On the site, you clearly and clearly state that you have nothing to do with the published data, that the user who posted the information is responsible for them. And, of course, if the institution writes to you and asks you to delete their password, delete it. And then there will be no problems.

The point of such a site is 0.0001%, it will work only in those institutions where the admins are so stupid that they put an ordinary primitive router on the guest network, in normal cafes the radius server distributes passwords: they are session (each check has its own password), one password is allowed connect only one device (the second one will not pass authorization), the password lives for a certain time (no more than a day), the one who first received the password (at the time of receipt was photographed by a recording surveillance camera) will be responsible for all actions from under this account

If no non-disclosure papers were signed, then why not.
Passwords are not stolen, they are brought by themselves.
So that's all right.

If you have data by which you can identify the user who left the password, and you yourself indicate in the agreement what the user carries for the information left on the site, then you are, in principle, clean before the law. Just at the request of the wi-fi owners, you will have to remove such information from the site, and at the request of the authorities, you will also have to present data about the user who posted the information on your site. If you are hosting only "anonymous", then the demand will be from you, as from the owner of the resource. Somewhere recently on Habré it was discussed.

The fact that information is provided to someone somewhere on a piece of paper personally, and not published on the coffee shop website in a public form, as it clearly hints that the cafe is against unlimited uncontrolled distribution.
And maybe - and even FOR, if it will increase the interest of visitors to them.
How much against in each case, whether it can be ignored and how to deal with if they run into - other authors have already described.

In Ukraine - create at least 5 points in a cafe, and write passwords at the entrance or write that without passwords.

If I were you, I wouldn’t worry about this at all, but would simply silently use hotspots and guest ARs for shadow purposes, if you really want to go to the side of the black hats.