Earlier this year, Hospitality + Leisure Trend Watch published an article exploring the impact of the EU General Data Protection Regulation (GDPR) on hospitality and leisure (“hospitality”) brands. Travel brands operating in the United States must also comply with the U.S. privacy framework.
Personal information is a rich tool enabling the hospitality and leisure industry to understand and drive loyalty and behavior, personalize customer experience, and differentiate their brands. Evolving technologies and partnerships with established businesses and new entrants offer exciting ways to amass and leverage personal data, creating opportunity and risk. This article explores the intersection of industry trends, technology and the U.S. privacy framework.
U.S. Privacy Framework
Unlike the EU, the U.S. has no national privacy law. Instead, federal or state sectoral laws apply. In certain circumstances, including marketing, brands may be subject to applicable industry self-regulatory codes.
The U.S. also lacks a national data protection authority. Instead, the U.S. Federal Trade Commission (FTC) aggressively exercises its broad consumer protection powers under Section 5 of the FTC Act to protect individuals from deceptive or unfair privacy practices. The FTC’s framework is based on Fair Information Practice Principles, with notice and choice at the core. The FTC is empowered to enforce some statutes, including the Children’s Online Privacy Protection Act (COPPA) and the federal “CAN-SPAM” (anti-spam) Act. The FTC’s enforcement actions, reports and best practices offer guidance about what it considers to be a “reasonable” privacy or cybersecurity practice. Therefore, hospitality brands should be familiar with these decrees, reports and best practices. Class action lawyers closely monitor developments, paying particular attention to settlement remedial measures and best practices to inform legal theories.
In the absence of federal law, several states have effectively established national requirements (e.g., California – privacy policies; Massachusetts – information security policies; Illinois, Texas and Washington – prior consent for biometrics). Forty-eight states, D.C., Guam, Puerto Rico and the Virgin Islands have prescriptive data breach notification laws. Separately, the National Advertising Initiative and Digital Advertising Alliance enforce self-regulatory codes for online marketing and other practices against members, with referrals to the FTC in certain circumstances.
Living in the Future
“Big data,” artificial intelligence (AI) and machine learning enable brands to understand behavior, including how and where people spend money and previously unforeseen patterns and anomalies in reservations, destinations and other activities. This information is aggregated by new entrants offering valuable intelligence to enable fully integrated, personalized experiences. These businesses may use lodging, ride sharing, entertainment, fitness, in-room and other data for booking, notifications, alerts or other services. Facial recognition and voice biometrics may be used for identity authentication or to offer predictive customer service. This confluence of data, technology and new partnerships enhances the customer experience. It also exposes intimate details about customers’ daily lives, which, in turn, exposes them to potential identity theft, cyber and other crimes. The law has not kept up, and the lack of legal or regulatory bright lines can actually increase legal exposure. As a result, general counsel wrestle with uncertainty about the rules for collecting, sharing, aggregating and using personal data. Understanding the data ecosystem is essential to formulating an effective compliance strategy.
The Internet of Things
The IoT is the system of interconnected devices with the physical world (e.g., vehicles, point of sale devices, TV monitors, wearables, personal devices) with software, sensors and internet connectivity that enable these objects to capture and exchange user data. Any device connected to the internet is subject to misuse; even de-identified pieces of IoT data can be combined to identify an individual and expose their information. If a hacker steals this data, or if an algorithm makes the wrong assumption about a customer, liability for resulting harms may be unclear.
Relatedly, in the interconnected travel ecosystem, a hotel or booking website may be the only business with a direct customer relationship. As more back-end service providers partner with consumer-facing hospitality brands, who is responsible for providing notice and implementing customer choice? Hospitality brands must know their own data practices in relation to those of their business partners, including “what,” “how,” “with whom” and “where” data is collected, stored, shared and secured. Adequate vendor due diligence must also be performed. Once data relationships and practices are understood, hospitality brands will be better positioned to contractually structure, establish and manage privacy obligations in compliance with the U.S. privacy framework.
