The California Consumer Privacy Act (the "CCPA" or the "Act") is consumer privacy legislation signed by California Governor Jerry Brown on June 28, 2018, which goes into effect on January 1, 2020. The Act is widely regarded as the strongest privacy legislation enacted in the United States to date (although there are a number of contenders for that honor). It gives consumers substantially more power to control the collection and use of their personal data, and it is poised to have far-reaching effects on data privacy.
It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them small and mid-size businesses, for which the detailed requirements of the Act - disclosure and notice procedures, opt-out rights, updated privacy policies, and revised vendor agreements - are daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because they qualify as a "business" as defined in the CCPA, or because they are associated with companies - brands and management companies - that are subject to the Act. Hotel owners, managers and brands that have not yet grappled with the requirements of the CCPA need to move quickly to do so, or risk liability under the penalty provisions of the Act.
In early 2018, Alastair Mactaggart, a California real estate developer, led an effort to place a new privacy law - the Consumer Right to Privacy Act of 2018 - on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill - the CCPA - in exchange for an agreement to withdraw the more restrictive initiative from the November ballot.
The Act is aggressive. Its findings cite the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed, which highlighted that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians' right to privacy by giving consumers much more control over their personal information.
Because the Act was adopted so quickly, and because it was driven by the original ballot initiative, the Act as enacted lacks the kind of guidance that would help businesses understand how to implement its concepts. The California Attorney General has, as required under the Act, published proposed regulations intended to assist with compliance, but much more is needed before businesses can feel comfortable plotting a path to compliance. Our understanding of the Act, and of how businesses can comply with it, is likely to evolve over the coming years.
In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.
In the United States, there have historically been few limitations on the collection or use of personal data. There are some sector-specific exceptions - financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act, and children's information is addressed under the Children's Online Privacy Protection Act. But in general, personal information - names, addresses, and other identifying information - may be collected and used without significant restriction, and consumers have not typically objected.
The advent of computers, and the increased ability to collect, store, process and monetize information, has changed consumers' attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both through direct marketing and by sharing, or selling, the data to others. Along with these "legitimate" uses came less savory ones, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.
Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and thefts of guest data are regularly reported.
Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data - not just a limited selection of financial data, but a broad array of information, essentially anything that could be used to identify an individual. This includes not only names, addresses and other obvious data points, but also biometric and location data, which many of us do not realize is being collected.
The Act applies to many businesses, whether located inside or outside California. It applies to for-profit entities that collect and process the personal information (as defined in the Act) of California residents and do business in the State of California; a physical presence in California is not required to become subject to the Act. In addition, the business must meet at least one of the following criteria:
Moreover, the Act treats as part of a "business" any entity that controls or is controlled by a covered business and that shares common branding, such as a shared trademark or other identifier, with it. It is thus likely that a wide variety of hotels, hotel managers and hotel brands will have to comply with the Act.
In addition, the Act requires covered businesses to impose obligations on their vendors and service providers, and businesses that must comply with the Act cannot do so without the active participation of their business partners. Just as brands and management companies that became subject to the European Union's General Data Protection Regulation (the "GDPR") required hotel owners to assume burdens under the GDPR, they will require their owners to comply with the CCPA - even if the hotel itself might not fall within the purview of the Act.
Beyond the direct application of the law, the hotel industry needs to address its privacy and security concerns. This is a tall order - every major hotel company has been the victim of significant information breaches, and many have been victimized multiple times. At the same time, hotel companies rely heavily on the trust and loyalty of their guests. The drumbeat of negative publicity regarding the ability of hotels to maintain the security and privacy of guest information harms the reputation of individual hotels and of the hotel industry generally, even though one of the main commodities that hotels sell is trust - if guests do not believe they, or their personal information, are safe with a hotel, they will simply not patronize it. The issue goes beyond individual properties - it is an industry imperative.
Personal Information. The Act defines personal information broadly, to include any information that can be used to identify an individual, whether alone, or together with other information, or which can reasonably be derived from the information at hand. It specifically includes information like:
Consumer Protections under the CCPA. The CCPA provides four key rights to consumers:
The Act authorizes the California Attorney General to bring a civil action against a business found to be in violation of any provision of the CCPA that is not cured within 30 days of notice of the alleged noncompliance. The business may be subject to an injunction and a fine of $2,500 for each violation, or $7,500 for each intentional violation.
In addition to enforcement by the Attorney General, the Act gives consumers a limited private right of action if the consumer's nonencrypted and nonredacted personal information (as that term is defined for this purpose by reference to California's pre-existing breach notification law, a narrower and more conventional definition than the one used elsewhere in the CCPA) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of its duty to implement and maintain reasonable security procedures. In such a case, the consumer may recover statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.
Hotels that are subject to the requirements of the CCPA will need to implement new systems and procedures to comply with the statute. Among those steps are the following:
Data Mapping: Businesses need to identify all of the personal information pertaining to California residents and households that they collect, where they obtain it, where it is stored, who uses it, and for what purpose. Data mapping is an essential step: it gives a business the information needed to add the newly required disclosures to its privacy policies, to prepare for data access, deletion, and portability requests, to obtain the opt-in consent required before selling the personal information of minors under 16 (from a parent or guardian for children under 13), and to comply with opt-out requests from consumers.
Do Not Sell: The Act requires each business that sells personal information to provide a clear and conspicuous "Do Not Sell My Personal Information" link on its Internet homepage, as well as in its privacy statement and wherever it collects data, directing users to a web page that enables them to opt out of the sale of their personal information. If a business does not sell personal information, it must say so explicitly.
Access Requests: The Act requires each business to designate at least two methods for consumers to submit data access requests, one of which must be a toll-free telephone number. The business must respond to requests for data access, deletion, and portability within 45 days, so it will need to develop procedures for tracking and responding to requests, and for applying accepted verification procedures.
Verification: A business may only act on verified requests, so it must establish procedures for properly verifying the identity and authorization of persons who make requests for data access, deletion, or portability, and of those who opt out of, or opt back in to, the sale of their data.
Hotels and hotel companies that are subject to the CCPA and that have not started to implement compliance procedures should begin without delay. There has been talk of preemptive federal privacy legislation, but it is clear that nothing will be adopted before the CCPA goes into effect in 2020. Moreover, even if federal legislation is enacted, it will almost certainly include many of the same fundamental provisions as the CCPA, such as requirements for transparency, rights of access and deletion, opt-out of the sale and/or marketing use of consumer data, and potentially some form of non-discrimination clause.
Hotels should consider finding ways to use the CCPA, and compliance with the CCPA, to their advantage. Privacy, particularly when imposed by statute, is often seen solely as an expense, as a cost of doing business. Hotels can embrace privacy as a means of separating themselves from their competitors. In an environment where privacy is increasingly seen as an important asset, hotels can emphasize their commitment to the same values as their guests.
JMBM Global Hospitality Group®
1900 Avenue of the Stars, Seventh Floor
Los Angeles, CA 90067
Phone: (310) 203-8080
Fax: (310) 203-0567
Robert E. Braun
Robert Braun co-chairs JMBM's Privacy and Data Security Group and is a senior member of the Firm's Global Hospitality Group. Mr. Braun specializes in transactions with an emphasis on data security, privacy and information technology. Mr. Braun's practice includes establishing and developing strategies to implement computer software, cloud computing, computer hardware, communications and e-commerce solutions, designing and implementing privacy and security programs and protocols, and remediating security breaches. Mr. Braun has spent more than 20 years representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.