How to Prepare Your Hotel for CCPA
The California Consumer Privacy Act goes into effect on January 1st, 2020. If your hotel hosts any guests that are residents of California, there is a great chance that this will impact your business and you need to ensure you’re in compliance. Furthermore, numerous other states have similar privacy laws on the docket and could be coming soon. You need to be preparing now.
What is CCPA?
CCPA stands for California Consumer Privacy Act and is California’s privacy law aimed at protecting California residents’ against “their data being collected and sold without their knowledge”. Many are calling it “GDPR” lite, so if you were one of the hotels that took action to become compliant for GDPR, this will be a similar process but it is important to note that California’s version does come with a different set of rules and regulations. For a longer answer, we encourage you to read this article from Fortune and the most recent addendums made on October 13th here.
You might be saying to yourself “My hotel isn’t located in California so I probably don’t have to worry.” Well, you could be wrong. California’s CCPA regulations apply anywhere a California resident does business. That means if a California resident books your hotel online or stays at your hotel, you could be held to these regulations.
How do I know if my hotel is impacted by CCPA?
CCPA law applies to any business that does business with residents in California and matches the one of the following criteria:
- Businesses with annual gross revenues of at least $25 million
- Receive, sell or share personal information of 50,000 or more consumers, households or devices
- Businesses that gets at least 50% of annual revenue from selling consumers personal information
California represents 12% of the US population so there is a great chance this will impact your hotel now or sometime in the future.
What does CCPA guarantee to consumers?
CCPA offers consumers protection against how their data is collected and sold and guarantees:
- Knowledge of what personal info is being collected
- Knowledge of whether it’s being sold or shared and with who
- Consumers can opt out of the sale of their personal info
- Consumers’ data can be deleted from past 12 months upon request
What is considered “personal info/data” under CCPA?
It can include traditional data points such as birthdate, SSN, email, address along with non-traditional such as geolocation, IP address, consumer behavior, browse and search history, preferences and open/click behavior.
What role does GCommerce play within CCPA for my hotel?
You should work with the appropriate people at your property and your legal team to understand and evaluate your exposure, including working to understand any vendors you are currently using that capture consumer data. For example this would include your PMS, CRS and CRM providers.
Under CCPA, GCommerce is considered a “service provider” working on your behalf. It is recommended that your business have all service providers sign a data protection agreement stipulating the nature of the data use and specifying that we only use data to perform contracted services.
How can my hotel prepare for CCPA?
Here are several key steps we believe are important to consider to prepare your hotel’s digital marketing for the implementation of CCPA on January 1st, 2020:
- Hotels must provide two methods for consumers to exercise their rights, including a toll free number and their website
- Form Submission Data – It is generally safer to use a 3rd party like MailChimp or a more robust eCRM for all submission forms on website to feed into. These provide easy opt-out options for your email marketing databases. Should you like a recommendation for a third party system to be used, GCommerce is happy to assist both in the selection and implementation.
- Retargeting lists – Retargeting lists that were built prior to January 1, 2020, which were not given the opportunity to opt-out previously, will need to be rebuilt. We recommend getting ahead of this and giving visitors the ability to opt-out now in preparation for the January 1,2020 deadline. Typically our retargeting lists are cleansed every 30-45 days, so over time, with the cookie tracking policy in place, your retargeting lists will be valid.
- Email lists used for advertising – Historically, marketers have been able to utilize email databases to reach audiences on advertising channels such as Facebook and Google. As of January 1, 2020, any email address being utilized for advertising will need to be given the opportunity to opt-out in order to maintain CCPA compliance.