An educational session at HITEC 2019 in Minneapolis, Minn. took a deep dive into the California Consumer Privacy Act (CCPA) and its potential effect on the hospitality industry. Similar to the European Union's General Data Protection Regulation (GDPR), the CCPA is meant to address consumer data privacy rights for California residents. The CCPA was passed in June 2018 with a start date of Jan. 1, 2020. The session was hosted by Chris Keaton, privacy consultant at OneTrust and Doron Goldstein, Co-Chair Privacy, Data, & Cybersecurity Practice at Katten Muchin Rosenman LLP.
An important nuance to the law is that it does not limit itself to companies that are headquartered in California. Rather it applies to any company that does business in the state of California. Additionally, any business that collects personal information, which in many cases is defined in terms much broader than the terms used by GDPR, must adhere to CCPA guidelines. The scope of personal information covers anything that can be associated with an individual from financial, medical information to internet activity, IP addresses and even inferences that are drawn from the data. Anything that can be associated with or identifies an individual could be covered.
Additionally, the CCPA defines "sale" as any transfer to a third party for consideration. This includes the transfer of information between brands operating under the same parent company. Knowing how consumer data is transferred within your organization will become very important with this law.
What does it mean for hospitality?
Hotels today are collecting all kinds of large volumes of personal data that could be sensitive in nature. The CCPA sheds light on how hotels now need to think about how they are managing this data, who has access to it, and who it is shared with: OTAs, car rental companies, travel excursion companies, etc. Hotels need to know where this data goes to better understand if it falls under the CCPA's term of the sale of information.
Types of Organizations to Which the CCPA Applies:
Any for-profit organization that collects consumers' personal data, does business in California, and satisfies at least one of the following three requirements:
- Has annual gross revenues in excess of $25M
- Possesses the personal information of 50k or more consumers, household or devices on an annual basis
- Earns more than half of its annual revenue from selling consumers' personal information
Individuals to Which the CCPA Applies: California residents – including both consumers and employees
Major themes of compliance:
Right to disclosure – This is the right to be informed before or the time that personal information is collected, as well as the type of information being collected and why it is being collected. Additionally, consumers under this law have the right to request a data trail of what information was collected about them and how it was used after the fact.
This presents two significant problems for hotels. First, hotels will need to be able to track every data point they have collected on individuals including where the data was sent and how it was used. With hundreds if not thousands of data points collected on every individual, this is daunting. Second, hotels will be tasked with verifying the identity of the requestor to ensure this isn't a form of fraud. One possible scenario is that a person who was formerly a spouse or some other close relation tries to stalk an unsuspecting individual by making this type of request using information they may have had access to when their relationship was on good terms, such as social security numbers, date of birth, and other personal information.
Right to deletion – Consumers have the right to request that a business delete all of the information they have on file about them. However there are nine exceptions to this right both under GDPR and similarly under the CCPA. Unfortunately, consumers will often try to use this right as a way of abusing the system or creating what they think will be a loophole.
For example, in Europe, a woman booked a ballroom for an event, paid the deposit, and held the event. Afterwards the hotel went to collect the remaining balance for the food, alcohol and ballroom rental. The woman refused to pay and sent a demand for them to delete the information they had on her, including her credit card information. She did this thinking she couldn't be forced to pay the remaining balance of the bill. When the hotel refused, she sent a complaint to the EU regulator. In the end, the regulator sided with the hotel, but it was a major headache and cause for concern for the hotel.
"You'll likely get similar requests that are absurd. Understand that it will happen and put a process in place to address those types of requests," Goldstein says.
Right to opt out – This refers to the consumers’ right to opt out of the downstream "sale" of their personal information.
Right to non-discrimination – Businesses can't deny goods or services to consumers who exercises their right to privacy.
The right to opt out and the right to non-discrimination provides a particularly troubling issue for hotel loyalty programs. In fact it’s impossible to comply, says Goldstein. For example, a hotel needs a person's stay information to be able to give them the benefits that come along with his stay from a loyalty perspective. There is currently an amendment pending that could exclude loyalty programs specifically, but if the amendment doesn't pass, this could put significant stress on loyalty programs.
What if everything goes wrong?
There are two possible outcomes.
1. In the case of a data breach, individuals will be given the opportunity to leverage a class action lawsuit on the basis of statutory damages. This means that consumers will not have to prove they suffered any damages, they will only have to prove their information was exposed and the company did not have reasonable security measures in place. Damages will range between $100-$750 per person per incident. So if 10,000 California residents are impacted by a breach, that's a minimum of $1 million besides all of the additional costs associated with data breaches.
Currently there is no guidance on what "reasonable security" means. Three years ago the attorney general in California said that CIS Controls were considered the minimum standard of security. So if hotels were to base their security on the CIS Controls, they may have some protection under the law.
2. The attorney general can come after hospitality companies for any breach of the law which will usually result in a fine. The hospitality company will be given 30 days before the fine is imposed to fix whatever the offense was.
For many hospitality companies, their partnerships with vendor members could pose a significant risk. However, the CCPA offers specific provisions that hotel companies can include in their contracts with service providers so that they are not liable if the service provider misuses the consumer data. This is a protection built into the law.
At the end of the session, the speakers provided 10 steps hospitality companies could take to minimize their risk. They include:
1) Assess your CCPA compliance
2) Complete CCPA assessments
3) Map the flow of personal data to perform key CCPA tasks
4) Streamline and comply with CCPA consumer rights
5) Meet the "Do not sell my personal information" requirement
6) Enable location specific cookie banners
7) Review vendors for CCPA contract obligation accountability
8) Comply with California data breach notification laws
9) Train employees
10) Enable reporting and metrics; keep evidence of consumer reports