New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020
By Robert E. Braun, Partner, Jeffer Mangels Butler & Mitchell, LLP
On November 3rd, Californians voted to approve Proposition 24 which amends the California Consumer Privacy Act to include expanded consumer rights and greater privacy protections.
Bob Braun, senior member of JMBM's Global Hospitality Group® and Co-Chair of the Firm's Cybersecurity & Privacy Group, explains the major provisions of the Act and discusses the challenges hotels face as they look to address its requirements.
Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the "CPRA") isn't one of them. The California electorate approved Proposition 24 by a comfortable margin - 56% of Californians voted in favor.
Like its predecessor the California Consumer Privacy Act of 2018 (the "CCPA"), the impact of the CPRA won't be felt immediately. It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study. But hotel companies with a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.
New Sheriff in Town
Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations. This makes California the first state with an agency focused solely on enforcing privacy laws. This new agency will replace the California Attorney General in interpreting and enforcing the CCPA. The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.
Select Key Provisions
The CPRA is an extension and modification of the CCPA. It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA. The result is that hotel companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA, and any firms that have not yet considered CCPA compliance have a steep learning curve. Key provisions include:
- Sensitive Data. The CPRA adds a definition of "sensitive data," which includes government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation, and allows consumers the ability to limit the use and disclosure of sensitive data. Notably, many of these categories of data are likely to come into the possession of hotel firms.
- Data Breach Liability. The liability for data breaches under the CCPA has been expanded to include a private right of action for unauthorized access to or disclosure of an email address together with a password or security question that would permit access to an account, if the hotel failed to maintain reasonable security. Thus, hotels that rely on loyalty programs and automated check-in programs can be fertile soil for class actions. Given the prominent role of hotels in the data breach landscape, the stakes for hotel companies doing business in California are much higher.
- Annual Audits and Risk Assessments. Under regulations to be adopted by the new Agency, businesses that undertake high-risk processing will be required to have annual audits and regular risk assessments. In particular, such regulations would require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit annually. For an industry currently suffering financial stress, this is an unwanted additional cost and liability.
- Automated Processing Limitations. A new concept of "profiling" has been added to the CCPA, consisting of "any form of automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements." The Privacy Agency is required to develop regulations addressing access and opt-out rights for this kind of technology, similar to the requirements of the EU's General Data Protection Regulation. Again, hotel companies rely on the development of consumer profiles for marketing purposes, and the CPRA could have an oversized impact on hotels.
- Limits on Sharing Personal Information. In addition to restrictions on the sale of personal information, the CPRA extends many of those limits to the "sharing" of personal information. This change will expand the obligations of companies to comply with opt-out and similar requests. Since the hospitality industry has many intertwined relationships depending on the sharing of data, these new rights will fall heavily on hotels and companies associated with the hospitality business.
- Data Minimization. Similar to the GDPR, the CPRA adds concepts of data minimization, requiring companies to limit the personal information they collect to the type of information that is necessary for their operations, and to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
- Service Providers, Contractors and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. In particular, the CPRA adds and revises existing definitions in the CCPA, and adds a new definition for contractors, which focuses on the business providing data pursuant to a written contract, prohibiting the contractor from sharing or selling the personal data, processing it for any purposes other than those specified in the contract or combining it with data received or collected through other means, with some limited exceptions. Moreover, the CPRA contractually extends the data protection obligations of the act to service providers, contractors and third parties, and requires service providers and contractors to cooperate with and assist businesses in providing requested personal information in response to consumer requests, and complying with correction or deletion requests. As with the new rules on sharing of data, hotel companies will need to reconsider their various relationships to ensure that they do not run afoul of the new requirements.
What Should You Do Now?
As we learned from the CCPA, an effective date in two years is a short time when it comes to compliance with complex privacy laws. Hotels will need to take concrete steps to comply with the CPRA, including:
- Data Inventory. The requirements for identifying sensitive personal information and establishing policies for the treatment of sensitive personal information, including homepage links and opt-out procedures, make data mapping one of the most important first steps to comply with the new law. Similarly, a hotel company needs to determine if its use of personal information constitutes profiling under the CPRA, and if it does, adopt policies and procedures for the disclosure, use and opt-out of automated decision-making technology. Compliance with the CPRA is impossible without a firm knowledge of the hotel's data profile.
- Upgrading Systems and Network Security. The expansion of the private right of action for unauthorized access to email addresses, passwords and security questions makes a review of existing systems and network security essential. Watch for hotel brands to impose additional cybersecurity obligations on owners to comply with these requirements.
- Data Retention. Now is the time to review and update data collection and retention policies. Hotels have good reasons for collecting and retaining data, but the CPRA demands that they be rationalized and documented.
- Vendor and Third Party Agreements. As noted above, the revisions to authorized arrangements with vendors, contractors and service providers make updating agreements with third parties that collect or use personal information for the company a high priority. Given the wide variety of vendors used in the hospitality industry - OTAs, employment companies, training facilitators, point-of-sale platforms and more - this work cannot be deferred.
These are, of course, just the beginning steps to compliance with the CPRA. For hotels that have not yet addressed their obligations under the CCPA, a full compliance program will be necessary, and as we have learned, two years may be just enough time to do so.
The JMBM Global Hospitality Group, in coordination with the JMBM Cybersecurity and Privacy Group, works with hotel companies throughout the world to assist in compliance with privacy and data security requirements. For more information on our services, contact Robert Braun ([email protected]) or Jim Butler ([email protected]).
Further information about cybersecurity issues
If this article was of interest, you may also wish to read other articles by Bob Braun on "Data Technology, Privacy & Security," which include the following:
- Hotel Managers and Owners Be Warned - You are Responsible for Your Hotel's Data Security
- The California Consumer Privacy Act - What Hoteliers Need to Know Now
- Avoiding Hotel Data Breaches With a Risk Assessment Audit™ - Lessons From the Marriott International "Glitch"
- California Adopts the California Consumer Privacy Act of 2018
- GDPR: What you need to know about the EU's new data privacy rules
- Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?
- Hotel Cybersecurity: Protecting your guests and your property from vendor data breaches