Published on:

Hotel Lawyer Privacy Alert: Do your hotel mobile apps comply with new interpretations of online privacy rules?

By Jim Butler and the Global Hospitality Group®
Hotel Lawyers | Authors of
5 January 2013

Hotel Lawyer on how new privacy law enforcement may affect your mobile apps used in marketing. Hotel lawyer Robert Braun has an alert that may save you an unnecessary class action or troublesome lawsuit (or enforcement action). Although, the California Attorney General has started the furor, the impact of this approach will affect any company who deals with even one consumer in the state of California, and thus is likely to affect most of the hospitality industry in the United States, and many companies outside the US.

Here is what it is all about.

Privacy on the Move
California Imposes New Requirements
on Mobile Apps

Robert E. Braun | Hotel Lawyer

Hotel companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. In addition to online travel agents like, a number of brands including Omni, Choice and Starwood have developed mobile applications. However, as mobile applications gain popularity, hotel companies should consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications, likely due to the fact that in 2004, smartphones and mobile applications were just being developed. However, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.”

California Attorney General becomes active

In 2011 the Attorney General contacted the six leading operators of mobile application platforms – Apple, Amazon, Google, Hewlett-Packard, Microsoft and Research in Motion – to discuss mobile app compliance with CalOPPA. On February 22, 2012, the Attorney General reached an agreement with these companies on a set of principles. The principles require, among other things, that mobile applications include a conspicuously posted privacy policy describing the app’s privacy practices, and that the policy appear in a consistent location on the app download screen.

Following up on this development, in October 2012, the California Attorney General’s office sent letters to a number of mobile application makers that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta’s response was not definitive, and the Attorney General sued. The risks are high – failure to comply with CalOPPA can result in fines of up to $2,500 for each violation.

National (and international) implications from this California development?

While California is the only jurisdiction to have applied its (9 year old) privacy law to mobile applications to date, California is widely regarded as a leader in consumer privacy, and many states look to California for guidance. If California did this by administrative interpretation, so could a lot of other states.

In any event, CalOPPA will have a broad reach, because it applies to:

“… [any] operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service….”

Thus, website or online service operators must comply with CalOPPA if they do business with any California consumers. With the size of California’s population and the importance of its market, the practical effect of CalOPPA will force an overwhelming number of online businesses (including mobile app developers) to comply with it.

As a result, hotels and hotel companies that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users. Hotel companies can comply by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s overall web privacy policy.

Developing a comprehensive information privacy and security program

The JMBM Global Hospitality Group® and the JMBM Data Security Group work with clients to establish and enforce data security policies, and assists clients when there are breaches. We have helped a variety of clients, including hospitality companies, in developing compliance programs, addressing data breach issues, and negotiating contracts with vendors and providers. Contact Bob Braun (, 310.785.52331) or Mike Gold (, 310.201.3529) for assistance. Bob Braun is a member of the International Association of Privacy Professionals and was the first and only “Super Lawyer” in Southern California in 2012 with a specialty in information technology.

If this article was of interest, you may also wish to read other articles on “Data Technology, Privacy & Security,” which include the following articles:

What the Target data security breaches mean for hoteliers

Cyber Security Alert: How to protect your proprietary information from employees

Hotel Lawyer Privacy Alert: Do your hotel mobile apps comply with new interpretations of online privacy rules?

Hotel Liability for Guest Information — What you need to know and how to avoid liability.

Losing the expectation of privacy bit by bit, byte by byte.

Dodd-Frank Act presents Hotels with decisions on credit and debit card charges.

Bob Braun

Robert Braun is a senior member of the Global Hospitality Group® at JMBM. Mr. Braun advises hospitality clients with respect to hotel management agreements, franchise agreements and operating issues. He also advises on transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry. He is a member of the International Association of Privacy Professionals. Contact him at 310.785.5331 or

This is Jim Butler, author of and hotel lawyer, signing off. We’ve done more than $60 billion of hotel transactions and have developed innovative solutions to help investors be successful in bidding for hotel acquisitions, and helping investors and lenders to unlock value from troubled hotel transactions. Who’s your hotel lawyer?

Our Perspective. We represent hotel lenders, owners and investors. We have helped our clients find business and legal solutions for more than $60 billion of hotel transactions, involving more than 1,300 properties all over the world. For more information, please contact Jim Butler at or +1 (310) 201-3526.

Jim Butler is a founding partner of JMBM, and Chairman of its Global Hospitality Group® and Chinese Investment Group™. Jim is one of the top hospitality attorneys in the world. GOOGLE “hotel lawyer” and you will see why.

Jim and his team are more than “just” great hotel lawyers. They are also hospitality consultants and business advisors. They are deal makers. They can help find the right operator or capital provider.