There is a give-and-take relationship between a consumer and a business. A fact that is known but seldom emphasized is that, while opting for a particular service from a business, a consumer inadvertently shares certain personal information or details about themselves. In this way, a business can easily collect specific information about a consumer, which might come across as an intrusion or a breach of privacy. With this privacy protection in mind, California has passed a consumer privacy law, commonly known as the California Consumer Privacy Act (CCPA).
This new privacy law, the Consumer Privacy Act (AB 375), was passed by California in late June 2018. Taking effect from January 1, 2020, with a further six months’ grace period for its actual enforcement and proper implementation, this bill would “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used.” In short, according to this law, a customer has the right to ask a business to delete some personal information. As per the directive, “As the role of technology and data in every day lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” All in all, the challenge is to secure private data and protect it against breaches.
This law prioritizes the protection of private information and endows a customer with some high-end privileges:
• It will enable the customer to demand to see what information a company has saved about them.
• It will also allow the consumers to view the full list of the third-party apps with which their information is shared.
• It will allow the customers to sue a company if it violates its privacy guidelines, even if there is no breach.
• Californians can easily say no to the sale of personal information or ask for its
• They can still opt for equal service and price, even while they stick to exercising their privacy rights.
• Consumers can always opt-out of a particular service and the business cannot retaliate by changing their price.
[Note: Companies do not have to be present in California to abide by the law. In fact, they are not even required to be based in the US.]
The European General Data Protection Regulation (GDPR) took effect in May 2018, controlling how companies and organizations can handle personal data. It surely has wider implications, but while the CCPA follows somewhat the same lines when it comes to the protection of private data, it also goes a step further by empowering users with new rights, such as requesting that a business delete personal information or opting out completely of the sale of data through third-party applications. GDPR, on the other hand, controls how companies and websites should handle their data and requires that they obtain prior consent from the user before processing any personal data.
While GDPR is more of a ‘privacy by default’ framework for the EU, CCPA is more about creating ‘transparency.’ Again, while GDPR locks the door for users by requiring prior consent before data is processed, CCPA opens the windows for users to know how their data is being handled, decide whether or not they would like to sell their personal information to the various companies, and finally opt out if they do not feel comfortable.
Thus, prior consent vs. opt-out sums up the contrast between the CCPA and GDPR.
CCPA data coverage is surely broader when compared to GDPR’s. Here’s what AB 375 considers as “personal information”:
All in all, only the larger hotels and chains are likely to be affected by the CCPA Regulation.
Well, who isn’t? Taking a cue from the instance of Marriott, Cathay Pacific and British Airways being hit by hackers that led to the personal details of the guests being exposed, it is important to reassure the guests. This is challenging but CCPA is your best chance to assure your guests that you respect their privacy.
Perks: greater confidence, better trust, more bookings, extreme satisfaction.
What if I Do Not Abide?
Of course, there are a few practical steps that you can take toward hotel compliance with the CCPA by protecting your guests’ data. While seeking out legal advice is surely worthwhile, you can also follow these steps in tandem:
1. Keep a data collection document
2. Educate your staff in this regard
3. Ensure that your partners and third-party suppliers are all CCPA compliant
You can undertake the following exercises to ensure the same:
• Engage in a conversation with the third party and ask what steps they have taken to be CCPA compliant. Since it is just the beginning, a dialogue will be mutually beneficial for all the parties involved.
• Create a compliance road map for each of them that aligns your organization’s own CCPA-impacted internal personal data processes with those of the third party. Gather a team of responsible stakeholders on both sides to see the project through to completion.
• Contract language should be reviewed and rectified so that it is CCPA compliant. Such an exercise is helpful in minimizing legal risk.
• Embed CCPA-compliant elements in your business plan with the third parties.
4. Make security updates and conduct an assessment of your IT infrastructure
An act of cybercrime involves a lot of legal risk and has great potential to cause unthinkable damage to your reputation. Hence a comprehensive assessment of your security and IT infrastructure is the need of the hour.
5. Revise your policies
6. Rebuild the Retargeting Lists
7. Ensure opt-out through emails for advertising
8. Allow consumers to exercise their rights
Many states and hotels are becoming aware of the growing need for CCPA compliance. The need to safeguard consumer data is only going to grow in the coming years. Hence it is better to start early and be prepared, avoiding the risk of reputation damage by being CCPA compliant. This will further enhance customers’ confidence to book with you.