By Jim Butler and the Global Hospitality Group®
10 July 2018
Privacy legislation is dominating the news cycle these days–and it’s unlikely to slow down. Now, as U.S. companies are adjusting to the requirements of the European Union’s General Data Protection Regulation, the State of California has introduced new laws that will apply to California companies or companies doing business in California. Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun discusses the implications of the new legislation and how it will impact hotels, below.
California Adopts the California Consumer Privacy Act of 2018 by Bob Braun
On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation (GDPR) went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature passed, and the governor signed, AB 375, the California Consumer Privacy Act of 2018, which provides many of the same protections and is sure to upend privacy regulation in the United States. The Act was passed by the State Assembly and signed into law by Governor Jerry Brown on June 28, 2018.
Hotel companies have been grappling with the impact of the GDPR on their operations, and analyzing whether they need to adopt policies and procedures, appoint data privacy officers and register with a Data Privacy Agency as required under the GDPR. Since a privacy rule that impacts California effectively becomes a national standard, this new Act means that hotel companies will need to consider many of those issues, regardless of their foreign operations.
The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways.
Key Provisions
- Application. The Act applies to all personal information, which is broadly defined, not just information collected electronically or collected directly by a firm. Hotel firms will need to consider all of their data acquisition functions, conform their practices to the Act, and consider how reservation functions, loyalty programs and other business practices are impacted by the Act.
- Definition of Personal Information. The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, personal information explicitly includes a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. And, particularly significant in light of this week’s Supreme Court decision, it includes geolocation data. This is a far-reaching extension of how personal information has been defined in the United States for privacy purposes.
- Consumer’s Right to Know. The Act would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
- Private Right of Action. The Act includes a private right of action, allowing consumers to seek damages for certain categories of unauthorized disclosures in the amount of $750 per violation. This change is significant; while the statutory damages seem modest, recall that a typical breach consists of thousands of records. Moreover, victims of a data breach have typically been required to prove damages, which can be daunting; this changes that requirement.
- Business Disclosures. Businesses will be required to make disclosures about the information and the purposes for which it is used.
- The Right to be Forgotten. Consumers will have the right to request deletion of personal information and to require the business to delete their personal information upon receipt of a verified request.
- Expanded Opt-Out Rights. Consumers will have the right to opt out of the sale of personal information by a business, and businesses will be prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- Firms Covered. The Act will protect California citizens, and apply to any company that has annual gross revenues in excess of $25 million, alone or in combination, or annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or derives 50 percent or more of its annual revenues from selling consumers’ personal information. You should note that these tests are in the alternative, and that it will include many smaller companies. Since hotel companies regularly deal with a significant volume of guest information, hotels will be particularly impacted by this law.
Enforcement
While the Act does not go into effect for more than a year, it seems likely that it will be aggressively enforced. The Act gives the California Attorney General the authority and responsibility to issue regulations and opinions and to enforce the Act – some believe that this will make the AG the equivalent of the “top cop” on privacy matters in the nation. Both the current and prior attorneys general have aggressively pursued data privacy enforcement, and we can expect more of the same.
These are only a few of the provisions of the Act, but it is clear that it has the potential of impacting companies throughout the nation. Just as California’s initial breach notification act, adopted in 2002, radically changed the privacy landscape, the California Consumer Privacy Act of 2018 is likely to have as important an impact.
The authors of the Act recognize that it will require additional clarifying regulation to implement, and the Act itself authorizes the Attorney General to issue opinions on the scope of the Act.
While the ink on the Act is still wet, it seems clear that the Act reflects many of the requirements of the EU’s General Data Protection Regulation, and complying with the GDPR will put companies at a competitive advantage against those who wait. JMBM’s Global Hospitality Group has worked with hotel companies to establish procedures and policies to achieve GDPR compliance, and is prepared to address compliance with California’s new law. For additional information, contact Bob Braun (rbraun@jmbm.com, 310.785.5331) or Mike Gold (mgold@jmbm.com, 310.201.3529).
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years’ experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.
This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Please contact us if you would like to discuss any issues or developments that affect your hotel interests. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?