California’s new consumer data privacy law has far-reaching effects beyond Silicon Valley, meaning hoteliers in and outside of the state might fall under its jurisdiction.
REPORT FROM THE U.S.—When California passed its new data privacy law, legislators mostly aimed it at the tech companies based there, but the law applies to more than just Silicon Valley.
The California Consumer Privacy Act gives new rights to residents of California, such as being informed about the personal data companies collect about them and why. It also allows them to request the deletion of personal data, to opt out of the sale of personal information and to access personal information in a readily usable format. Under the law, personal information includes aspects such as consumers’ personal identifiers, location, biometric data, internet browsing history, psychometric data and any inferences companies might make about them.
The new data privacy law applies to companies that make at least $25 million annually in revenue and buy, receive, sell or share the personal information of 50,000 customers each year, said Robert Braun, partner and co-chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell. Hotel companies will need to comply with the law because, by the nature of their business, they are information banks, he said. It will also sweep up a number of hotel-oriented businesses, such as online travel agencies and reservation systems companies.
The law itself doesn’t go into effect until 1 January 2020, he said, and while that leaves time for companies to come into compliance, it also allows the law to become more complicated.
“This is definitely something you have to start thinking about,” he said. “You have to have a little bit of patience about it. The law itself anticipates and requires a number of regulations to be adopted. One key regulation to be adopted is if a consumer asks to see their information or to delete it, it has to be a verifiable request. That’s left up to the attorney general to determine.”
California’s new law isn’t as broad or detailed as the European Union’s General Data Protection Regulation, Braun said, so those who are compliant with the GDPR won’t have too difficult a time complying with this. The GDPR is based on certain principles, one of which is that an individual owns his or her own personal information and has the last say on how it’s used.
“If you look at how (California’s) law is written, they are really hitting that note as well,” he said. “Who has the ultimate right to the information? It’s the individual.”
However, there are broad gaps in culture and law in how things work in the U.S. compared to Europe, Braun said, so there’s likely to be some conflict between the two data privacy regulations.
Despite the fact that Americans have a healthy level of cynicism regarding their government, that is nothing compared to what it is in Europe, he said. The privacy laws there were driven by World War II and the Cold War, he added.
“They had regimes that were incredibly invasive to people’s privacy and that used it in extreme ways,” he said. “In the U.S., we don’t have that same history.”
At a high level, the California Consumer Privacy Act covers a number of issues regarding the sale of consumers’ data, HTNG CIO Patrick Dunphy said, and that’s something the GDPR doesn’t address as much at that level.
Similar to the GDPR, he said, many hospitality companies will need to adjust their business practices and software processes. They’ll need to determine how to address consumer complaints, requests for information and requests for deletions. Many of these issues are part of the GDPR, he said, so those who have made moves to comply with the EU regulation will be familiar with the path.
There’s an implied requirement under California’s law for companies to set up a toll-free number for consumers to call to address any issues they have under the law, Dunphy said. Companies will need to make sure their websites address the specifics of California’s law, and they need to have clear and concise policies regarding any data transacted with third parties between now and the 12 months preceding the consumer getting involved with the company.
“They need to evaluate their partnerships with other companies, including vendors and software providers, to see if any cascading requirements come with that,” he said.
The larger a company is, the more complicated it will be to handle all of this information, Dunphy said. Most marketing software can handle the opt-in and opt-out consent management, but other systems might not be able to. Companies should work with their vendors to request this functionality and implement it once it’s available, he said.
Beyond Silicon Valley
When something like this happens in California, it tends to have an effect on the rest of the country, Braun said. The state itself is big, both in its population and economy, but it has an extraterritorial aspect in that it protects Californian consumers wherever they might be. That means it’s not just California hotels dealing with California residents, he said, but any hotel across the country where a Californian is traveling.
Because of the size of California and its economies, most companies by default will serve a customer from California at some point, Dunphy said, which means all hotel companies will need to determine whether they need to comply with the law. While they might not reach the $25-million revenue threshold, collect data of more than 50,000 Californian residents or sell their data, it’s possible hotel companies’ relationships with brands, vendors and other third parties would make them need to comply.
“You need to be very careful when you evaluate those specifics as well as any new requirements moving forward,” he said.
When California makes large changes, other states tend to follow, Braun said. States such as Illinois, Massachusetts and New York are considering similar laws, he said.
Because of the recent data privacy scandals and the GDPR, other states and the federal government are taking a greater interest in consumers’ data privacy rights, Dunphy said. As more states adopt such laws, they won’t all be exactly the same, and those differences could be minor or much larger, making it difficult for companies to address them all.
As a result, many hotel companies will decide to comply with the most stringent regulations in their constituency, he said, even in jurisdictions with no privacy restrictions.
“That reflects the global nature of the hospitality industry and the reach of the internet,” Dunphy said.