Another area of risk for hospitality brands partnering with third parties involves email or text message marketing. This activity is regulated by CAN-SPAM – enforced by the FTC, and the Telephone Consumer Protection Act (TCPA – enforced by the Federal Communications Commission (FCC) and by private class actions. The lynchpin of both laws is consumer control over their data. CAN-SPAM requires all commercial email messages to include an easy “opt-out” from receiving such future messages, which businesses must honor. Noncompliance can result in fines of up to $40,654 per violation. The TCPA requires prior written “opt-in” consent to receive commercial text messages. The TCPA’s private right of action and potential for significant damage awards, ranging from $500 to $1500 per violation, makes it fertile ground for class actions. The FCC may seek penalties of up to $11,052 for each violation, or $33,156 for each day of a continuing violation, up to a statutory maximum of $1,105,241. The proliferation of interconnected partnerships can enhance risks to hospitality brands when implementing marketing campaigns. Understanding respective marketing practices, particularly for joint campaigns, may make it possible to reduce risk by contractually binding third-party partners to CAN-SPAM and TCPA compliance.
The FTC requires enhanced protections for mobile applications such as those used for loyalty cards, member rewards and online check-in. These apps must give “just-in-time” notice and get “affirmative express consent” before collecting geolocation or financial data.
Children’s Data – A Cautionary Tale
COPPA imposes numerous obligations on sites and services directed at children under the age of 13, including obtaining “verifiable” parental consent before collecting “under-13” personal data. Violations are enforceable by the FTC and state Attorneys General, and can result in fines of up to $40,654 per violation and intrusive FTC oversight for up to 20 years. COPPA also applies to sites or services that may not be child-directed if the operator knows that it collects personal information from children under the age of 13. In 2014, Yelp settled charges with the FTC for allegedly collecting information from children under the age of 13 who gave Yelp personal information without first obtaining parental consent. Hospitality sites, online services and mobile apps can similarly attract children and offer opportunities for them to share personal data even if the site or service does not target children. The FTC has a history of aggressive enforcement against child-directed and general audience sites and services. COPPA noncompliance should be considered high risk. Hospitality brands should know when they collect information directly from “under-13” children (or if a third party does so on their behalf), and have a COPPA compliance strategy at the ready.
Build a Wall – and Implement Internal Security Measures
Hospitality brands are attractive targets for cybercriminals because they hold valuable information including travel documentation, payment card, gender, employment and other demographic data. In addition to potential breaches, bad actors have launched brazen ransomware attacks, like locking down digital room keys and demanding payment. Neither the courts nor regulators demand perfect security, but they do expect companies to implement “reasonable” data security measures. In In the Matter of LabMD, Inc., the FTC articulated what it believes constitutes reasonable security, including employing adequate risk assessment tools; monitoring networks for unauthorized intrusion or exfiltration; requiring strong employee passwords for network access; conducting employee data security training; and restricting or monitoring what employees download on work computers.
We need look no further than FTC v. Wyndham Worldwide Corporation, et al.—in which the payment card data of thousands of customers was exposed in three separate breaches—to understand that security incidents can lead to significant legal and reputational harm. Hospitality brands should implement data security measures that reflect the FTC’s guidance “reasonable” security and routinely review and update policies and procedures in light of legal or technology developments.
Hospitality brands that are subject to the patchwork of laws, regulations and best practices that comprise the U.S. privacy framework can manage privacy impacts and legal risk as follows:
- Develop a business strategy that limits data collection to what is necessary to achieve business objectives.
- Know where data is stored and understand jurisdictional requirements.
- Provide notice (consistent with the standards for prior written or just-in-time consent) and implement procedures for honoring customer choice.
- Update privacy policies and marketing materials for new products, services and changes in data practices.
- Perform privacy due diligence on all vendors that access or with whom you share customer data; manage privacy and legal risk by clearly assigning relevant obligations through enforceable contract terms.
- Assess whether you, third party partners or vendors collect information from children under the age of 13; determine if you should implement COPPA controls or if compliance can be contractually assigned to partners or vendors.
- Develop and implement reasonable data security measures without inadvertently creating new vulnerabilities.