How to leverage SMS marketing service to increase return visits

Executive summary

SMS marketing delivers a 98% open rate, with 90% of messages read within three minutes of delivery [Sakari, 2025]. For venue operators running Guest WiFi across hotels, retail estates, or stadiums, the data capture infrastructure already exists. The missing step is converting that anonymous network traffic into a verified, consented SMS subscriber list. Purple Engage captures phone numbers at the captive portal, enforces a double opt-in verification flow, and automates campaign dispatch based on physical presence analytics. The result: conversion rates between 21% and 30%, and an ROI of $21 to $41 for every $1 spent on SMS. This guide covers the end-to-end architecture, from access point to SMS gateway, the compliance requirements under GDPR and TCPA, and the segmentation strategies that separate relevant offers from spam. Two worked examples show exactly how a hotel group and a retail chain deploy this in practice.

Technical architecture: from access point to SMS gateway

The data pipeline for an SMS marketing service begins at the wireless controller. Whether you deploy Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet access points, the mechanism is consistent: the controller intercepts unauthenticated HTTP traffic and redirects the device to the captive portal hosted by Purple.

The captive portal is the data capture layer. To build an SMS subscriber list, you configure the portal to present a phone number field alongside the standard email or social login options. The critical architectural decision here is the verification method.

Double opt-in verification flow

A single opt-in, where the user enters a number and taps connect, is insufficient for two reasons. First, it allows users to enter fictitious numbers to bypass the login screen, polluting your CRM with unreachable contacts. Second, it does not satisfy the "prior express written consent" standard required by the TCPA for US venues, nor the "unambiguous indication" standard under GDPR for UK and European venues.

The double opt-in flow resolves both problems:

1. The visitor enters their mobile number and selects the SMS marketing opt-in checkbox (unchecked by default).
2. Purple Engage triggers a POST request to the SMS gateway API (e.g., Twilio or Infobip).
3. The gateway sends a one-time password (OTP) to the device via SMS.
4. The visitor enters the OTP on the portal. A successful entry confirms the device is in the visitor's possession.
5. Purple logs the consent record, including the timestamp, IP address, portal version, and the exact consent text displayed.
6. The RADIUS server authenticates the session and grants network access.

This flow ensures every phone number in your database is reachable, verified, and accompanied by an auditable consent record.

Hardware integration and RADIUS authentication

Purple operates as a cloud overlay on top of your existing hardware. The captive portal redirect is configured at the wireless controller level using standard RADIUS change of authorisation (CoA) messages. When the OTP is validated, Purple sends a RADIUS CoA packet to the controller, which moves the device from the unauthenticated VLAN to the internet-access VLAN. This is hardware-agnostic and does not require firmware changes to the access points.

For venues running Guest WiFi across multiple sites, the Purple platform centralises the subscriber database, meaning a guest who opts in at a Manchester location is identifiable when they visit a London site.

Compliance frameworks: GDPR and TCPA

Running an SMS marketing service without a well-structured compliance architecture exposes your organisation to substantial fines. The Information Commissioner's Office (ICO) can issue fines of up to £17.5 million or 4% of global annual turnover under UK GDPR. In the US, TCPA violations carry statutory damages of $500 to $1,500 per unsolicited text.

GDPR requirements (UK and EU)

Under GDPR, consent for SMS marketing must be:

• Freely given: The opt-in cannot be a condition of accessing the WiFi. The checkbox must be optional.
• Specific: The consent must explicitly state that the user agrees to receive SMS marketing messages from the named organisation.
• Informed: The privacy policy must be accessible from the portal and must explain how phone data is stored and used.
• Unambiguous: Pre-ticked checkboxes do not constitute valid consent. The user must take an active, conscious-choice opt-in.

Purple stores the full consent record, including the version of the privacy policy displayed at the time of opt-in. When a user replies STOP, Purple automatically updates the profile and suppresses future messages, maintaining a synchronised suppression list.

TCPA requirements (United States)

The TCPA requires "prior express written consent" for automated marketing texts. The FCC's 2025 one-to-one consent rule further tightens this: consent obtained for one business cannot be shared with or sold to another. For multi-brand venue operators, this means each brand requires its own consent record.

Every SMS you send must include:

• The sender's identity.
• A clear opt-out instruction (e.g., "Reply STOP to opt out").
• Disclosure that message and data rates may apply.

For a detailed review of data platform architecture underpinning these requirements, see our customer data platform guide .

Segmentation strategy: using location analytics to drive relevance

Batch-and-blast SMS campaigns produce high opt-out rates. The 53% of subscribers who unsubscribe cite over-frequency as their primary reason [Sakari, 2025]. The antidote is relevance, and relevance requires segmentation.

Purple's WiFi Analytics platform tracks device MAC addresses across the venue network, building a behavioural profile for each visitor:

Using Purple Engage, you configure these segments as dynamic rules. When a visitor's behaviour matches a rule, the platform automatically dispatches the pre-configured SMS. No manual intervention is required.

