GDPR consent and personal data management

Consent & Personal Data Mgmt

Aptilo Guest Wi-Fi Cloud Consent & Personal Data Management with Privacy self-management


A Wi-Fi service is an excellent platform for hypertargeted marketing. Our customers have been asking for tools to get end-users’ consent to use their personal data for marketing. They also want to give end-users transparent access to that personal information. In some markets such as Europe, with the General Data Protection Regulation (GDPR), it’s required by law. In all markets, it makes common business sense.

With Aptilo Guest Wi-Fi Cloud ™ (GWC) your back is covered. You get access to our award-winning consent & personal data management features. With our optional module for self-management, you can even minimize the load on your customer service organization. Use the Aptilo GWC Privacy Self-Management™ module to let end-users manage their own consent and personal data.


The Aptilo Guest Wi-Fi Cloud™ has inherent functionality for personal data protection:

  • The time that personal raw data are saved is 30 days
  • Personal session data is aggregated and thus anonymized for analytics
  • Centralized log function
  • Audit log – who has done what in the system, can be requested from Aptilo
  • Automatic purge of accounts after expiration, purge time can be set by customer
  • Support for export of personal data



If saving operational costs is a priority, you most likely want this. It does not get more efficient than our full concept with privacy self-management. The end-users can handle their consent and personal data, so your employees don’t have to.

How users can access privacy self-management

How do users get access to handle their consent and personal data? It’s up to you. Since the self-management is a web link you can use a host of different options:

  • Captive Portal

  • E-mail after login

  • SMS after login

  • Sent from customer care

  • Your website



Do you want to save on the Aptilo privacy self-management option? Do you have other reasons your customer care should handle the process? Then this deployment scenario is for you. Your customer care organization handles all requests from users. They administrate users’ consents and personal data. You must identify end-users when they contact customer care. Our suggestion is that you instruct your customer care to send a random pin code to the end-user via a verified e-mail or SMS address.

Make it as automatic as possible

Some legislations, such as European GDPR, require you to erase all personal data upon request from the end-user. You must do so within 30 days (GDPR).

Since Aptilo GWC is set to erase all personal session data after 30 days, your customer care do not have to take any specific action. You will still reap the benefits of aggregated and anonymized analytics. But, there will be no trace of personal data left after the 30 days.

You may also set user accounts to purge after 30 days. This way your customer service organization does not even have to delete the account. They can just say, “We will erase all your personal data within 30 days.”

The best option of all is of course to use our privacy self-management features. Many users would love to let you keep their data, just as long as you are 100% transparent and only send them relevant information and offers.


  • Harmonize laws in EU

  • Overrides local laws

  • In effect since 2016

  • Fines from may 2018

The General Data Protection Regulation (GDPR) is intended to strengthen data privacy for all individuals within the European Union (EU). It has been in place since 2016 ([EU] 2016/679). What’s new is that EU will enforce this law with heavy fines starting May 25, 2018.

The fines for a business can be 4% of worldwide sales up to 20 MEUR. The GDPR overrides any local data privacy laws within Europe. Anyone that is collecting and/or processing any personal data within the European Union must comply with GDPR.

Many countries around the world have similar laws and those without legislation will be inspired by the European GDPR.


  • Give consent

  • View my data

  • Correct my data

  • Export my data

  • Be forgotten

GDPR gives individuals more control over their personal data provided to companies operating in the European Union (EU), wherever they are based.

As a provider of Wi-Fi services, you must get users’ explicit consent on exactly how you will use their personal data. Upon request, you must also give any user transparent access to view and correct their personal data. One of the most important rights is the right to be forgotten. Upon request, you must delete all personal data, including the ones you may have in backups. You must also be able to provide users with their personal data exported in a machine-readable format.

You must execute these user requests within 30 days. However, Aptilo has taken the stand that you are better off as a business if you can give your users transparent and immediate access. This is why we have built the consent and personal data management features described in the other sections on this page.


All data that directly or indirectly can be tied to a person is personal data. Obvious data like name, address, e-mail and phone number, but also less obvious data. The graphic below includes some examples.

