Corporations like Google and Facebook collect incredible amounts of information about their users, and this summer saw confirmation of widespread surveillance of private citizens by the U.S. National Security Administration. Between government and corporate information collection, privacy experts have gone so far as to say that privacy on the internet no longer exists. As data collection has become ubiquitous online, privacy regulators and other enforcement authorities such as the Federal Trade Commission (FTC) have become more interested in reviewing websites’ and web applications’ privacy policies. These authorities require or strongly encourage, depending on the jurisdiction, website and app operators adopt and publish privacy policies that inform users of the information they collect and how they use it. Indeed, California Governor Jerry Brown recently signed into law new provisions of California Online Privacy Protection Act (CalOPPA), which require website operators and online services to notify users whether other parties may collect information across different websites and disclose how they respond to web browsers that do not track signals. Given the increased scrutiny being given to privacy policies and the size of the penalties levied for not complying with applicable laws in this area, it is surprising that so many websites and apps have inadequate policies or none at all.
Under law and as a best practice, website and web application operators (including those in the Hospitality industry) should publish—and adhere to—privacy policies that tell users how the operator collects, uses, and discloses their personal information. Good privacy policies advance the core principles of privacy protection: they give users notice; let users choose what information is collected and how it is used; let users access information about them; tell users, correctly, that the operator takes reasonable steps to keep their personal information secure; and give users means to address their concerns. Moreover, good privacy policies meet the dual goals of being both thorough and accessible to the average user. Unfortunately, most privacy policies fall short of these goals.
While evolving technologies and changing laws can make it difficult to keep up with the most recent requirements, the Sweep makes clear that “keeping up” is not the real problem. Rather, it’s having a policy and complying with it. This is of particular concern for companies in the Hospitality industry. Not only do they have access to huge amounts of customer data, much of which is collected online, but the Hospitality and Food and Beverage industries are primary targets for data breach, accounting for roughly 33% of the data breaches in 2012. This makes it more important than ever that companies in Hospitality sector adopt meaningful privacy policies and comply with them.
The results of the Sweep and the compliance actions initiated by the FTC and others of late, make clear that this is no easy matter. Still, the first step is to adopt a policy that not only meets statutory requirements, but can and will be implemented. Recommendations for drafting better policies are listed below:
- Privacy policies should present information in a way that is easily readable to the average person. They should use plain language and concise explanations rather than lengthy and confusing legalese. Similarly, links to privacy policies should be both functional and easy to find.
- Policies should fully inform users about all information the operator collects, including data that is collected behind the scenes such as the user’s IP address and information collected from browser cookies.
- Policies should tell users about simple and effective methods to protect their personal information by, for example, opting out of providing data for certain purposes or requesting to access or challenge the accuracy of the operator’s data about them.
- Policies should adhere to applicable laws, such as California’s Online Privacy Protection Act of 2003, as well as FTC guidance. Operators should stay informed about legal developments both in the U.S. and internationally, and update their policies when necessary.
- Policies should include up-to-date contact information for the person(s) responsible for the operator’s privacy practices.
Online data collection in the United States shows no signs of slowing. Nor do attempts to gain access to that information or penalties for failure to protect it. While companies in the Hospitality industry may not be able to stop the onslaught from outsiders determined to hack their data, they can take steps to reduce their exposure from claims by regulators and others that have failed to meet their obligations to consumers by adopting (and complying with) privacy policies that allow their users to make educated decisions about what they disclose and how they allow their information to be used. To comply with applicable laws and guidance, these policies should be as accurate, thorough, and clear as possible.
Greg Duff, Editor
Greg Duff founded and chairs GSB’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.