How Consumer Privacy Laws Impact the Hospitality Space
By Dana Kravetz, Managing Partner, Michelman & Robinson, LLP | November 17, 2019
This article was co-authored by Scott Lyon, Partner, Michelman & Robinson, LLP
With a population just shy of 40 million people, California is by far the most populous state in the nation. How big is the Golden State? Consider this: California's economy, around $2.7 trillion, is the fifth largest in the world, putting it ahead of the United Kingdom, India, France, South Korea and even Russia.
Bottom line: Californians represent a significant percentage of consumers, not just in San Diego, Los Angeles, San Francisco and cities and towns in between, but throughout the U.S. Which should give hoteliers pause when pondering this additional fun fact: California is also home to the nation's strictest privacy law, the California Consumer Privacy Act (CCPA), which comes online January 1, 2020.
Privacy, a topic once reserved for the "do not disturb" signs that hang on hotel room doors across the globe, is now (or should be) front and center on the radar screens of hospitality executives everywhere. And that's because of statutes like the CCPA and similar domestic legislation in places like Colorado and Nevada, as well as the General Data Protection Regulation (GDPR) that became effective in the European Union on May 25, 2018. These laws create certain rights and restrictions with regard to the personal information (PI) and data collected from folks in California, Colorado, Nevada, the EU and every other jurisdiction that has (or may soon have) comparable privacy laws on the books.
For owners and management of hotels visited by customers hailing from these places, it's extremely important that they understand the nature of this new wave of privacy legislation and how it impacts their businesses. This article aims to place the privacy picture in better focus, with an overview and breakdown of the CCPA and GDPR, the two most significant privacy laws, to date.
California's pending privacy law gives Californians new valuable rights concerning their PI. Broadly, pursuant to the CCPA, consumers in California are entitled to know what PI is being collected about them; whether it's being sold and to whom; to access a copy of their PI; to delete any and all PI collected; and to opt-out of its sale. Likewise, consumers are protected against discrimination if they invoke these rights.
While the majority of the CCPA has been fully fleshed out in its statutory form, the California Attorney General is expected to issue clarifying regulations in the coming months, which will presumably include procedures for verifying a consumer's identity when processing CCPA requests. In the meantime, the CCPA and its applicable amendments prompt several questions of particular interest to hoteliers:
1. Does the CCPA apply to me?
If your business collects information from California residents and 1) has more than $25 million in annual gross revenue; 2) buys, receives, sells or shares for commercial purposes the PI of 50,000 or more consumers, households or devices; and/or 3) derives 50% or more of its revenue from the sale of consumers' PI, then yes, you're subject to the mandates of the CCPA.
2. What's the definition of personal information?
PI includes anything that's capable of being associated, or could reasonably be directly or indirectly linked with a particular consumer or household, including a name, alias, postal address, unique personal or online identifier, internet protocol address, email address, account name or social security, driver's license or passport number. Of note, the CCPA doesn't restrict a business's ability to collect, use, retain, sell or disclose information that's either publicly available or doesn't specifically identify a particular consumer (for example, the number of customers fitting a specific demographic profile in a particular zip code, or a customer profile with all identifying data sets removed).
3. What must hoteliers disclose to California residents?
4. What are the opt-out requirements?
California consumers can prohibit businesses, including hotels, from selling their PI. To comply with this opt-out option, companies must conspicuously post their privacy policies online as well as provide a link that specifically reads, "Do Not Sell My Personal Information." Unless the business operates exclusively online, the business must also provide a toll-free number for consumers to make opt-out requests. Furthermore, the CCPA expressly prohibits businesses from discriminating against consumers who exercise their rights, such as refusing to book rooms on their behalf or charging different rates for accommodations. The law does, however, allow businesses to offer financial incentives to consumers relating to the sale of their PI.
5. What happens if I violate the CCPA?
It's first important to know that the power to enforce the law rests almost exclusively with the Attorney General of California. Proposed amendments to create a private right of action regarding privacy obligations have, thus far, failed. Nevertheless, even innocent violations of the statute can be costly: the AG can recover a civil penalty of up to $2,500 per infringement. In cases of intentional violations, the civil penalty can be up to $7,500 per violation. While this obviously hasn't been tested yet, it's believed that a "violation" (not defined in the CCPA) will be calculated on a "per consumer," not "per incident," basis, which means an unintentional violation affecting 1,000 customers could expose a hotel operator to up to $2.5 million in civil penalties.
Taken together, it's clear that to the extent qualifying hoteliers collect and process PI from California residents, they'll be obligated to comply with the CCPA. And even though there's not a private cause of action for CCPA enforcement at present, it's absolutely foreseeable that the right to bring such an action may be adopted sometime going forward because the California AG will have a tough time effectively enforcing the statute as currently written. Which means that hoteliers that skirt the law could find themselves facing hefty exposure. The upshot: where California customers and their PI intersect, hotel owners and operators must prioritize CCPA compliance.
