Before you join the Wi-Fi hotspot at your local cafe, you might want to make sure it won’t follow your footsteps—literally—after you leave.

Ostensibly “free” Wi-Fi hotspots are in hundreds of thousands of businesses and public spaces across the United States. They’re in shopping malls. In airports. In chain restaurants. In local cafes. As a result, it’s easier than ever to get online. If your notebook or phone lacks a reliable data connection, you can still connect to a hotspot. But this convenience often comes at a price: your personal data and privacy.

When you use “free” Wi-Fi, there’s a good chance it’s managed by a third-party provider—which gets you online in exchange for your valuable sign-on data. The sign-on information that hotspots require will vary, but often includes your email address, phone number, social media profile, and other personal information. All can be used to target you with advertising and gain insights on your habits.

As Emory Roane, policy counsel at Privacy Rights Clearinghouse, told PCWorld: “Read through the Wi-Fi Terms of Use for any of these businesses and you’ll almost certainly realize that there’s still no such thing as a free lunch.”

That’s probably not a surprise to most Wi-Fi hotspot users. But what might surprise you is that some hotspot providers are taking data collection a step further, and quietly tracking millions of users’ whereabouts even after they’ve left an establishment. These hotspots are part of America's burgeoning location-based Wi-Fi marketing industry.

PCWorld spoke to privacy experts and Wi-Fi location-analytics companies to learn more about how this technology works, and what you can do to avoid being tracked.

Wi-Fi location tracking and you

PCWorld reviewed the privacy policies of a dozen Wi-Fi hotspot providers and found that they commonly ask users to agree to location tracking when they sign on. Some phrases that tip off this practice are “location data,” “location history,” “your location,” “device identifiers,” and “MAC address” (more on this later).

We reached out to all of the Wi-Fi companies, but only two with major operations in the United States responded to questions about tracking hotspot users. These networks, Zenreach and Euclid, log the locations of millions of smartphone and laptop owners who pass within range of their hotspots—even when these people don’t sign on.

Euclid Euclid tells businesses the location a customer visits the most and how likely they are to visit again.

According to Zenreach’s privacy policy, “Later, when the user’s device returns to this client location or enters the Wi-Fi range of another Zenreach router (of any Zenreach client), we automatically recognize the device and record the visit in our record for that device.”

According to Euclid’s privacy policy, “General Visit Information is collected as your mobile device moves across different Locations that use our technology.”

To give you an idea of a hotspot network’s scope, Zenreach counts Peet’s Coffee, Five Guys, IHOP, and KFC among its larger clients, according to its website. KFC has nearly 4,500 locations nationwide, so these networks can span broad swaths of urban areas.

How it works: Data collection begins at the captive portal

Zenreach These templates from Zenreach’s captive portal builder show you how a Wi-Fi hotspot’s sign-in form can appear.

When you connect to public Wi-Fi, you’ll usually be greeted with a sign-in form, also known as a “captive portal.” This is where you provide personal information and consent to terms of service to get online.

In the case of Zenreach, “by clicking ‘go online,’ you agree to our terms of use and privacy policy,” allowing them to track your location over time. Euclid is more explicit, saying, “you agree to provide this device’s location” next to where you can tick a box to consent.

Euclid Euclid’s captive portal notes they track location.

What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive portal—like your email address, phone number, or social media profile—can be linked to your laptop or smartphone’s Media Access Control (MAC) address. That’s the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.

Dieter Holger and Rob Schultz/IDG

As Euclid explains in its privacy policy, “... if you bring your mobile device to your favorite clothing store today that is a Location—and then a popular local restaurant a few days later that is also a Location—we may know that a mobile device was in both locations based on seeing the same MAC Address.”

MAC addresses alone don’t contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device’s MAC address is linked to someone’s profile, and the device’s Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.

“After a user signs up, we associate their email address and other personal information with their device’s MAC address and with any location history we may previously have gathered (or later gather) for that device’s MAC address,” according to Zenreach’s privacy policy.

This can reveal a detailed profile of someone’s daily habits. Where they shop, where they live, and what places they frequent at certain times could be laid bare by this data.

Euclid This panel from Euclid shows some of the data available to businesses on a customer traveling between their venues.

Stacey Gray, policy counsel at the Future of Privacy Forum, told PCWorld that associating a MAC address with someone’s movements between locations reveals “highly sensitive” information.

