What Hotels Need to Know about the California Consumer Privacy Act

Data privacy laws can be daunting for hoteliers. They can be hard to understand even if you have a background in data. Last year, we broke down GDPR for hoteliers. Today, we’re tackling a similar piece of legislation, the California Consumer Privacy Act for hotels.

It’s important for hoteliers to understand that these laws are a good thing. The implementation of data privacy laws ensures guest confidence. They’re also a great time to reflect on your practices and make updates which will give your guests more confidence when staying with you and giving you their personal data.  In fact, GDPR, which was feared by many European hoteliers, may have helped hoteliers, not hurt them.

The California Consumer Privacy Act (CCPA), explained

The California Consumer Privacy Act, signed into law on June 28, 2018 is a bill designed to protect the rights of California residents when it comes to how their personal data can be used. It includes the following requirements for data collection and how that may affect hoteliers. The law is set to go into effect January 1, 2020, but it will include a one-year lookback. This means you will need to be able to explain any data you have collected on a guest since January 1, 2019.

,

The right to know what data is being collected about them

This simply means you must disclose to the customer the categories and specific pieces of personal information the business has collected and what they will be used for. To stay in compliance, it’s important for you to update your privacy policy and make sure you know what you are collecting.

For example, IP address and device identifiers, which help you store “proof” of consent in DOI campaigns, are considered personal data, and thus need to be disclosed to the person you are capturing it from.

The right to access their personal data

Guests will have the right to know and receive access to any data you have collected about them. If you’re a Revinate customer, you’re already covered.  Both our Guest Feedback and Marketing products offer this feature. You can provide this information on the property or group level.

The right to erase their personal data

Simply put, this means that guests have the right to have their profile and all related data erased.  This essentially erases that guest’s entire existence with that hotel. Revinate Marketing and Revinate Guest Feedback offer properties the ability to delete a guest from its records. Deleting a guest means:

• They will no longer appear in segments, stats or the guest database
• They will be added again if they make a new reservation
• They will be added to a log of deleted guests
• The property will be reminded to remove the guest from the Property Management System

Again, our Support Team will also be able to do this on the backend for both Revinate Marketing and Revinate Guest Feedback upon request.

The right to opt-out of data selling

This gives guests the option to choose not to allow their data to be sold and to receive the same service for the same price as those who do not opt out. This aspect of the law shouldn’t apply to hotels. Hoteliers aren’t likely to sell guest data and guests should receive the same service whether they opt out of you selling their data or not.

Do I need to get proof of consent to market to my guests?

No. Double opt-in campaigns are not required. Unlike GDPR which aggregated and replaced a series of other privacy laws, CCPA is intended to be applied alongside existing state and federal privacy laws, such as CAN-SPAM.

What fines can I expect with CCPA?

We have good and bad news for you. The good news? The fines are not as heavy as with GDPR. GDPR has strict fines for repeated and flagrant misuse of private data: 20 million euros or 4% of gross revenue (whichever is larger). For CCPA, the fines are significantly smaller. However, the biggest concern in California is the potential for civil suits, which could potentially go to court for millions, not to mention the headache of a civil suit.

Does CCPA apply to me?

CCPA only applies to businesses that fulfill at least one of the following criteria:

• Receives the personal information of at least 50,000 California customers per year
• Has annual gross revenue in excess of $25 million
• Derives 50 percent or more of its annual revenues from selling consumers’ personal information

CCPA and other laws

I did a lot of work for GDPR…that will cover me, right?

No. While these are both data privacy laws and both are designed to protect the rights of consumers, they differ in the details. You should do your due diligence and ensure you are complying with both laws, and your privacy policy is updated as such. There are some similarities: the right of access, right to erasure, and clearer measures of showing which data you are capturing and why exist in both. However, there are differences. Be sure to consult legal counsel to make sure you are in compliance.

More similar laws are on the way

You may wonder if this will be the last data law you have to update policies for. The answer, most likely, is no.  Canada is reassessing their data privacy laws and quite a few other states and countries are currently working on similar laws of their own. The tide of increased consumer privacy is just beginning, so expect more laws to come. The good news is, Revinate is here to help you track your guest data and keep it secure.
As always, please seek legal advice from a professional to ensure you are in compliance.