By: Kenneth Carnesi, Sr., JD & COO, with 10 years in the Bulk Wi-Fi MSP industry
In a decade of building compliance programs for managed service providers that deliver bulk Wi-Fi to apartments, condos, student housing, and hotels, I have watched one principle quietly become the single most important lever a property-side ISP can pull: data minimization. Not encryption. Not segmentation. Not even your incident response plan. Minimization — the discipline of collecting, processing, and retaining only the personal data you actually need — is what separates the operators who sleep at night from the ones who get a call from a state AG.
Here is why it matters more in our corner of the industry than in almost any other, and what I tell every operator I advise.
We sit on a uniquely toxic data set
A bulk Wi-Fi MSP is not a “normal” ISP. We are typically contracted by the property owner, the residents are not our customers in the traditional sense, and our network sees everything that crosses the property’s pipe. On any given night, our systems can touch resident names tied to unit numbers, government-issued ID from onboarding, payment instruments (where applicable), device MAC addresses, hostnames that frequently embed real names, DHCP leases, DNS queries, NetFlow, captive-portal logs, RADIUS accounting records, location data inferred from AP associations, and — if we are not careful — deep packet inspection artifacts that vendors throw in “for analytics.”
Stitched together, that is a behavioral dossier on every person in the building. It tells you when they wake up and leave, which streaming services they use, when guests visit, and which units have children’s devices. It is exactly the kind of data set that regulators, plaintiffs’ lawyers, and threat actors find irresistible. The less of it you keep, the smaller every one of those problems becomes.
The regulatory floor keeps rising
When I started, “privacy compliance” in this industry mostly meant a CPNI checkbox and a CALEA contact. Today, every operator with a multi-state footprint is navigating GDPR for international properties, CCPA/CPRA in California, and a growing patchwork of state laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and more — most of which now explicitly codify minimization. The FTC has made clear through its enforcement orders that collecting data you do not need or keeping it longer than necessary is itself an unfair practice, regardless of whether a breach ever occurs.
The common thread across every one of these regimes is the same: you must tie each data element to a specific, disclosed purpose, and you must stop processing it when that purpose ends. An MSP that “logs everything just in case” is no longer making a conservative engineering choice. It is creating standing legal exposure.
Breach math is brutal, and minimization is the only real hedge
Encryption helps. Segmentation helps. But the cost of a breach scales with the volume and sensitivity of the records exposed. A captive-portal database with 200,000 resident records — names, emails, unit numbers, MACs, session histories going back five years — is a seven-figure incident before you have paid a single lawyer. The same database, scoped to active residents only, with session logs purged at 30 days and PII tokenized, may not even trigger notification thresholds in several states.
I have run this exercise with operators after the fact more times than I would like. In every case, the variable that drove the cost was not how the attacker got in. It was how much we had sitting there when they did.
Property contracts are starting to require it
The other shift I have seen in the last three years is on the contracting side. Sophisticated property owners — REITs, large hotel brands, universities — now include data minimization, retention caps, and deletion-on-termination clauses in their MSAs. If you cannot prove that you collect only what the service requires, that you can produce a data map on demand, and that you can hard-delete a former resident’s records within a defined window, you will start losing bids. I have personally watched two operators get cut from finalist lists over exactly this.
Minimization, in other words, is becoming a commercial qualification, not just a legal one.
What “doing it” actually looks like
Operators ask me what minimization looks like in practice for a bulk Wi-Fi shop. The honest answer is that it is unglamorous and continuous. The work I push every client to do, in roughly this order:
Map the data first. You cannot minimize what you have not inventoried. Walk every system — RADIUS, DHCP, DNS, captive portal, billing, CRM, ticketing, analytics, vendor portals — and write down every field, where it came from, why you have it, and when it expires. Most operators discover at least three systems they forgot they were feeding.
Tie every field to a stated purpose. If no one can articulate why a field exists, it should not. “Marketing might want it someday” is not a purpose. Neither is “the vendor’s default schema includes it.”
Set retention at the field level, not the table level. Session accounting may need 30 days for support. DNS logs rarely need more than 7. Identity records tied to an active account live as long as the account does, and not a day longer after termination. Automate the deletion; do not rely on a quarterly script that someone will forget to run.
Push minimization upstream into procurement. Every new vendor — analytics platforms, captive-portal providers, AI assistants, marketing tools — wants more data than they need. Negotiate the schema before you sign, not after. Your DPA should name the fields, not just the categories.
Tokenize and aggregate aggressively for anything labeled “analytics.” If the business question is “how many devices connected last month,” you do not need MAC addresses to answer it. If your analytics vendor insists otherwise, find a different one.
Train the engineers, not just the lawyers. The decisions that create exposure are made in pull requests, not in policy documents. Minimization must be a design review criterion; otherwise, it will not stick.
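The sketch below is an added illustration, not code from the article or from any vendor product, of three of the steps above: a data map with a stated purpose per field, retention enforced per field rather than per table, and keyed tokenization so device counts never need raw MAC addresses. The field names, the 30-day window on the device token, the key, and the sample records are assumptions constructed for the example; the 30-day and 7-day figures for session and DNS data are the article's.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical data map: field -> (stated purpose, retention in days).
# 30 and 7 are the article's figures; the field names are assumptions.
POLICY = {
    "session_bytes": ("support troubleshooting", 30),
    "dns_query": ("resolver debugging", 7),
    "device_token": ("monthly device counts", 30),
}

def tokenize_mac(mac: str, key: bytes) -> str:
    """Keyed one-way token: stable for counting, not reversible without the key."""
    norm = mac.lower().replace("-", ":").encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def ingest(raw: dict, key: bytes) -> dict:
    """Keep only fields with a stated purpose; the raw MAC is never stored."""
    rec = {"ts": raw["ts"], "device_token": tokenize_mac(raw["mac"], key)}
    rec.update({f: raw[f] for f in POLICY if f in raw})
    return rec

def enforce_retention(records: list, now: datetime) -> list:
    """Drop each field once its own retention window has passed."""
    kept = []
    for rec in records:
        age = now - rec["ts"]
        live = {f: v for f, v in rec.items()
                if f in POLICY and age <= timedelta(days=POLICY[f][1])}
        if live:  # a record with no live fields is deleted outright
            kept.append({"ts": rec["ts"], **live})
    return kept

def distinct_devices(records: list) -> int:
    return len({r["device_token"] for r in records if "device_token" in r})

# Constructed sample data (not real residents or devices).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
KEY = b"constructed-demo-key"  # assumption: a real key comes from a secrets store
RAW = [
    {"ts": NOW - timedelta(days=2), "mac": "AA:BB:CC:00:00:01",
     "hostname": "Janes-iPhone", "dns_query": "example.com", "session_bytes": 1200},
    {"ts": NOW - timedelta(days=10), "mac": "aa-bb-cc-00-00-01",
     "dns_query": "example.org", "session_bytes": 900},
    {"ts": NOW - timedelta(days=12), "mac": "AA:BB:CC:00:00:02", "session_bytes": 50},
    {"ts": NOW - timedelta(days=45), "mac": "AA:BB:CC:00:00:03", "session_bytes": 7},
]
STORE = enforce_retention([ingest(r, KEY) for r in RAW], NOW)
```

The token stays linkable by anyone who holds the key, so the key needs its own access control and rotation schedule.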
The reframe I leave every operator with
For a long time, our industry treated data as a free byproduct of running the network — something you collected because you could and figured out what to do with later. That model is over. Every record you hold is a liability with a carrying cost: regulatory, contractual, reputational, and, eventually, financial. Every record you do not hold is one you do not have to defend, disclose, delete, or explain.
In bulk Wi-Fi, where the data is unusually intimate and the regulatory environment is moving faster than most operators’ roadmaps, minimization is no longer a nice-to-have privacy posture. It is the cheapest, most durable risk control we have. The operators who internalize that now will spend the next decade competing on service. Those who do not will spend it answering subpoenas.
Disclaimer
This article is for general informational purposes only and is not legal advice. It does not create an attorney-client relationship, and it may not reflect the most current legal developments in your jurisdiction. Consult qualified counsel before acting on any of the issues discussed.