The hospitality industry is always working to leverage technology to improve the customer experience. The industry’s embrace of new technology is seen at each step of the hotel booking process, from researching hotel options using online review sites such as TripAdvisor, to booking a reservation using an online travel agency such as Expedia, to using the hotel operator’s mobile app to check into a hotel before you even arrive.
At each step, potential guests provide a variety of detailed personal information, from their address and phone number to individual room preferences. Most consumers have limited knowledge of how their personal data is stored, used, analyzed or shared. Even where guests agree to terms of service when providing personal data, those terms are often voluminous and difficult to understand. With society’s increasing reliance on technology comes the constant risk of data breaches and theft of personal data, so it is especially important that the personal data of individuals be protected.
In an effort to address these burgeoning concerns, the European Union (EU) recently implemented a new regulation known as the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). The GDPR, which became effective on May 25, 2018, seeks to empower consumers by requiring companies to offer greater transparency in how they collect, store, process and share their customers’ personal data. Every organization around the world that processes personal data of EU residents will be affected by the GDPR. This article focuses on the implications of the GDPR for the various players in the hospitality industry, including owners, operators, brands and management companies; addresses who may be liable in the event of GDPR violations; and offers advice on how companies in the hospitality industry can ensure GDPR compliance and better oversee the management of personal data.
The GDPR Explained
The GDPR establishes extensive rules protecting the personal data of individuals, and regulates how companies manage, store, use, and share that personal data. GDPR rules apply to any entity that exists in the EU, does business in the EU, or collects any personal data of individuals located in the EU, even if the entity has no physical footprint in the EU. The GDPR is intended to give “data subjects” (commonly understood to include all EU residents) greater control over their personal data, regardless of what entity collects that data, and a fuller understanding of how that data is collected and stored, what security measures are in place to protect that data, and for what purpose that data may be or is being used.
Overall, the GDPR requires companies to become significantly more transparent about personal data collection. Any time a company obtains personal data on an EU resident, the company will need a legal basis for the collection of the data, and explicit “opt-in” consent from the individual. Individuals will be able to revoke consent, and companies must ensure there is a methodology in place for doing so. The GDPR also grants data subjects a right of access to their personal data (Article 15) and a right of erasure (Article 17), whereby the individual may request the erasure of their personal data on various grounds.
The consequences of non-compliance are extreme. Violations may subject the offending entity to a fine of up to €20 million or 4 percent of the annual worldwide turnover of the entity for the preceding financial year, whichever is greater. Beyond the financial impact on an offending entity, the violation may also be detrimental to the entity’s reputation.
Hospitality Industry Particularly Susceptible
Given the inherently global and data-intensive nature of the hospitality industry, hotel owners, operators, brands and management companies are inordinately impacted by the GDPR. Not only does the GDPR apply to any of these parties with a hotel property or other business presence in the EU, but also to any party that collects personal data from residents of the EU, even when concerning hotel stays in non-EU countries.
Moreover, hospitality companies process immense amounts of personal data on a constant basis. Seeking to anticipate each guest’s desires, these entities gather volumes of personal data, including names, birthdays, business credentials, entertainment, food and lodging preferences, travel plans, and in some instances biometrics, health status, or sex life or sexual orientation (which may be disclosed by way of certain guest requests), among other categories. They also receive personal data from third parties such as travel agencies (which also must ensure their own GDPR compliance). Further, by processing payments from guests, additional sensitive personal data is collected, including credit card information, banking information, and spending preferences. In addition, the hospitality industry cycles through large numbers of staff members, and for those staff qualifying as a “data subject” pursuant to the GDPR, their personal data must be safeguarded in the same fashion.
Additionally, the hospitality industry frequently employs digital marketing campaigns, which also implicate the GDPR as these methods of engaging potential guests involve collecting personal data.
Liability Risks and Recommendations
To ensure compliance with the GDPR, hospitality companies must understand their data collection, usage and storage practices. Because it is difficult to know where data is stored (it can be housed, for example, locally at the hotel level, more removed at the management or brand level, or remotely on cloud-based storage), companies should establish an organizational system for personal data that is carefully followed. Entities should also consider creating a position for a data protection officer if one does not already exist. That individual would oversee data gathering, storage and protection procedures, and compliance with the GDPR. Entities should also carefully review their data collection forms and privacy notices on their websites to ensure they conform to GDPR requirements.
Establishing such safeguards is highly recommended given that liability for non-compliance as between hotel owners and operators (as well as brands and management companies) is uncertain. Collection of personal data occurs all the way from the hotel level to the corporate/brand level. Generally, hotel operators, rather than hotel owners, are the entities that gather and store guests’ personal data. When booking a hotel, guests frequently book through brand websites and loyalty programs, some of which direct guests to hotel-specific websites (which are often brand-hosted). But this does not guarantee that penalties for GDPR violations will fall on the operator and not the owner.
Hotel management agreements usually contain broad indemnification provisions whereby owners indemnify operators for various potential issues. But the scope of that indemnity is defined by the specific language and parameters of the respective contract. Liability language, drafted years or decades before the GDPR’s passage, likely will not provide comfort as to how liability for GDPR violations will be treated. Hotel management agreements also sometimes contemplate who among the hotel owner and operator is the owner of guest profile data, including guest preferences. That ownership, while historically desired, may also now bring a presumption of GDPR liability.
In the event of a violation of the GDPR, it is a near certainty that operators will take the stance that liability falls on the owner. Thus, it is critical for owners to carefully consider the implications of liability for GDPR violations when entering into hotel management agreements, and to review the language of their existing agreements, to understand their exposure and potential liability. Additionally, new hotel management agreements should specifically contemplate and address liability for GDPR violations.
The GDPR has immediate implications for the hospitality industry. Since compliance is mandatory and penalties are severe, hotel owners and operators, in addition to other industry players such as online travel agencies, are well served not only by seeking to comply with the GDPR’s numerous requirements, but also by ensuring that their agreements adequately delineate liability for any violations of the GDPR.
Todd E. Soloway and Bryan T. Mohler are partners at Pryor Cashman. Jason S. Mencher, an associate at the firm, assisted in the preparation of this article.