WiFi ডেটা সংগ্রহ: আপনার নেটওয়ার্ক কী ডেটা সংগ্রহ করে এবং কীভাবে এটি ব্যবহার করবেন

WiFi Data Collection: What Data Your Network Captures and How to Use It A Purple Enterprise Briefing — Approximately 10 Minutes --- INTRODUCTION & CONTEXT [~1 minute] Welcome to the Purple Enterprise Briefing. I'm your host, and today we're cutting straight to the point on a topic that every IT manager, network architect, and venue operations director needs to get right in 2026: WiFi data collection. Not the theory. Not the academic overview. The practical reality of what your managed network is capturing right now, what you're legally required to do with it, and — critically — how to turn that data into measurable business value. Whether you're running a hotel chain, a retail estate, a stadium, or a public-sector venue, your guest WiFi infrastructure is generating a continuous stream of intelligence. The question isn't whether to collect it. The question is whether you have the architecture, the compliance posture, and the analytics platform to use it properly. Let's get into it. --- TECHNICAL DEEP-DIVE [~5 minutes] So, what does a managed WiFi network actually capture? Let's break this down into four distinct data categories, because conflating them is where most organisations get into trouble — both technically and legally. The first category is device identifiers. Every device that comes within range of your access points broadcasts a probe request. That probe request contains, at minimum, a MAC address — the hardware identifier burned into the network interface card. From the MAC address alone, you can derive the device manufacturer using the OUI — the Organisationally Unique Identifier — which is the first three octets. So before a user has even connected, you already know whether they're carrying an Apple iPhone, a Samsung Android, or a Windows laptop. Once they associate with your SSID, you also capture the device type, operating system version, and supported protocol capabilities — whether the device supports Wi-Fi 6, Wi-Fi 6E, or is still running on older 802.11ac. Now, a critical caveat here: since iOS 14 and Android 10, both Apple and Google have implemented MAC address randomisation by default. This means passive probe capture is less reliable for persistent device tracking than it was five years ago. The workaround — and this is important — is authenticated session data, which brings us to category two. Session data is captured the moment a device authenticates and associates with your network. This includes connection timestamp, session duration, bytes transferred, SSID, BSSID — which is the specific access point MAC — RSSI or received signal strength indicator, and the DHCP-assigned IP address. This data is generated at the RADIUS server level if you're running IEEE 802.1X enterprise authentication, or at the captive portal controller if you're running a consumer-grade guest network. The session data is your baseline for understanding network utilisation, throughput capacity planning, and per-user bandwidth consumption. Category three is login and identity data — and this is where the commercial value really starts to accumulate. When a guest authenticates through a captive portal — whether that's email registration, social login via Google or Facebook OAuth, or a custom form — you're capturing first-party identity data. That means name, email address, date of birth if you ask for it, marketing consent flags, and the authentication method used. This is the data that powers your CRM integrations, your email marketing workflows, and your loyalty programme triggers. Critically, this is also the data that sits squarely within the scope of GDPR and UK GDPR — so your lawful basis, consent records, and data retention policies need to be airtight before you start building on top of it. Purple's guest WiFi platform handles this at the point of capture — presenting a branded splash page, recording granular consent, and pushing the identity record directly into your CRM or marketing automation platform via webhook or native integration. That's the difference between raw data and actionable intelligence. The fourth category is movement and presence data. This is derived analytics rather than raw capture, but it's built on the session and device data we've already discussed. By correlating RSSI readings from multiple access points, you can triangulate device position to within two to five metres, depending on your access point density. This gives you dwell time per zone, visitor flow paths, repeat visit frequency, and peak occupancy windows. For a retail environment, that translates directly into merchandising decisions. For a hotel, it informs F&B staffing. For a stadium, it's the foundation for queue management and concession placement optimisation. This is what Purple's WiFi Analytics platform does — it takes the raw session and presence data from your existing infrastructure and surfaces it as actionable venue intelligence. You don't need to rip and replace your access points. You need the right data layer on top. Now, let's talk about the compliance architecture, because this is non-negotiable. GDPR and UK GDPR require that any personal data — and email