“Analyzing MAC signals from mobile phones can be valuable for retailers and others to calculate wait times, understand peak versus off-hours, or assign staff,” Gray said. “However, location data is highly sensitive when linked to an individual over time and across venues.”

Neither Euclid or Zenreach would provide PCWorld with exact figures on how many people’s data they’re collecting. But Euclid claims more than 120 million monthly active devices globally and said that the majority are in the US.

Zenreach told PCWorld that most of its hotspots are in the US—and it's the most well-funded of the Wi-Fi startups in the nation, having raised $80 million for a $210 million valuation as of March 2017, according to Crunchbase.

When asked to respond to people who might find Wi-Fi location tracking invasive, Zenreach co-founder Kai Umezawa highlighted the convenience, pointing out how his company makes it easy to get online.

“After customers log in to the Wi-Fi at a merchant location, we can recognize that device at any Zenreach network location,” Umezawa said. “The benefit for users is one-click access to Wi-Fi in any of these locations.”

Zenreach Zenreach lets businesses send automated emails based upon how many times a customer has visited.

All the hotspot providers PCWorld reviewed say they take data security seriously. A Euclid spokesperson said the company immediately anonymizes collected location data by “de-personalizing” or “hashing” it in non-human readable format when stored. That said, Euclid still processes and provides identifiable data to businesses on users' visits between locations they own.

Zenreach didn’t respond to multiple emails asking if they anonymize personal data collected over Wi-Fi, and the company's privacy policy makes no mention of doing so.

How the data is used differs from provider to provider, and where it might end up is another question entirely. Many promise never to share it. Others have more opaque policies, or, in the case of Zenreach, may outright share data with clients, affiliates, and other third parties. Euclid may also share data with advertisers, but only in “hashed” form.

How to protect yourself from being tracked by ‘free’ Wi-Fi

If you’re concerned about data being collected by free Wi-Fi hotspots, there are some simple steps you can take to protect your personal information.

Don’t use “free” Wi-Fi: The most obvious solution to protecting your data from free Wi-Fi networks is not to use them at all. Alternatives include using the data services from your cellular provider, or signing up for a more secure hotspot service like Boingo.

Disable Wi-Fi when you’re not using it: Enabling Wi-Fi lets these hotspots track you (and also drains your battery faster). There’s really no reason to keep your Wi-Fi on unless you need to connect.

Read the privacy policy: It’s tempting to skip reading the privacy policy, but if you take a few minutes to do so, you can learn how the Wi-Fi service is collecting your data and where it might end up. Keywords to look for are “MAC address,” “location,” “collect,” and “share.”

Opt-out of location tracking and delete your data: Location analytics companies let you opt-out of location tracking and delete your data, though some opt-outs are easier than others. How to opt out can be found in a privacy policy. You’ll be given a chance to review the policy before you sign into a captive portal, or you can find it on the hotspot provider’s website.

You’ll need to get your MAC address to opt-out of any location tracking. On an iPhone, you can find it under Settings > General > About, where it’s listed as your Wi-Fi Address. On Android, tap the menu key and go to Settings > Wireless & Networks or About Device. Press the menu key again and hit Advanced, and then you should see your device’s MAC address.

You can then provide your MAC address to opt-out of many, but not all, location-tracking services through the Future of Privacy Forum’s Smart Places web portal. This is a one-stop shop many location analytics companies work with voluntarily. (Companies should say in their privacy policies if they’re associated with the Future of Privacy Forum.)

Not all location analytics companies are associated with the Smart Places web portal, including Zenreach. In these cases, you’ll need to find a Wi-Fi hotspot provider’s email in its privacy policy and contact the company directly with your MAC address on hand. You should be able to request to opt-out, receive the data they have on you, and have it deleted. See the screenshot below from Zenreach’s policy:

Zenreach Like in the case of Zenreach’s privacy policy, you can usually find the email address for opting out of location data collection at the end of a company’s privacy policy.

Randomize your MAC address on Android: Since version P, Android has added a feature that allows you to randomize your smartphone’s MAC address to improve privacy. This lets you generate a new MAC address for every Wi-Fi hotspot you connect to, effectively stopping these companies from tracking you. You can switch on MAC randomization under Developer Options.

There's no need to go through a similar process on iPhones and iPads running iOS 11 and up, which automatically randomize their MAC address when scanning for Wi-Fi.

"Because a device’s MAC address now changes when disconnected from a Wi-Fi network, it can’t be used to persistently track a device by passive observers of Wi-Fi traffic, even when the device is connected to a cellular network," according to Apple's iOS Security Guide.

