A raft of new data privacy laws have come into force over the past few years, and many have had a major impact on the hospitality industry. This January, hotels need to be aware of another piece of legislation — the California Consumer Privacy Act (CCPA).
Hot on the heels of Europe’s General Data Protection Regulation (GDPR), the CCPA is regarded as one of the toughest data privacy laws in the US. In the following post, we’ll explain what the CCPA is and how it might affect your hotel once it’s introduced.
The California Consumer Privacy Act (CCPA) is a piece of legislation that has been created to protect the personal data rights of California residents. It passed into law on June 28, 2018 and comes into full effect on January 1st, 2020.
Which hotels does the CCPA apply to? The CCPA applies to all hotels that do business with Californian residents — even it that hotel is based outside of the state. However, hotels will only be affected if they meet one or more of the following criteria:
They receive annual gross revenues of at least $25 million
They collect, buy, receive, share, or sell personal data of at least 50,000 California residents each year (this includes households and devices)
At least 50% of their annual revenue is generated from selling the data of California residents.
As such, only larger hotels and chains are likely to be affected.
How does the CCPA differ to GDPR?
The CCPA has many similarities with the GDPR. Both share the same broad intentions: to give consumers more ownership and control over how their personal data is collected, used, and shared.
It’s worth noting that the financial penalties associated with the CCPA won’t be as severe as those of the GDPR. While the maximum GDPR fines are either 20 million euros or 4% of gross revenue, (whichever is larger) the CCPA will impose a fine of up to $7,500 USD for each violation.
While that should come as some reassurance, hotels should be prepared for a potential surge in opportunistic lawsuits (something we’ve seen happen following the Americans with Disabilities Act).
Key differences in detail
The CCPA doesn’t go as far as the GDPR in scope, but it does contain a number of crucial differences worth highlighting. These include:
Personal information under the GDPR relates to EU citizens/consumers, but the CCPA extends personal information to include both the consumer and household.
The CCPA has firmer restrictions for the commercial sharing of personal information
A core component of the GDPR is that a “legal basis” is required for the processing of all personal data. This is not the case for the CCPA.
The CCPA requires that the homepage of the business includes a link with the title “Do Not Sell My Personal Information”. However, this only applies to businesses that sell personal customer information to third parties.
The similarities and differences of the GDPR and CCPA are fully outlined in a guide by DataGuidance and Future of Privacy Forum.
However, to summarize, here are some of the key privacy rights the CCPA will grant Californian consumers:
The right to opt-out of their personal information being sold
The right to request information
The right to request deletion of their personal information in certain circumstances
Addressing guest concerns: the age of data uncertainty
Consumers are now extremely sensitive to how their personal information is handled. And for good reason. In the travel industry alone, Marriott, Cathay Pacific, and most recently British Airways, have all been hit by hackers, leading to the personal details of hundreds of millions of customers being exposed.
Suffice to say, as a hotelier, reassuring your own guests has never been so crucial.
The CCPA should be seen as a chance to do just that. By widely communicating that your hotel is fully compliant, you’ll send out a clear message that you’re protecting your guests’ data and respect their privacy. This will help you build trust and give consumers the confidence to book.
Top tips to be CCPA compliant
If your hotel has made all the necessary changes to be GDPR compliant, you’re well on your way to meeting the CCPA regulations. But as mentioned, both pieces of legislation differ on specific details.
Below, we’ve outlined some of the practical steps you can take to protect your guests’ data. However, we recommend seeking out legal advice to make sure that your hotel is fully compliant.
Know how to handle requests for data
Following the introduction of the CCPA, your guests will have more control over their data. This may encourage some to ask what personal data you’ve collected from them and how you’re using their data. They might also request that you delete their personal details. Your staff need to be confident and well-informed so they know how to deal with these situations in the appropriate manner.
Create a data collection document
Do you have a firm grasp on how your hotel collects, stores, and shares personal information? Now’s the time to get crystal clear on these procedures. For clarity and robust compliance, you might want to create a document that shows the lifecycle of all your data flows. Include how data is collected and managed and make sure your staff understand and have access to this document for future reference.
Conduct an assessment of your security and IT infrastructure
As per our recent post on data protection, your hotel should conduct a comprehensive assessment of your digital security and IT infrastructure. An act of cybercrime could lead to a potential lawsuit and serious damage to your reputation. It’s imperative that you identify any weaknesses in your system to reduce the chances of this happening.
Work with partners that are compliant with the CCPA
Before the CCPA comes into effect, evaluate your partnerships with third-party suppliers, such as software companies and vendors. While most marketing software should be able to take care of the opt-in/opt-out process, this isn’t guaranteed.
At Travel Tripper/Pegasus, ALL of our products will be fully CCPA compliant.
Time to prepare for the California Consumer Privacy Act
Following the introduction of the CCPA, other states across the US are planning to bring in their own data privacy laws. One thing is certain: the importance of protecting customer data is only going to grow. The steps you take today will help to safeguard your reputation and give your guests the confidence to book with you.