addresses, names, and persistent device identifiers all qualify — must be collected under a documented lawful basis, typically consent or legitimate interest. You need a privacy notice at the point of capture, granular consent options, and a mechanism for users to exercise their rights: access, rectification, erasure, and portability. PCI DSS is relevant if your guest network shares any physical or logical infrastructure with your payment processing environment. The answer here is network segmentation — your guest SSID must be on a separate VLAN, with firewall rules preventing any lateral movement toward the cardholder data environment. This is a Requirement 1 and Requirement 6 issue, and it comes up in every QSA audit. IEEE 802.1X with WPA3 Enterprise is the authentication standard for any deployment where you need per-user credentials, certificate-based access, or integration with an identity provider like Active Directory or Azure AD. For pure guest networks, WPA3 Personal with SAE — Simultaneous Authentication of Equals — provides forward secrecy and protects against offline dictionary attacks, which WPA2-PSK does not. --- IMPLEMENTATION RECOMMENDATIONS & PITFALLS [~2 minutes] Right, so you understand what's being captured and the compliance framework. Let's talk about what actually goes wrong in production deployments. The most common failure mode I see is what I call the data lake problem. Organisations deploy a guest WiFi platform, start capturing session and identity data, and then do nothing with it because they haven't defined the use cases upfront. You end up with a growing database of email addresses and session records that nobody is querying, and when the ICO comes knocking, you can't justify the retention period because there's no documented purpose. Define your use cases before you deploy. If you're capturing email for marketing, you need a marketing workflow. If you're capturing movement data for footfall analytics, you need a dashboard and an owner. The second pitfall is misconfigured consent. I've seen deployments where the splash page presents a single checkbox that bundles together terms of service, privacy policy, and marketing consent. Under GDPR, those must be separate, unbundled, and individually actionable. A single checkbox fails the granularity test and exposes you to enforcement risk. Purple's platform enforces this by design — separate consent flags, separate audit records. Third pitfall: no data retention policy. Under GDPR's storage limitation principle, you cannot retain personal data indefinitely. Define your retention windows — typically 12 to 24 months for marketing data, 90 days for raw session logs — and automate the deletion process. Manual purging is not a compliance strategy. On the positive side, the organisations getting the most value from WiFi data collection are those who've connected the data pipeline end to end: from the captive portal, through the CRM, into the marketing automation platform, and back into the analytics dashboard. That closed loop is what turns a WiFi network from a cost centre into a revenue-generating asset. --- RAPID-FIRE Q&A [~1 minute] Let me run through the questions I get asked most often. "Can I capture WiFi traffic without a captive portal?" — Technically yes, at the session metadata level. But without authenticated identity, you're limited to anonymous device data. For commercial use cases, you need the portal. "Does MAC randomisation break my analytics?" — It affects passive probe-based tracking, but not authenticated session data. Once a user logs in, you have a persistent identity record regardless of MAC randomisation. "Do I need a DPA with my WiFi platform provider?" — Yes. Under GDPR Article 28, any third party processing personal data on your behalf requires a Data Processing Agreement. This is non-negotiable. "Can I share WiFi data with third-party advertisers?" — Only with explicit consent for that specific purpose. Bundling it into your general terms of service is not sufficient. --- SUMMARY & NEXT STEPS [~1 minute] To bring this together: your managed WiFi network is capturing four categories of data — device identifiers, session data, login and identity data, and movement and presence data. Each category has different commercial value and different compliance obligations. The organisations winning with WiFi data are those who've built the full stack: compliant capture at the edge, identity resolution in the middle, and actionable analytics at the top. If you're evaluating or upgrading your guest WiFi infrastructure, the questions to ask are: Does the platform enforce GDPR-compliant consent by design? Does it integrate natively with my CRM and marketing stack? Does it surface footfall and presence analytics without requiring additional hardware? And does it support IEEE 802.1X and WPA3 for enterprise authentication? Purple's platform is built to answer yes to all four. You can explore the guest WiFi and analytics capabilities at purple.ai. Thanks for listening. If you found this useful, share it with your network architect or venue operations team. Until next time. --- END OF SCRIPT Total estimated runtime: approximately 10 minutes at a measured professional pace.