Captivo
Start Free
All posts
June 3, 2026 5 minLaw No. 5651ComplianceGuest WiFi

Turkey's Law No. 5651 & Guest WiFi Logging: A Guide for Businesses

If you offer internet to customers, guests or visitors in Turkey — in a cafe, hotel, mall or office — you have a legal responsibility under Law No. 5651. This guide explains what the law requires, who it covers, and how to stay compliant with minimal effort.

In short: Businesses offering open internet to guests must keep connection logs (who connected and when) and retain them for a set period. This is achieved with a captive portal plus a logging system.

What is Law No. 5651?

Law No. 5651 regulates the obligations of parties that provide internet access. For businesses, the key point is this: as a mass-use provider, you must keep access logs for the internet you offer to your guests.

Who is covered?

Almost every business offering paid or free internet to guests falls under it:

  • Hotels, motels, guesthouses and accommodation facilities
  • Cafes, restaurants and bars
  • Malls, plazas and business centers
  • Gyms, salons, waiting areas
  • Companies offering a guest/visitor network in their offices

What must be logged?

The goal is to be able to later determine who made an access and when. In practice, the core records to keep are:

  • Connection start and end time (timestamp)
  • The IP address assigned to the user
  • Device identifier (MAC address)
  • The data that identifies the user (e.g. an SMS-verified phone number)

Preserving the integrity of the records (so they can't be altered afterwards) and having accurate timestamps also matters.

How long must it be retained?

The minimum retention period for access logs is two years. Records must be stored securely during this time and made available on request. At the end of the period — in line with data-protection principles — unnecessary data should be deleted.

Relation to data protection: Law No. 5651 makes you keep records; privacy law (KVKK) requires those records (since they contain personal data) to be processed securely and deleted when the period expires. Both obligations must be managed together.

The risk of non-compliance

Businesses that fail to keep records or meet their obligations may face administrative fines. More importantly, being unable to produce logs for a crime committed over your network can shift responsibility directly onto the business.

How to become compliant

Compliance is achieved by placing a captive portal (a welcome/login screen) in front of the guest network, then identifying and logging every connection. A typical flow:

  1. The guest joins the WiFi network and is redirected to the portal that opens automatically.
  2. They identify via phone number (SMS verification), room number or voucher.
  3. After verification they go online; a connection record is created at this point.
  4. Records are kept time-stamped and securely for two years.

Compliance with Captivo

Captivo automates this entire process. It provides a branded welcome portal with SMS verification; keeps connection records time-stamped and encrypted, retains them for two years, and deletes them automatically when the period expires. It offers exportable reports for audits. It integrates with your existing pfSense or OPNsense setup in minutes — no new hardware needed.

To make your hotel's, cafe's or business's guest WiFi legal and modern, explore our solutions or create a free account.

This content is for general information only and is not legal advice. For your specific situation, consult a legal professional.

Make your guest WiFi legal and modern

Try the compliant captive portal — free.

Start Free