The question of data privacy was top-of-mind at the recent Georgetown University Annual Hotel & Lodging Legal Summit. The second annual event took place in Washington, D.C., from October 24-25. More than 200 participants represented hotel owners, management companies, outside counsel and lodging-related businesses.
The security of hotel guests’ sensitive information was the topic in what the agenda described as “An Overview of How Data Privacy Laws Governs Hotels’ Collection and Use of Guests Information.” Collecting guest information is par for the course for hotels. They use this data for everything from marketing to loyalty to improving and customizing customer service. The Summit’s agenda notes, “Every hotel operator should understand data privacy laws regulating the collection and use of a guest’s information."
However, the consensus from the panel was that there are no easy answers for staying on the right side of the law when it comes to data privacy. The panel was moderated by Chris Zoladz, founder of Navigate LLC, a Germantown, Md.-based consultant on compliance issues. He was joined by Harvey Kellman, VP & Assistant General Counsel, Marriott Intl.; Douglas H. Meal, Ropes & Gray, LLP; Federal Trade Commission (FTC) attorney John Krebs; Cynthia O’Donaghue, Reed Smith, LLP; and Kim E. Richman, Reese Richman, LLP.
At the outset of the discussion, Zoladz asked the audience if they had ever dealt with privacy issues. About a quarter of the audience raised their hands.
"There’re a lot of privacy implications for the lodging industry," Zoladz states. Referring to FTC cases against Facebook and Google, he adds, “Thankfully we’re not in the press, at least not very often."
In June of last year, the FTC filed a complaint in U.S. District Court against Wyndham Worldwide Corp. and three subsidiaries for alleged security failures that resulted in fraudulent charges on consumer accounts. According to the FTC, the hotel franchisor had misrepresented that its data was secure, and had been cited for three breaches in less than two years.
Wyndham is one of the few hotel companies charged with unfair and deceptive practices for privacy violations under Section 5 of the FTC Act. In a motion filed this year to dismiss the complaint, the company asserted that the FTC lacked regulatory authority. The FTC has opposed the motion and oral argument before the District Court of New Jersey was scheduled for November 7.
The worth of data
There has been a shift in the perception of the value of guest information, one panelist indicated. “The days are long past when two sophisticated negotiators would simply argue over who owns it,” says Marriott’s Kellman. “A guest’s information today is both an asset and a liability, which raises questions of responsibility for data breaches.”
Kellman found nothing wrong with the practice of collecting a customer’s information, however. "A highly personal guest experience isn’t just about pillow preferences," he explained; it would also include food allergies, disabilities, and serious medical data. “Obviously, don’t feed a guest peanuts if he’s allergic to them,” he warns. Rather, Kellman advises proceeding with caution. Moderator Zoladz emphasized the importance of the industry having the "proper controls to make sure information is protected."
Maintaining compliance for safeguarding intel
The FTC’s John Krebs said hoteliers should "take reasonable steps" to know what they are collecting, how they are using the data, what they are saying in collecting it, and how they are dealing with third-party controls. What’s more, they may not understand a third party's technology and may not describe it properly in privacy disclosures.
The FTC reviews every complaint on alleged violations of privacy laws, said Krebs, but not every one results in an investigation. The FTC has revised COPPA (Children’s Online Privacy Protection Act), which requires parental consent for disclosure of data on children up to age 13, Krebs said, and hoteliers should review their marketing practices for compliance. “Even though we’re not marketing to kids," Zoladz comments, “some hotels and resorts collect information such as their age and allergies for children’s programs.”
There are no simple solutions to avoid running afoul of the law, said Marriott’s Kellman. “A hotel may hire a ‘trusted third party’ for e-mailing, but a breach might happen despite adequate security and due diligence," he notes.
In a case study example, Zoladz asked the panel: if the hotelier owns all customer data on transactions, must it share the data in co-marketing? "The hotel company can’t cede ownership of guest data to a franchisee," Marriott attorney Kellman replied. "The owner has the right to reap the benefit; the brand owns the data."
As for a takeaway point, Counsel Jeffrey Leiser of the Waterford Group, Stamford, Conn., which manages hotels, said, "We need to reevaluate our internal policies for potential exposure and keep on top of them from year to year. Things can change."