Hotel Lawyer Privacy Alert: Do your hotel mobile apps comply with new interpretations of online privacy rules?

Published on: 5 January 2013

Hotel Lawyer on how new privacy law enforcement may affect your mobile apps used in marketing. Hotel lawyer Robert Braun has an alert that may save you an unnecessary class action or troublesome lawsuit (or enforcement action). Although the California Attorney General has started the furor, the impact of this approach will affect any company that deals with even one consumer in the state of California, and thus is likely to affect most of the hospitality industry in the United States, and many companies outside the US.

Here is what it is all about.

Privacy on the Move
California Imposes New Requirements on Mobile Apps

by Robert E. Braun | Hotel Lawyer

Hotel companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. In addition to online travel agents like HotelsbyMe.com, a number of brands including Omni, Choice and Starwood have developed mobile applications. However, as mobile applications gain popularity, hotel companies should consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”


CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications, likely due to the fact that in 2004, smartphones and mobile applications were just being developed. However, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.”

California Attorney General becomes active

In 2011 the Attorney General contacted the six leading operators of mobile application platforms – Apple, Amazon, Google, Hewlett-Packard, Microsoft and Research in Motion – to discuss mobile app compliance with CalOPPA. On February 22, 2012, the Attorney General reached an agreement with these companies on a set of principles. The principles require, among other things, that mobile applications include a conspicuously posted privacy policy describing the app’s privacy practices, and that the policy appear in a consistent location on the app download screen.

Following up on this development, in October 2012, the California Attorney General’s office sent letters to a number of mobile application makers that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta’s response was not definitive, and the Attorney General sued. The risks are high – failure to comply with CalOPPA can result in fines of up to $2,500 for each violation.

National (and international) implications from this California development?

While California is the only jurisdiction to have applied its (9-year-old) privacy law to mobile applications to date, California is widely regarded as a leader in consumer privacy, and many states look to California for guidance. If California did this by administrative interpretation, so could a lot of other states.

In any event, CalOPPA will have a broad reach, because it applies to:

“… [any] operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service….”

Thus, website or online service operators must comply with CalOPPA if they do business with any California consumers. With the size of California’s population and the importance of its market, the practical effect of CalOPPA will force an overwhelming number of online businesses (including mobile app developers) to comply with it.

As a result, hotels and hotel companies that use smartphone apps as part of their “mobile strategy” must make privacy policies accessible to app users. Hotel companies can comply by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s overall web privacy policy.

Here are some of the ways JMBM helps clients with data security matters

The JMBM Global Hospitality Group® and the JMBM Cybersecurity & Privacy Group work with clients to establish and enforce data security policies, and assist clients when there are breaches. We have helped a variety of clients, including hospitality companies, in developing compliance programs, addressing data breach issues, and negotiating contracts with vendors and providers.

Here are some of the ways we help clients with data security matters:

  • Respond to data breaches, including selecting appropriate technology and forensics experts
  • Develop and implement data breach response plans and procedures, and related privacy, information security and data retention policies and procedures
  • Address statutory and regulatory issues
  • Develop effective solutions for protecting and managing information assets and complying with legal requirements, using an approach that will contain costs and maintain operational efficiency
  • Advise clients on the effect of international privacy laws and rules on their businesses, including the U.S.–E.U. Safe Harbor Program
  • Address legal challenges posed by social media and mobile applications
  • Negotiate agreements for technologies and services to implement information management systems
  • Conduct internal investigations, particularly those involving sensitive electronically stored information
  • Assist companies in developing appropriate governance tools at the board of directors and executive management levels to address cyber risk


Other information about cybersecurity issues

If this article was of interest, you may also wish to read other articles on “Data Technology, Privacy & Security,” which include the following articles:

What every hotel owner (and operator) needs to know about “data security” after the Wyndham case

What the Target data security breaches mean for hoteliers

Cyber Security Alert: How to protect your proprietary information from employees

Hotel Lawyer Privacy Alert: Do your hotel mobile apps comply with new interpretations of online privacy rules?

Hotel Liability for Guest Information — What you need to know and how to avoid liability.

Losing the expectation of privacy bit by bit, byte by byte.

Dodd-Frank Act presents Hotels with decisions on credit and debit card charges.

Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years’ experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.

Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.

This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Why don’t you give us a call (or send an email) and let us know what you are working on. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?


Our Perspective. We represent hotel owners, developers and investors. We have helped our clients find business and legal solutions for more than $71 billion of hotel transactions, involving more than 3,800 properties all over the world. We bring this experience to any hotel project — big or small. Let’s explore how it might work for you. For more information, please contact Jim Butler at jbutler@jmbm.com or +1 (310) 201-3526.

Jim Butler is a founding partner of JMBM, and Chairman of its Global Hospitality Group® and Chinese Investment Group™. Jim is one of the top hospitality attorneys in the world. GOOGLE “hotel lawyer” and you will see why. Jim and his team are more than “just” great hotel lawyers. They are also hospitality consultants and business advisors. They are deal makers. They can help find the right operator or capital provider. They know who to call and how to reach them.