Personal data according to GDPR


  • Explicit consent

  • Detailed consent

  • Easy to understand

  • access type specific

GDPR is clear about consent. An individual must understand exactly what he/she has consented to for how their personal data will be used. Gone are the days when the personal data consent was buried in a “General Terms” link. A link which few users would click on anyway.

With GDPR, users must give explicit consent to everything concerning their personal data. And, it can’t be “lawyer-speak”. It must be written in a way that’s easy to understand.

All this means that the required consents will differ depending on the access method used. For instance, a Facebook login may require a specific consent for marketing. This consent allow you to send marketing information to the user, tailored to their public Facebook profile (age group and gender etc.). This is why we have built a flexible and comprehensive consent management tool. Learn more about it in the consent management section on this page.


  • Consent with terms

  • mandatory or optional

  • Shown dynamically

  • Multilingual support

  • Revision handling

The consent management features allow you to flexibly handle users’ consent how you will process their personal data. They are built to support legalizations such as the European GDPR. Each consent is defined with a detailed consent text. Aptilo’s solution is also coupled to one or many access methods, such as Facebook login or click-and-connect. This means that the correct consent will always dynamically show up in the Aptilo GWC captive portal. The consent text can be multilingual where the correct language is used based on the browser language.

It is easy to handle a user’s consent over time with the Aptilo GWC consent management features. Revision handling of changed consent improves traceability over time. The tight integration with the Aptilo captive portal makes the task of collecting a user’s consent a breeze. With the Aptilo GWC Privacy Self-Management™, you can even leave it to the end-user to handle their own consents.


Aptilo SMP smart consent pop-up

The consent user interface is designed as a pop-up (safe from pop-up blockers of course). This serves three purposes. The detailed consent information is not visible from the start,  which improves the sign-up rate as the users will not be discouraged from using the service. The important consent information is also more likely to be read by the user if it is clean and consistent in design. Furthermore, it allows you to add new consents and update existing consent texts without making any changes to the portal.

As discussed above, all consents coupled with the access method the user is using will automatically show up in the pop-up. The user can fold down the detailed consent text with a simple click.

You can define consents as mandatory. The “save” button will only be available, and the Wi-Fi service accessible, if the user makes an active choice to all mandatory consents.

Some legislation such as GDPR requires verification of the user’s identity (double opt-in). This is handled by the portal design and flow which will send an SMS or e-mail to the user with a link and a verification code. To gain access, the user either clicks on that link or enters the verification code at the portal.


The Aptilo smart consent pop-up will be triggered also for existing users under certain circumstances.

User selects a new access method

Let’s look at a common scenario. The user starts with a 30-min free anonymous click-and-connect service and agrees to the general terms & conditions. After this, he/she might use the Facebook login to get another 4 hours of access. This will trigger a consent pop-up with the new consent for Facebook login highlighted.

When terms for a consent have changed

It’s likely that the terms text for a specific consent, for instance how e-mail information will be used, will change over time. Here the system will trigger a pop-up the next time the user connects to the service, highlighting both the old and the new updated terms text. The pop-up will not be triggered if the system administrator marks the update as minor, such as correcting a misspelled word.



With the Aptilo GWC personal data management, you can handle users’ personal data including the consent they have given for use of the data. With this tool you can view, correct, export and delete personal data. You can also handle the associated consents. This allows you to offer a Wi-Fi service compliant with legislations such as the GDPR. It provides total transparency as to what data you have stored about the user and how it will be used. It also supports the “forget me” action, erasing all information about the user.

Handled by customer care

Your customer care organization can handle a user’s request over the phone to administrate their personal data and consents. For security reasons, your customer care should identify the user through a random pin code. The pin code can then be sent to a verified e-mail address or mobile phone (SMS).

Privacy self-management

A more cost-effective method is to allow the user to handle their own personal data and consent through the Aptilo Privacy Self-Management™ module. The user will log-in to the self-care web portal using the same access method they used to access your Wi-Fi service.