • ICO guide to UK GDPR for small business: The Information Commissioner's Office publishes practical guidance on UK GDPR for small businesses, including specific advice on consent and direct marketing. Available at ico.org.uk.
  • Ofcom Connected Nations 2025: Independent UK regulator data on broadband coverage, full-fibre availability, and average UK speeds. Useful for benchmarking what your business broadband should deliver.
  • UK Digital Economy Act 2010 guidance: Available via gov.uk; explains the legal framework around copyright protection on UK Wi-Fi networks.
  • Captive portal vendor documentation: Purple, Stampede, Reach, Cloudi-Fi, IronWiFi, and Spotipo all publish UK GDPR compliance guidance and example privacy notices that can be adapted for your business.
  • Communications Ombudsman: Free dispute resolution if your business broadband provider has not delivered the service required to support guest Wi-Fi properly. Available eight weeks after the original complaint.
  • UK PCI Security Standards Council: Reference for PCI DSS compliance specifically around card payment terminal isolation from guest networks. Required for any UK business taking card payments.

How we put this guide together

This business broadband for guest Wi-Fi guide draws on UK Information Commissioner's Office (ICO) published guidance on UK GDPR and direct marketing; the UK Data Protection Act 2018; the Digital Economy Act 2010; the Investigatory Powers Act 2016; Ofcom's Connected Nations 2025 report on UK broadband coverage; published documentation from major UK and international captive portal services (Purple, Stampede, Reach, Cloudi-Fi, IronWiFi, Spotipo, StayFi); manufacturer specifications for business Wi-Fi access points (Ubiquiti UniFi, TP-Link Omada, Aruba Instant On, Cisco Meraki); and direct review of UK SME guest Wi-Fi setups across hospitality, retail, professional services, and co-working sectors.

Editorial: Written by Adrian James, broadband editor. Reviewed by Dr Alex J. Martin-Smith, head of editorial. Last updated 28 April 2026; next review within 90 days. Corrections welcome via our corrections process.

How we earn: BroadbandSwitch.uk is independent. We sometimes earn affiliate fees from broadband switching deals, including some business broadband products mentioned in this guide; this never affects which providers we cover or how we describe them. See our affiliate disclosure and editorial policy.

Frequently asked questions about guest Wi-Fi for UK businesses

Is guest Wi-Fi a legal requirement for UK businesses?

No, UK businesses are not legally required to offer guest Wi-Fi. However, if you choose to offer it, you take on specific legal obligations under UK GDPR (Data Protection Act 2018), the Digital Economy Act 2010 for copyright protection, and the Investigatory Powers Act 2016 for connection logging. In practice this means you must handle any guest data through a UK GDPR-compliant captive portal with explicit consent and clear privacy notices, retain connection logs for security and legal compliance (typically 30 to 90 days), and protect the business through an Acceptable Use Policy that guests accept before connecting. Failing to comply with these obligations exposes the business to ICO fines (up to £17.5 million or 4 percent of annual global turnover under UK GDPR), Digital Economy Act fines up to £50,000 for copyright infringement, and direct liability for guest activity that cannot be traced to an identifiable user.

How fast does my UK business broadband need to be for guest Wi-Fi?

Allow 3 to 5 Mbps download per concurrent guest device for typical browsing and email use, plus headroom for business systems that must remain responsive at all times. As practical UK 2026 benchmarks: a small cafe with 5 to 15 concurrent guests typically needs 100 to 150 Mbps FTTP; a busier restaurant or pub with 20 to 50 concurrent guests needs 300 to 500 Mbps; a salon or clinic with 5 to 15 guests needs 100 to 300 Mbps; a hotel with 30 to 200 concurrent guests needs 500 Mbps to 1 Gbps; and a co-working space typically needs 500 Mbps to 1 Gbps with symmetric upload, or a leased line for guaranteed bandwidth. Symmetric speeds from altnets like Trooli, Hyperoptic, or Community Fibre Business often handle guest Wi-Fi better than higher-tier asymmetric Openreach FTTP because video calls and uploads from guest devices depend on upload bandwidth.

How do I keep card payments and EPOS safe from guest Wi-Fi traffic?

Use network segmentation with three components. First, configure two separate Wi-Fi network names (SSIDs) on your business router or access point: one for staff and business systems including card terminals and EPOS, and one for customer-facing guest Wi-Fi. Second, set up VLAN isolation between the two so guest traffic cannot reach business equipment even if a guest device tries. Third, enable client isolation on the guest SSID so guest devices cannot communicate with each other. Most modern UK business routers from BT, Sky, TalkTalk, Vodafone, and Virgin Media support all three of these as built-in features, configurable in a few clicks through the admin interface. This setup is also a PCI DSS requirement for any UK business taking card payments, so it is non-negotiable rather than optional. A separate physical broadband line for guests is rarely needed and not cost-effective for most UK SMEs.
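A way to check the VLAN isolation described above, as an added example (not code from this guide or from any router vendor): it replays every guest-to-business address pair against an ordered rule list and reports any rule that lets guest traffic through. The subnets, the rule format and the first-match evaluation are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan and rule format (constructed; not any vendor's syntax).
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")     # guest SSID VLAN
BUSINESS_NET = ipaddress.ip_network("192.168.10.0/24")  # card terminals, EPOS, CCTV, office PCs
INTERNET_PROBE = ipaddress.ip_address("203.0.113.10")   # documentation address standing in for the internet

# Rules are (action, source network, destination network); first match wins.
SEGMENTED = [
    ("drop",  "192.168.50.0/24", "192.168.10.0/24"),
    ("allow", "192.168.50.0/24", "0.0.0.0/0"),
    ("allow", "192.168.10.0/24", "0.0.0.0/0"),
]
# Same rules in the wrong order: the broad allow shadows the drop.
MISORDERED = [SEGMENTED[1], SEGMENTED[0], SEGMENTED[2]]

def parse(rules):
    """Convert the text networks in each rule into ipaddress network objects."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in rules]

def decide(parsed, src, dst):
    """Return (action, rule index) of the first matching rule; default is drop."""
    for i, (action, src_net, dst_net) in enumerate(parsed):
        if src in src_net and dst in dst_net:
            return action, i
    return "drop", None

def audit_guest_isolation(rules):
    """Return findings; an empty list means the guest VLAN is isolated but online."""
    parsed, leaking_rules = parse(rules), set()
    for guest in GUEST_NET.hosts():
        for target in BUSINESS_NET.hosts():
            action, idx = decide(parsed, guest, target)
            if action == "allow":
                leaking_rules.add(idx)
    findings = [f"rule {i} lets guest traffic reach the business VLAN"
                for i in sorted(leaking_rules)]
    if decide(parsed, next(GUEST_NET.hosts()), INTERNET_PROBE)[0] != "allow":
        findings.append("guest VLAN has no internet access")
    return findings

if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("misordered", MISORDERED)):
        print(name, audit_guest_isolation(rules) or "OK")
```

Client isolation on the guest SSID is enforced by the access point at layer 2, so it is not covered by this routing-level check and needs its own test with two guest devices.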

What is a captive portal and do I need one?

A captive portal is the splash page that guests see when they first connect to your Wi-Fi, before being given internet access. It typically displays your terms and conditions, captures explicit UK GDPR consent for any data collected, optionally builds a marketing email list (with separate opt-in), and logs the connection for legal compliance. In 2026, every UK business offering guest Wi-Fi should use a captive portal to handle these functions. Three types of captive portals are available: built-in router features (BT Smart Hub 2, Vodafone Ultra Hub, Sky Business Hub, Virgin Media Business Hub) suitable for very small premises; third-party services (Purple, Stampede, Reach, Cloudi-Fi, IronWiFi, Spotipo, StayFi) typically £5 to £25 per month per location with full UK GDPR compliance and marketing tools; and enterprise platforms (Cisco Meraki, Aruba Instant On, Ubiquiti UniFi, TP-Link Omada) for larger premises with dedicated business Wi-Fi infrastructure. The right choice depends on premises size, concurrent guest count, and whether marketing data capture matters.

Can my business be fined if a guest downloads illegal content on my Wi-Fi?

Yes, potentially. Under the UK Digital Economy Act 2010, businesses can be held responsible for copyright infringement carried out over their connection if they cannot identify the user. Maximum fines reach £50,000 (Digital Economy Act 2010). A documented case in 2024 saw a Manchester pub fined £8,000 because someone had downloaded copyrighted material on its open Wi-Fi and the pub could not identify the user. The protection against this risk is straightforward: use a captive portal that captures guest identity (typically email plus device ID and timestamp) and retains connection logs for 30 to 90 days minimum. This means that if a copyright holder traces a violation to your business IP address, you can identify the specific user from your logs and the liability transfers to them. Without this setup, the business itself bears the liability. Modern UK captive portal services handle this logging automatically and provide UK-compliant Acceptable Use Policy templates that further reduce the business's exposure.

What does UK GDPR-compliant guest Wi-Fi consent look like?

UK GDPR-compliant guest Wi-Fi consent must meet five tests. First, explicit and active opt-in: an unticked checkbox that the guest must positively click to consent (no pre-ticked boxes per ICO guidance). Second, granular separation: marketing consent must be a separate decision from Wi-Fi access, with the guest able to connect without opting in to marketing. Third, transparent privacy notice: a plain-English privacy notice accessible from the splash page explaining what data is collected, why, how long it is kept, and how to exercise data rights. Fourth, specific purpose: vague language like "we may communicate with you" is not valid consent; you must state specifically what marketing the guest will receive (email newsletter, SMS offers, frequency). Fifth, easy withdrawal: every marketing email must include a working unsubscribe link, and unsubscribe must be processed instantly. Pre-ticked boxes, bundled consent, "consent or no Wi-Fi" mechanics, and vague consent language are explicit UK GDPR violations and have led to ICO enforcement action against UK businesses.

How long should I keep guest Wi-Fi connection logs in the UK?

For most UK SMEs, the practical guidance in 2026 is to retain guest Wi-Fi connection logs for 30 to 90 days minimum, with up to 12 months for businesses with higher security exposure or where the captive portal vendor recommends it. This balances UK Investigatory Powers Act 2016 considerations, Digital Economy Act 2010 protection against copyright infringement liability, security and incident investigation needs, and UK GDPR data minimisation principles (which require not keeping personal data for longer than necessary). Connection logs should include timestamp, MAC address, allocated IP address, and basic session duration; they do not need to include browsing history or content. Most managed captive portal services automate the retention and deletion process so logs are kept for the configured period and then automatically deleted. Marketing email lists are separate from connection logs and can be retained indefinitely as long as consent is current and the list is regularly cleaned of inactive subscribers.
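The retention and minimisation rules above, as an added example (not code from this guide or from any captive portal vendor): it purges expired connection records, keeps only the four fields listed above, and finds the sessions active at a given time for an incident investigation. The field names, the 365-day reading of "12 months" and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_FIELDS = ("connected_at", "mac", "ip", "duration_s")  # the fields the guide lists
MIN_DAYS, MAX_DAYS = 30, 365  # assumed bounds: 30 days minimum, 12 months maximum

# Constructed sample records; the "url" field is deliberately out of scope.
SAMPLE_LOG = [
    {"connected_at": "2026-01-05T09:12:00+00:00", "mac": "02:00:00:aa:bb:01", "ip": "192.168.50.21", "duration_s": 1800},
    {"connected_at": "2026-03-20T13:40:00+00:00", "mac": "02:00:00:aa:bb:02", "ip": "192.168.50.22", "duration_s": 2400, "url": "example.org"},
    {"connected_at": "2026-04-27T17:05:00+00:00", "mac": "02:00:00:aa:bb:03", "ip": "192.168.50.23", "duration_s": 600},
]

def apply_retention(records, now, retention_days):
    """Return (kept, purged_count): drop expired records, keep only allowed fields."""
    if not MIN_DAYS <= retention_days <= MAX_DAYS:
        raise ValueError(f"retention must be {MIN_DAYS}-{MAX_DAYS} days")
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], 0
    for rec in records:
        when = datetime.fromisoformat(rec["connected_at"])
        if when.tzinfo is None:
            # Naive timestamps become ambiguous across GMT/BST changes.
            raise ValueError("timestamps must carry a UTC offset")
        if when < cutoff:
            purged += 1
            continue
        # Data minimisation: anything outside the allowed fields is not stored.
        kept.append({k: rec[k] for k in ALLOWED_FIELDS})
    return kept, purged

def sessions_active_at(records, at):
    """Return the sessions that were connected at time `at` (timezone-aware)."""
    hits = []
    for rec in records:
        start = datetime.fromisoformat(rec["connected_at"])
        if start <= at <= start + timedelta(seconds=rec["duration_s"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    now = datetime(2026, 4, 28, tzinfo=timezone.utc)
    kept, purged = apply_retention(SAMPLE_LOG, now, 90)
    print(f"kept {len(kept)}, purged {purged}")
```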

What is the cheapest way to set up compliant guest Wi-Fi for a small UK business?

For a UK small business serving up to 30 concurrent guests (typical small cafe, salon, or shop), the cheapest compliant setup combines existing business broadband with a low-cost captive portal service. Use the secondary SSID feature of your existing UK business broadband router (BT, Sky, TalkTalk, Vodafone, Virgin Media all support this) for the guest network, configure VLAN separation and client isolation, and add a third-party captive portal subscription such as Spotipo, IronWiFi, or StayFi at typically £5 to £15 per month for handling UK GDPR consent, splash page branding, and connection logging. Total ongoing cost is just the broadband line plus around £10 per month for the captive portal, with no additional hardware to buy. This setup takes 2 to 4 hours to configure initially and meets all UK legal and GDPR obligations for small business guest Wi-Fi. For larger premises with more concurrent guests, dedicated business Wi-Fi access points (Ubiquiti UniFi, TP-Link Omada at around £100 to £200 per access point) plus the same captive portal subscription is the next step up.

References

  1. Information Commissioner's Office. (2025). Guide to UK GDPR for small businesses: consent and direct marketing. Wilmslow: ICO. Retrieved from ico.org.uk.
  2. Ofcom. (2025). Connected Nations 2025: UK report. London: Ofcom. Published 19 November 2025. Retrieved from ofcom.org.uk.
  3. UK Government. (2010). Digital Economy Act 2010. London: HMSO. Retrieved from legislation.gov.uk.