Published on:

Data Privacy Lawyer Alert: The American Privacy Rights Act – What Does it Mean for Hotel Companies?

3 May 2024

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

The American Privacy Rights Act – What Does it Mean for Hotel Companies?

by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

On April 7, 2024, the United States House Committee on Energy and Commerce released the American Privacy Rights Act (APRA). While every Congress for more than a decade has introduced multiple proposals to address privacy rights on a national scale, none have gained traction, and while there’s every reason to suspect that the APRA will meet the same fate – headwinds are coming from the states that have already adopted comprehensive privacy statutes, and it is notoriously difficult to adopt legislation in an election year, and especially now), the APRA is being taken seriously, and might be the basis for a long-awaited, and long-needed, national privacy law.

What Makes the APRA Important?

The most important feature of the APRA is that it would replace the patchwork of individual state privacy statutes — adopted by sixteen (at last count) states, with more on the way. The laws share many common elements, but are not uniform; in a world where state borders mean less and less for consumer transactions, complying with each law is challenging. While there would remain room for states to adopt some unique laws, the APRA could significantly reduce the cost of compliance.

The APRA would also make the United States more consistent with jurisdictions throughout the world. Beyond state laws, there are many privacy laws, like the General Data Protection Regulation in the European Union (and similar laws in the United Kingdom and Switzerland), Canada, and other key trading partners. Citizens in these jurisdictions expect to have the same kind of data protection they have in their home countries, and adopting a comprehensive federal law would facilitate trade.

What’s in it for the Hospitality Industry?

Hotel companies should be particularly interested in the legislation. While many companies collect personal information from customers, hotel companies want to collect large amounts of personal information – knowing more about guests allows brands and operators to provide better services and increase their value. At the same time, the multitude of state laws, as well as foreign privacy laws, create a compliance challenge for the hospitality industry.

What’s in the APRA?

The current draft of the APRA is 140 pages long, but here are a few key highlights:

  • Data Collection. With some exceptions, companies must have a privacy policy that details their data collection practices and describes how consumers can opt out of data collection. Beyond that, the APRA restricts companies from collecting or transferring specific types of sensitive personal information, such as biometric or genetic information, without the individual’s affirmative express consent.
  • Data Minimization. Companies will be prohibited from collecting data that is not “necessary” or “proportionate” to the purpose for which the data is collected. This provision is seen as a real benefit for individuals who have long questioned why they are asked for information that appears to be unrelated to their requests.
  • Private Right of Action. In a major departure from prior federal proposals (and unlike most state statutes), the APRA borrows language from the California Consumer Privacy Act (CCPA) that gives individuals harmed by a data breach the power to sue corporations, allowing consumers to recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. The APRA also allows California residents to seek statutory damages based on the CCPA.
  • Data Control. Under the APRA, individuals can stop companies and data brokers from transferring or selling their data, and can opt out of targeted advertising.
  • Data Brokers. In what is one of the most highly sensitive areas of data collection and protection, the APRA directs the FTC to maintain a registry of data brokers, and requires data brokers to keep a public website that identifies themselves as a data broker. Data brokers will have to honor “opt-out” requests generated through a centralized opt-out mechanism to be established by the FTC, facilitating requests by consumers who want to limit or prohibit the collection of personal information. Individuals would also have a private right of action against brokers that violate the APRA.

The APRA will create challenges for hotel companies. Whether or not the APRA is ultimately adopted – and there are challenges – the move toward a comprehensive, nationwide privacy law appears much closer today, and the hospitality industry will need to adapt. The JMBM Global Hospitality Group® and Cybersecurity and Privacy Group work with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing privacy landscape.

If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:

Time is Short – Reporting your Data Breach

Who’s Responsible for Personal Data at a Hotel?

Why hotels need “visibility” to avoid data privacy liability

Hotel Data Security: Challenges to Address in 2022

New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020

Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security

The California Consumer Privacy Act – What Hoteliers Need to Know Now

Avoiding Hotel Data Breaches With a Risk Assessment Audit™ – Lessons From the Marriott International “Glitch”


Picture of Bob Braun

Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or

Picture of Jim Butler

This is Jim Butler, author of and founding partner of JMBM and JMBM’s Global Hospitality Group®. We provide business and legal advice to hotel owners, developers, independent operators, and investors. This advice covers critical hotel issues such as hotel purchase, sale, development, financing, franchise, management, ADA, and IP matters. We also have compelling experience in hotel litigation, union avoidance and union negotiations, and cybersecurity & data privacy.

JMBM’s Global Hospitality Group® has been involved in more than $125 billion of hotel transactions and more than 4,700 hotel properties located around the globe. Contact me at +1-310-201-3526 or to discuss how we can help.

How can we help? Brochure Credentials Photo Gallery


Contact Information