European hoteliers are ahead of the U.S. hotel industry in complying with the European Union’s General Data Protection Regulation, but the culture around personal data protection in the U.S. is starting to change, both within the industry and state governments.
GLOBAL REPORT—The European Union’s General Data Protection Regulation went into effect in May 2018, but many companies outside of Europe are still playing catch-up.
The GDPR was implemented last year and every company it applied to should have been fully compliant by then, said Finn Schulz, principal at Schulz Consulting, an independent technology consultancy in the EU.
“The (U.S.) hotel industry more looked at it as a starting point,” he said. “Slowly, surely, they’re getting the processes in place.”
Because it was clear that the GDPR would apply to European hotels, European hoteliers are much further ahead in being compliant with the data privacy law, said Sandy Garfinkel, attorney at Eckert Seamans and chairman of the firm’s data security and privacy group. The U.S. hotel industry has been a mixed bag, with many companies conducting an analysis to determine whether they would need to comply with the GDPR. There was some resistance to the idea, he said.
Because many of the large hotel brands have international exposure, they realized a great deal of the personal data they collected would fall under GDPR protections. As a result, the brands have driven a lot of the change in the U.S.
“They saw a lot more potential exposure and decided, for the most part, to make their systems compliant, which included franchisees in some forced compliance behaviors,” he said. “In the U.S., GDPR culture started from the top down from the brands and made its way down to compliance at the hotel level among individual owners and managers.”
One of the requirements of the GDPR is the right to be forgotten, which means requesting personal data be deleted. When someone in the EU makes such a request, he or she typically sends that request to the larger brand company, Garfinkel said. The brand will take the steps it needs to delete that information from their reservation and management systems, but it will then forward that request to the individual hotels where those guests stayed, he said.
“That’s happening more and more now,” he said. “The brands are directing responses, which are coming in more and more frequently. The hotels feel compelled to participate because of the brands’ demands.”
Lessons from GDPR
GDPR has changed the general culture in the U.S. regarding personal data privacy, Garfinkel said. One example of this is how hotel companies are approaching the data they’ve kept on guests, he said. Through their own marketing departments and third-party marketing companies, hoteliers have collected vast stores of information about guests they never thought about before, he said.
“Suddenly, they have to pay attention to that,” he said. “They’re keeping the data too long. Somebody with a request comes in, and hotels have ask themselves, ‘Are we able to find it and delete it or modify it as the GDPR requires?’”
The hotel industry is now thinking about the data it collects in ways it never had to think about it before, he said. Hoteliers now must know where the data is kept, how accessible it is and whether it can be changed in its current system, he said.
Data processing agreements are also undergoing a shift, Garfinkel said. In every contract, there’s some degree of data security language that would end up in agreements between hotel companies or with vendors, he said. Now there’s a mandated formulated language for those contracts, which means hotel companies are suddenly paying attention to this section of the contracts, he said.
“If a European supervisory authority comes knocking and wants to audit a company, do you have the right data processing agreements with anyone who touches the personal data you do business with?” he asked.
Not every U.S. hotel company has felt compelled to fully comply with the GDPR in the strictest sense, Garfinkel said. That’s likely due to some of those companies determining they don’t have the budget to go through the entire compliance protocol or doesn’t think it should have to, he said. Instead, they likely do some patchwork compliance, handling what is most visible to everyone else and responding to the most frequently seen issues, he said.
Those who have gone through full compliance have found that once they’re up and running with their systems, maintenance is much less burdensome than the process of becoming compliant, he said.
“Now that it’s in place, monitoring and updating is a much more minor task,” he said. “It does have to be attended to, but the infrastructure is in place.”
One of the side effects of having better personal data security measures in place as a result of the GDPR is the public’s general trust in complying companies increases, Schulz said. Most companies that comply see the privacy regulation as a burden that requires extra work and makes marketing more difficult, he said. However, they’re also starting to see this will help sustain their companies.
“If you’re not treating guests’ personal data with respect, you can lose them,” he said.
It’s a balance to get the benefits out of the GDPR, he said. Hotel companies should have a label to state they are GDPR compliant, he said, adding that data privacy is being seen as “the new green.”
“People are understanding that it has a value,” he said.
New data protection laws
Schulz was part of HTNG’s workgroup on GDPR, which will now look at global privacy regulations, he said. The group is just starting and is identifying the different governments with new laws in the works or going into effect, he said. California’s new Consumer Privacy Act is the next data protection act to go into effect and is the most comprehensive outside of the GDPR at the moment, he said.
Other states and Washington, D.C., are considering data privacy laws as well, he said.
China currently has a privacy group, he said, and Russia and Brazil are also considering data privacy legislation.
Similar to GDPR, the CCPA isn’t confined by the borders of the state, Schulz said. Within certain revenue thresholds and business practices, the law applies to any company doing business with a California resident or household, giving it geographic scope akin to the EU regulation. The California government approved the law in June 2018, and it will go into effect 1 January 2020.
Companies that paid attention to the GDPR are ahead of the game, or at least will be, when coming into compliance with the CCPA, Garfinkel said. Though the two laws aren’t exactly the same, the infrastructure put in place for the GDPR will help.
“There are already studies and articles out that indicated that companies that are GDPR-compliant will have an easier time complying with the CCPA,” he said.
The personal information protected under the CCPA is broadly defined, and the term California consumers is broadly defined as well, he said. There is an amendment that would remove employees from that definition, but it hasn’t passed yet, he said.
“I think there are companies that can safely escape the reach of the CCAP because they don’t meet any of the three threshold criteria because they don’t have sufficient connection to the state, but by and large in the hotel industry … many are finding out they connect with California sufficiently will be brought under the auspices of this law,” he said.
Though the effective date approaches, there is still unsettled business in terms of what the CCPA will ultimately look like, Garfinkel said. There will be both pro-consumer and pro-business clarifications issued as well as a vote on the aforementioned vote on whether employees are included in the protections, he said. Other states are watching what California is doing and will benefit from the growing pains the CCPA is undergoing when they consider their own pieces of legislation, he said.
“The ripples started with GDPR with extraterritorial application, he said. “California is often the trendsetter among U.S. states in many respects, particularly with consumer laws. We will see over the years coming in the future a lot of states will implement something much more demanding than what the current data privacy and security infrastructure looks like.”