GDPR: One Year Later
It all started across the pond, when the European Union’s 2018 General Data Protection Regulation (GDPR) took effect on May 25, 2018.
It mandated that companies do more to protect the personal data of consumers.
In short—if hoteliers marketed to European Union citizens without the proper permission, then they were in violation and could be fined.
How that might have looked in practice: if a hotel captured the email address of an EU citizen who used the wifi on property, and then sent that person a marketing email without having captured the proper consent, the hotel would be in violation.
Initially, the new law made hoteliers hit the panic button.
“Some hoteliers were rightly concerned,” said Stephen Rosen, Partner at Tambourine, “because they felt all of their existing data was at risk. Other hoteliers were concerned because they didn’t really understand what GDPR was or how to adhere to it operationally.”
In other words: they wanted to take it seriously, but they didn’t know how. And not knowing was scarier than the steps it actually took to be compliant, things like:
- Removing EU citizen email addresses from the existing marketing database.
- Updating website forms with proper consent language.
- Changing data collection policies at the front desk.
One year later, the fallout of GDPR can be seen in hefty lawsuits with the EU targeting deep-pocketed tech giants like Google and Facebook, as well as mega-chain Marriott (recently slapped with a $123 million fine for its 2018 data breach).
But what about U.S.-based independent hotels?
Well, the fact is, the cost of mounting an international lawsuit against a small business in the U.S. has likely discouraged many EU citizens from filing suit. And while that may work in the short term, change is on the horizon with the California Consumer Privacy Act (CCPA).
“If hoteliers didn’t get serious about GDPR, they may be in for a rude awakening when the California Consumer Privacy Act goes into effect in January 2020.”
Think of GDPR As A Fire Drill For The California Consumer Privacy Act (CCPA)
While GDPR was implemented across multiple countries, CCPA is currently implemented at the state level, with California paving the way with what will likely become the first in a series of similar legislation in states like Florida and New York.
While CCPA is limited to protecting California residents, all U.S. businesses are subject to compliance.
“My main concern with the California Privacy Act is that it’s very plaintiff-friendly in California,” said Rosen. “So on the day that the CCPA launches, the hotel industry should be ready to deal with lawsuits and complaints. Just like with ADA compliance, this creates an opportunity for an avalanche of lawsuits.”
“The good news,” says Rosen, “is that CCPA is fundamentally based on GDPR. So if you’ve done all of the hard work to comply with GDPR, then you should have a great head start before the law goes into effect.”
Understanding The California Privacy Act (CCPA)
Signed into law on June 28, 2018, the CCPA is a bill enhancing privacy rights and consumer protection for California residents. It takes effect on January 1, 2020. The CCPA provides Californians with the right to:
- Know what personal data is being collected about them.
- Know if their personal data is sold or disclosed, and to whom.
- Refuse the sale of personal data.
- Access/view their personal data.
- Obtain equal service and pricing if they’ve exercised their privacy rights.
The CCPA applies to all businesses and for-profit entities that collect consumers’ personal data, do business in California and satisfy one of the following:
- Annual gross revenues exceeding $25 million.
- Possession of personal information of 50,000 or more customers, households or devices.
- More than half of the annual revenue is derived from the sale of customers’ personal information.
Anyone familiar with the language of the GDPR requirements will see its commonalities with the CCPA. Some of a business’s responsibilities under the new law include:
- Providing methods for submitting data access requests, including a toll-free phone number, at a minimum.
- Placing a “Right to Say No to the Sale of Personal Information” link on the homepage of the business’s website, directing users to a page where they or an authorized agent can opt out of the sale of their personal data.
- Obtaining parental or guardian consent for minors under the age of 13, and affirmative consent from minors between ages 13 and 16, for data sharing.
- Refraining from soliciting data opt-in consent for 12 months after a California resident has opted out.
Weighing The Dangers
According to experts, CCPA compliance is not something to take lightly. Businesses will be fined up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
In addition, businesses that are victims of data breaches may face class action lawsuits in which they must pay between $100 and $750 in statutory damages per California resident and incident, or actual damages, whichever is greater.
Although the fines for companies in violation of the CCPA are lower than those under GDPR, the sheer volume of potential claimants is the thing to worry about.
In addition, the cost of filing a lawsuit here in the U.S. would be much lower for each plaintiff.
Ready, or Not?
One thing hoteliers learned definitively during their preparation for GDPR is that they need to take inventory of every channel where they might be collecting data. For instance, they need to consider not only how they collect data through their digital marketing (i.e., website and advertising), but also how they collect data through on-property or other offline channels (i.e., the front desk, guest wifi, etc.).