CCPA and the Hospitality Sector
An important implication of the CCPA (California Consumer Privacy Act) is that it is not limited to companies headquartered in California.
Rather, it applies to any company that does business in the state of California. Additionally, any business that collects personal information, which in many cases is defined in terms much broader than those used by GDPR, must adhere to CCPA requirements.
The scope of personal information covers anything that can be associated with an individual, from financial and medical information to internet activity, IP addresses, and even inferences drawn from the data. Anything that can be associated with or identifies an individual could be covered.
Additionally, the CCPA defines “sale” as any transfer to a third party for consideration. This includes the transfer of information between brands operating under the same parent company. Knowing how consumer data is transferred within your organization will become very important with this law.
WHAT DOES IT MEAN FOR HOSPITALITY?
Hotels today collect large volumes of personal data, much of which could be sensitive in nature. The CCPA forces hotels to think about how they are managing this data, who has access to it, and who it is shared with: OTAs, car rental companies, travel excursion companies, etc. Hotels need to know where this data goes in order to understand whether it falls under the CCPA’s definition of the sale of information.
Types of Organizations to Which the CCPA Applies:
Any for-profit organization that collects consumers’ personal data, does business in California, and satisfies at least one of the following three requirements:
- Has annual gross revenues in excess of $25M
- Possesses the personal information of 50k or more consumers, households, or devices on an annual basis
- Earns more than half of its annual revenue from selling consumers’ personal information
Individuals to Which the CCPA Applies: California residents – including both consumers and employees
MAJOR THEMES OF COMPLIANCE:
Right to disclosure – This is the right to be informed, at or before the time personal information is collected, of the type of information being collected and why it is being collected. Additionally, consumers under this law have the right to request, after the fact, a data trail of what information was collected about them and how it was used.
This presents two significant problems for hotels. First, hotels will need to be able to track every data point they have collected on individuals, including where the data was sent and how it was used.
With hundreds if not thousands of data points collected on every individual, this is daunting. Second, hotels will be tasked with verifying the identity of the requester to ensure the request isn’t a form of fraud.
Right to deletion – Consumers have the right to request that a business delete all of the information it has on file about them. However, there are nine exceptions to this right under GDPR and similarly under the CCPA. Unfortunately, consumers will often try to use this right as a way of abusing the system or creating what they think is a loophole to escape obligations, for example to escape payment for services such as bar bills, room service, cancelled bookings, etc.
Right to opt out – This refers to the consumers’ right to opt out of the downstream “sale” of their personal information.
Right to non-discrimination – Businesses can’t deny goods or services to consumers who exercise their privacy rights.
The right to opt out and the right to non-discrimination present a particularly troubling issue for hotel loyalty programs. In fact, it is impossible to comply: for example, a hotel needs a person’s stay information to be able to give them the loyalty benefits that come along with their stay. There is currently an amendment pending that could specifically exclude loyalty programs, but if the amendment doesn’t pass, this could put significant stress on loyalty programs.
What are the penalties?
There are two possible outcomes.
- In the case of a data breach, individuals will be given the opportunity to bring a class action lawsuit on the basis of statutory damages. This means that consumers will not have to prove they suffered any damages; they will only have to prove their information was exposed and the company did not have reasonable security measures in place. Damages will range between $100-$750 per person per incident. So if 10,000 California residents are impacted by a breach, that’s a minimum of $1 million, besides all of the additional costs associated with data breaches.
- The attorney general can pursue hospitality companies for any breach of the law, which will usually result in a fine. The hospitality company will be given 30 days to fix whatever the offense was before the fine is imposed.
Hospitality Sector Vendor Risk
For many hospitality companies, their partnerships with vendors could pose a significant risk. However, the CCPA offers specific provisions that hotel companies can include in their contracts with service providers so that they are not liable if the service provider misuses the consumer data. This is a protection built into the law.
Our ten advisory steps that hospitality companies can take to minimize their risk:
1) Assess your CCPA compliance
2) Complete CCPA assessments
3) Map the flow of personal data to perform key CCPA tasks
4) Streamline and comply with CCPA consumer rights
5) Meet the “Do not sell my personal information” requirement
6) Enable location specific cookie banners
7) Review vendors for CCPA contract obligation accountability
8) Comply with California data breach notification laws
9) Train employees
10) Enable reporting and metrics; keep evidence of consumer reports