Do Not Disturb: Navigating Guest Privacy Around Vaccination Status

The fact that vaccination efforts have been gathering significant momentum in recent weeks is undoubtedly a positive development. In the US, at least, the nationwide rollout of vaccinations is so far ahead of schedule that by April 19th, 90% of Americans will be eligible for a COVID-19 vaccine.

For hotels and accommodation providers curtailed by measures such as social distancing and maximum occupancy requirements, as well as reduced customer confidence, this is a particularly positive sign. However, as vaccination becomes more ubiquitous, hospitality businesses will also face an incredibly tough question. Before they spend a night at your premises, should guests be made to prove they are vaccinated or currently test-negative for COVID-19?

While the Biden administration has ruled out a federal vaccine “health passport,” dozens of different solutions for proving and processing an individual's vaccination and COVID-19 status are currently in development. The market for these tools is driven both by changing vaccine verification requirements at the state level and the increasing appetite for COVID-19 safety solutions in the private sector.

As a result, for many hotels and accommodation providers, navigating customer health status is likely to be an increasingly pertinent problem for the foreseeable future. Unfortunately, dealing with this issue will also be complex and fraught with nuance. A significant reason why is privacy.    

How Vaccine Passes Work

Because a federal vaccine database does not exist, all vaccine and health passports (whether paper or digital) rely on a user uploading a vaccination record provided by a vaccination site such as a pharmacy. This record is then verified by a "passport provider," generally a private company, and connected to an individual's account. A verified individual can then show proof of vaccination or a recent negative test to a business or organization through a linked website, app, or scannable document.

From a privacy point of view, this operational methodology is highly problematic. All forms of COVID-19 health status verification entail a third-party organization storing and processing an individual's test results or vaccine information — meaning that an individual's data is centralized in the hands of third parties. As a result, storing and processing customer data may also increase some businesses' vulnerability to data breaches and place customer data at risk of being shared with other parties.

The Inherent Privacy Trade-Off

While vaccine passport providers all claim to have impregnable systems in place to protect user data, regardless of what system individuals and organizations choose to deploy, their use in hospitality businesses will at least somewhat infringe guest privacy. This privacy infringement will arise because participating businesses will need to insist on receiving proof of vaccination status and ultimately discriminate against certain individuals.

While some level of discrimination may be sensible in light of the continued threat from COVID-19, the accompanying privacy infringement may also be highly off-putting to the growing number of Americans who place a premium on protecting their privacy. According to a recent study by The Pew Research Center, over half of all American consumers will not use a product or service they fear may impinge their privacy. When it comes to vaccine passports, privacy is also a leading concern Americans have about their widespread use.

Mitigating the Privacy/Safety Trade-Off

For hospitality businesses in areas that will either not require or, as has already happened in states like Texas and Florida, ban mandatory vaccination verification, deciding whether to make vaccination compulsory for customers will be a divisive issue.

Nevertheless, with most businesses now depending on increased consumer confidence, many are likely to adopt health verification solutions to speed up bookings and minimize the necessity for other restrictions. However, as health verification becomes widespread, hospitality businesses still need to ensure that it is made equitable to all customers and has minimal impact on guest privacy.

On one level, technology should not be a barrier to access, and for less digitally savvy guests, hospitality businesses should consider alternative arrangements, such as rapid antigen testing at entry. When possible, it is also essential to timebox any mandatory vaccination requirements and communicate reasons, procedures, and privacy protection measures that your business will give customers who consent. To reassure and attract privacy-focused guests, navigating these concerns means that hospitality businesses also need to strive towards curating a robust privacy-focused culture within their operations.

Final Thoughts

As vaccination continues at pace, decreasing infection rates may lead to a reduced need for proof of vaccination. An optimistic view is that state-level requirements for vaccine passports may be temporary. However, because some states and regions are likely to keep developing verification systems, whether to prepare for future outbreaks or vet international travelers, maintaining an openness to verification may still be necessary.

As a result, for every business in the hospitality industry, understanding how vaccine passports impact guest privacy and having a strategy to mitigate concerns will remain vital for some time to come.

ABOUT THE AUTHOR

Rob Shavell is CEO of Abine / DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).