Timing and frequency rules

SMS campaigns require tighter frequency controls than email. Industry data shows that 49% of subscribers prefer receiving promotional SMS no more than once every two weeks [Sakari, 2025]. Configure the following guardrails in Purple Engage:

• Minimum gap between messages: 14 days per subscriber.
• Quiet hours: No messages between 21:00 and 09:00 local time.
• Post-visit delay: Wait at least two hours after a visitor disconnects before sending a return-visit offer. Sending while they are still on-site is poor timing.
• Opt-out suppression: Immediately suppress any subscriber who replies STOP, and do not re-add them unless they explicitly opt back in.

Implementation guide: step-by-step deployment

The following steps apply to a venue operator deploying SMS marketing for the first time using Purple Engage on an existing Guest WiFi network.

Step 1: Audit the captive portal. Review the current login flow. Confirm the portal is hosted by Purple and that you have access to the portal editor. Identify which login methods are currently active (email, social, phone).

Step 2: Add the phone number field. In the Purple portal editor, add a phone number input field with country code selector. Set the SMS marketing opt-in checkbox to unchecked by default. Write the consent language in plain English, naming your organisation and the type of messages the user will receive.

Step 3: Configure the SMS gateway. In Purple Engage, connect your SMS gateway account (Twilio, Infobip, or a compatible provider). Configure the OTP message template and the verification timeout (recommend 10 minutes).

Step 4: Update the privacy policy. Ensure the privacy policy linked from the portal explicitly covers SMS marketing data. State the retention period, the third-party processors involved, and the opt-out mechanism.

Step 5: Build your first segment. Start with the simplest segment: visitors who connected more than 30 days ago and have not returned. This win-back segment has the clearest business case and the lowest risk of over-messaging active visitors.

Step 6: Create the campaign. Write a message under 160 characters. Include the offer, a short URL (use a UTM-tagged link for tracking), and the opt-out instruction. Test the message by sending to a seed list of internal numbers before activating.

Step 7: Measure and iterate. Track click-through rate, redemption rate (via POS or booking system), and opt-out rate. A click-through rate below 5% indicates the offer is not relevant enough. An opt-out rate above 2% indicates the frequency is too high.

For broader context on how Guest WiFi fits into your venue's first impression strategy, see our guide on making a great first impression with your guest WiFi .

ROI and business impact

SMS marketing consistently outperforms email in direct response scenarios. The performance gap is not marginal.

Source: Sakari SMS Marketing Statistics 2025-2026; Textedly Email vs SMS Marketing 2025.

For venue operators using Purple, the acquisition cost of building the SMS subscriber list is near zero, because the data is captured as a by-product of providing Guest WiFi. This pushes the effective ROI significantly above the industry benchmark.

Purple operates across 80,000+ live venues and has collected 29 billion data points. Venues on the Engage plan that activate SMS campaigns report measurable uplift in return visit frequency within the first 90 days of deployment (Purple internal data).

Troubleshooting and risk mitigation

High failed delivery rate: If more than 5% of your SMS messages fail to deliver, the most likely cause is invalid numbers in the database. Audit your portal configuration to confirm the double opt-in OTP flow is active. Numbers that fail OTP verification should not be added to the marketing list.

High opt-out rate: An opt-out rate above 2% per campaign indicates a relevance or frequency problem. Review your segmentation rules. If you are sending the same offer to all subscribers regardless of behaviour, the messages are not relevant enough. Tighten the segment criteria.

RADIUS authentication failures after OTP: If users complete the OTP but do not receive network access, check the RADIUS CoA configuration on the wireless controller. The Purple platform sends a CoA packet to the controller's management IP on UDP port 3799. Confirm the shared secret matches and the firewall permits inbound CoA traffic.

Consent record gaps: If a data subject access request (DSAR) reveals missing consent timestamps, the portal may have been updated without versioning the consent text. Purple logs the consent text version at the time of opt-in. Ensure you increment the version number in the portal settings whenever you change the consent language.

International number formatting: If your venue attracts international visitors, ensure the phone number field uses E.164 formatting (e.g., +44 7700 900123). Incorrect formatting causes silent delivery failures at the gateway level. Validate the format server-side before triggering the OTP.

For multi-SSID network design considerations that affect how Guest WiFi is segmented from staff and IoT networks, see our guide on three SSIDs to rule them all .

References

[1] Sakari. (2025). SMS Marketing Statistics: Data-Backed Insights for 2025-2026. https://sakari.io/blog/sms-marketing-statistics-data-backed-insights-for-2025-2026

[2] Textedly. (2025). Text vs. Email Marketing: Which Channel Gets Better Results? https://www.textedly.com/blog/email-vs-sms-marketing-when-to-use-which

[3] Infobip. (2026). 2026 Guide to TCPA Compliance for SMS in the US. https://www.infobip.com/blog/tcpa-compliance-sms

[4] Purple. (2024). Purple Engage product data. Internal data. 80,000+ live venues, 29 billion data points collected.