In a society with a high demand for digital connectivity “on the move,” there is an increasing demand for public WiFi services to be made widely available. Businesses are understandably keen to meet that demand; however, there are a number of key areas of legal compliance which WiFi providers should be aware of before offering such services to the public.
a) Data Retention and the Stored Communications Act (SCA)
In the US, while there is no single federal mandate for public WiFi data retention, laws like the Stored Communications Act (SCA) and other federal guidelines aim to assist in the prevention and detection of organized crime and terrorism by regulating how communications service providers retain and disclose certain communications data, including internet user data. These standards can place obligations on providers to retain certain user data generated or processed in the US for 12 months from the date of the communication in question. The definition of communications providers can include public WiFi providers; however, specific requirements often depend on federal and state directives. Note that authorities may require cooperation unless the data in question is already retained in the US under other standards by another provider.
b) Data Protection Obligations
In addition to potential data retention obligations, public WiFi providers need to be aware of their obligations under the CCPA/CPRA and state privacy laws, which are triggered whenever they process personal data about individuals. These laws govern all use of personal data, including its storage and transmission. They may require a WiFi provider to comply with regulations enforced by the FTC and state attorneys general, and to comply with a whole host of other obligations, which includes the obligation to take appropriate technical and organizational measures to protect the security of all personal data it processes. This imposes a further layer of obligation (and cost) upon public WiFi providers if they are retaining personal data, such as data about individual users. A serious breach of these regulations can result in a penalty of up to $500,000.
c) Digital Millennium Copyright Act (DMCA): Online Copyright Infringement
The DMCA, among other things, places obligations upon “Internet Service Providers” (ISPs) aimed at tackling online copyright infringement. These obligations include notifying users upon receiving a copyright infringement report relating to their account and providing anonymous copyright infringement lists to copyright owners. Initially there was concern that public WiFi providers would also be subject to these obligations.
In June 2012, the FCC published a revised draft code to underpin the initial obligations of ISPs introduced by the DMCA. In an interim statement, the FCC made it clear that WiFi providers would initially be outside the scope of the code, which would only apply to ISPs with over 400,000 subscribers in the US. The basis for this was that the costs of participation for WiFi providers would be disproportionately high compared to the expected results to be achieved. The FCC has, however, stated that they will consider extending the coverage of the code if they deem it to be necessary upon reviewing the scope of the code in the future. This is therefore something that public WiFi providers should look out for.
By making their internet connection available to public users, WiFi providers have little or no control over what those users access, which exposes them to potential liability if material is illegally downloaded by public users via their connection. To try and minimize such liability, providers are advised to clearly demonstrate that they have taken steps to try to prevent copyright infringement by ensuring that users must register to use their service and by imposing clear terms and conditions of usage on users.
Conclusion: A Way Forward?
Although the government will be keen not to overload public WiFi providers with regulatory obligations in light of the significant benefit the expansion of these communications services can bring to the economy, this is necessarily balanced by the need to regulate this industry in order to protect data privacy, assist in the fight against organized crime, and to reduce the online infringement of intellectual property rights. As the availability of public WiFi increases, so does the threat to these interests, making it likely that regulation will continue to increase.
A guest blog by Emily Turner, Squire Patton Boggs Associate