The CCPA was heavily influenced by the GDPR, which was initially adopted in 2016 and established certain rights of EU residents with regard to their personal data and how it's collected, processed, shared and retained.
Essentially, the GDPR provides individuals living in the EU the right to be informed about their personal data, the right to access it, the right to rectification, the right to be forgotten, the right to restrict processing of personal data, the right to data portability, the right to object to its use, and rights in relation to automated decision-making and profiling.
But how does this European privacy law affect domestic hoteliers? Well, for Europeans who travel abroad, the U.S. remains a popular destination, which is great news for hotel owners and operators, but a potential headache given the reach and mandates of the GDPR, as illustrated by way of the following questions and answers:
1. My company doesn't have any properties in the EU. Do I even have to be concerned about the GDPR?
In a word, yes, with the additional caveat that the deadline for compliance was more than a year ago. The GDPR applies to all cases where any one of the following is based in or operates from the EU: 1) the data controller (the company that collects EU resident data); 2) the processor (the company that processes data for the data controller, such as a website host); or 3) the data subject (the EU resident). There's no minimum threshold for compliance; if an organization collects data online from a single resident located in the EU, it needs to treat that data in compliance with the GDPR.
In more basic terms, if an EU resident stays at a hotel or resort located outside the EU (say, in Florida), that property is likely collecting information that pertains to that guest, and its handling of that data must comply with the GDPR.
2. But as a rule, I only collect names, email addresses and IP addresses. Do I still have to comply?
Again, the answer is yes. The GDPR focuses on "personal data" defined as "any information relating to an identified or identifiable natural person," a broad definition that encompasses many categories of information.
3. Can I just get my EU customers to waive GDPR compliance?
No. GDPR rights cannot be waived, though one way to collect, process or use a data subject's personal data is by obtaining his or her consent. Something else to keep in mind: the GDPR creates a "fundamental right" for EU residents to control how their data is collected, processed or retained. This isn't an "absolute right" in the sense that businesses have some right to collect or retain personal data if they obtain prior consent, require the information to fulfill a contract with the data subject, or need the information to comply with a legal obligation (such as a tax or regulatory reporting obligation).
Once more, no. Data subjects must take some affirmative action to indicate their consent, after you've fully informed them why you're collecting their data, how you'll use it, who you'll share it with, and how long you'll keep it. This can be in the form of an unchecked consent box (note: you can't pre-check it for them) or a text field where they can "digitally sign" or enter the words "I consent." All consent must be verifiable, so it's important to maintain records (date, time, IP address, etc.) and keep in mind that consent can later be withdrawn.
5. What if I decide to accept the risk of non-compliance and "roll the dice" in terms of an enforcement action? What's the potential penalty?
GDPR sanctions are severe, much more so than the corresponding CCPA penalties. You may be given a written warning for first or non-intentional cases of non-compliance, but you can also be fined the greater of 20 million euros or 4% of your annual worldwide turnover, depending on the type and severity of the violation. This isn't merely theoretical. Already, some record-breaking fines have been issued by EU data protection authorities, such as the $230 million penalty against British Airways based on a 2018 data breach affecting approximately 500,000 customers.
By virtue of the internet, any hotel with an online presence is a global business. And while that worldwide reach may be a blessing for revenue, with it comes a fair amount of responsibility: in the case of hoteliers serving consumers who are citizens of the EU, the legal obligation to protect data security and privacy as required by the GDPR. For most, this should be old news given that the deadline for compliance is in the rear view mirror, but for hotel owners and operators who've yet to comply (no matter the location of your business), the time is now.
A Patchwork of Consumer Privacy Laws
Commerce today revolves around personal data and its collection. Consumer names, addresses, credit card numbers and the like are routinely stored, and oftentimes shared, by the companies they do business with, subjecting them all to privacy concerns. Legislators worldwide have become mindful of this, and the law is rapidly evolving to ensure that PI and personal data are gathered legally and under strict conditions, and that consumers are protected from its misuse and exploitation. That starts with the CCPA, GDPR and related laws in states such as Colorado and Nevada (not to mention privacy legislation on the horizon in Massachusetts, New York, Maryland, Hawaii and North Dakota).
The takeaway for hoteliers is simply this: with multiple jurisdictions having adopted, or considering adopting, a patchwork of consumer privacy laws, they would be wise to implement comprehensive data privacy programs at an organization-wide level, to ensure uniformity in processes and avoid potential risks from state-specific non-compliance. Translation: the CCPA, GDPR and similar legislation should be top of mind, and for hotel owners and operators who haven't already done so, it's highly advisable that they begin working with privacy specialists on compliance programs straightaway.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.