However, Apple also says "Wi-Fi scans that happen while trying to connect to a preferred Wi-Fi Network aren’t randomized," meaning a hotspot a device has connected to previously will be able to detect the device's actual MAC address.

Don’t sign in with social media: It may be convenient and quicker to sign in with Facebook, Twitter, or LinkedIn, but it’s also ideal for data harvesters. Your social profile, especially your Facebook “likes,” reveals a wealth of information about you.

A study published in 2015 by the National Academy of Sciences found that it takes just 10 Facebook “likes” for a computer model to know your personality better than a colleague does. In a previous 2013 study by the same researchers, also published by the NAS, the scientists used Facebook “likes” to predict whether someone was black or white with 95-percent accuracy, male or female with 93-percent accuracy, gay or straight with 88-percent accuracy, and Democrat or Republican with 88-percent accuracy.

Wi-Fi regulations on the horizon?

Unlike the United States, the European Union restricts individual, profile-based location tracking via Wi-Fi hotspots under the General Data Protection Regulation (GDPR), which went into effect in May, 2018.

GDPR considers device identifiers like MAC addresses “individually identifiable information,” entitling people with rights to have their personal data processed securely and deleted, and requiring explicit user consent in the captive portal for location tracking.

“Exact location is considered as very sensitive information across Europe. Companies tracking user location need to, among others, provide easily understandable notice and obtain explicit user consent,” Alja Poler De Zwart, EU-based privacy and data attorney at law firm Morrison Foerster, told PCWorld.

“Companies who do not abide by these rules, risk regulatory enforcement action, including the GDPR-style fines,” Poler De Zwart added.

Descrier/Flickr Since 2018, the 28 members of the EU have tightened their data and privacy laws.

Netherlands-based SpotOn Wi-Fi, a hotspot provider operating mostly in Europe, with some business in the United States, immediately anonymizes MAC addresses it associates with personal info to comply with GDPR.

“Without associating a MAC address to a social profile we wouldn’t be able to provide seamless roaming between cloud-based access points or create email campaigns that target guests with more than X visits,” Niek Giavedoni, founding director of SpotOn Wi-Fi, told PCWorld.

Giavedoni confirmed that the ability to track identified users via their devices is present in SpotOn Wi-Fi’s systems and other Wi-Fi networks, but he said it would be a privacy violation to track the locations of individual profiles through Wi-Fi in the EU.

“We are very much aware of the technical possibilities, the competitors that use it, and privacy concerns that come along with it,” he said.

Similar restrictions could make their way to the United States.

Government officials are grappling with how to safeguard personal data in the wake of Facebook’s Cambridge Analytica scandal, creating an opportunity for EU-like constraints on Wi-Fi location tracking to enter law. U.S. Senators Richard Blumenthal (D-CT) and Edward Markey (D-MA) are working on a federal “privacy bill of rights” to provide people with more protections and controls over data given over the web. Their offices didn’t respond to questions about their positions on Wi-Fi location tracking in time for publication.

States are taking action, too. California passed a sweeping privacy bill in June that goes into full effect in 2020. The bill guarantees Californians the right to know what data is being collected about them and whether it’s being sold or disclosed, and to refuse the sale of their personal information.

“Unique personal identifiers” are among the data types the bill covers, which include MAC addresses. But the rights the bill guarantees Californians are often already offered by companies voluntarily, and the bill still doesn’t restrict the location tracking that companies like Zenreach and Euclid employ.

Prayitno/Flickr California is the first state to pass its own data privacy bill, which will go into full effect in 2020.

Wi-Fi privacy regulations have actually taken a step backward at the federal level since the election of president Donald Trump, former Federal Communications Commission (FCC) staffer Marc S. Martin told PCWorld.

“One of the first acts by the Republican-controlled Congress and the Trump administration shortly after the president was inaugurated was to rely on the Congressional Review Act to repeal the FCC’s Broadband Privacy Rules,” said Martin, a partner at law firm Perkins Coie.

“Following that step, the Trump administration FCC repealed the FCC’s 2015 net neutrality rules,” he added.

Martin said because of these two repeals, there are currently “no prescriptive federal privacy rules or regulations governing Wi-Fi service providers in the United States.”

“It will take a new act of Congress, signed by the President, to adopt any new federal privacy rules governing public Wi-Fi service providers,” Martin said.