A raft of new data privacy laws have come into force over the past few years, and many have had a major impact on the hospitality industry. This January, hotels need to be aware of another piece of legislation — the California Consumer Privacy Act (CCPA).
Hot on the heels of Europe's General Data Protection Regulation (GDPR), the CCPA is regarded as one of the toughest data privacy laws in the US. In the following post, we'll explain what the CCPA is and how it might affect your hotel once it's introduced.
The California Consumer Privacy Act (CCPA) is a piece of legislation that has been created to protect the personal data rights of California residents. It passed into law on June 28, 2018 and comes into full effect on January 1st, 2020.
Which hotels does the CCPA apply to? The CCPA applies to all hotels that do business with Californian residents — even if that hotel is based outside of the state. However, hotels will only be affected if they meet one or more of the following criteria:
As such, only larger hotels and chains are likely to be affected.
The CCPA has many similarities with the GDPR. Both share the same broad intentions: to give consumers more ownership and control over how their personal data is collected, used, and shared.
It's worth noting that the financial penalties associated with the CCPA won't be as severe as those of the GDPR. While the maximum GDPR fines are either 20 million euros or 4% of gross revenue (whichever is larger), the CCPA will impose a fine of up to $7,500 USD for each violation.
While that should come as some reassurance, hotels should be prepared for a potential surge in opportunistic lawsuits (something we've seen happen following the Americans with Disabilities Act).
The CCPA doesn't go as far as the GDPR in scope, but it does contain a number of crucial differences worth highlighting. These include:
The similarities and differences of the GDPR and CCPA are fully outlined in a guide by DataGuidance and Future of Privacy Forum.
However, to summarize, here are some of the key privacy rights the CCPA will grant Californian consumers:
Consumers are now extremely sensitive to how their personal information is handled. And for good reason. In the travel industry alone, Marriott, Cathay Pacific, and most recently British Airways, have all been hit by hackers, leading to the personal details of hundreds of millions of customers being exposed.
Suffice it to say, as a hotelier, reassuring your own guests has never been so crucial.
The CCPA should be seen as a chance to do just that. By widely communicating that your hotel is fully compliant, you'll send out a clear message that you're protecting your guests' data and respecting their privacy. This will help you build trust and give consumers the confidence to book.
If your hotel has made all the necessary changes to be GDPR compliant, you're well on your way to meeting the CCPA regulations. But as mentioned, both pieces of legislation differ on specific details.
Below, we've outlined some of the practical steps you can take to protect your guests' data. However, we recommend seeking out legal advice to make sure that your hotel is fully compliant.
Following the introduction of the CCPA, your guests will have more control over their data. This may encourage some to ask what personal data you've collected from them and how you're using their data. They might also request that you delete their personal details. Your staff need to be confident and well-informed so they know how to deal with these situations in the appropriate manner.
Do you have a firm grasp on how your hotel collects, stores, and shares personal information? Now's the time to get crystal clear on these procedures. For clarity and robust compliance, you might want to create a document that shows the lifecycle of all your data flows. Include how data is collected and managed and make sure your staff understand and have access to this document for future reference.
As per our recent post on data protection, your hotel should conduct a comprehensive assessment of your digital security and IT infrastructure. An act of cybercrime could lead to a potential lawsuit and serious damage to your reputation. It's imperative that you identify any weaknesses in your system to reduce the chances of this happening.
Before the CCPA comes into effect, evaluate your partnerships with third-party suppliers, such as software companies and vendors. While most marketing software should be able to take care of the opt-in/opt-out process, this isn't guaranteed.
At Travel Tripper/Pegasus, ALL of our products will be fully CCPA compliant.
Following the introduction of the CCPA, other states across the US are planning to bring in their own data privacy laws. One thing is certain: the importance of protecting customer data is only going to grow. The steps you take today will help to safeguard your reputation and give your guests the confidence to book with you.
Nate Lane is a senior global director of business development, product development, and agency operations with 10+ years of experience driving growth and innovation as an "intrapreneur". He's an avid mountain biker, a coffee and craft beer enthusiast, and a proud family man.