02 April 2025
See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.
A recent lawsuit filed in the U.S. District Court for the Central District of California alleges that Accor Management US Inc., the parent company of Fairmont Hotels & Resorts, violated California’s privacy laws by improperly sharing users’ browsing and booking information with social media platforms without user consent. This data sharing is said to have enhanced the algorithms and ad targeting abilities of these platforms.
Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines what CIPA is and how companies should respond to CIPA claims.
Fairmont has a New (Website) Visitor – A CIPA Class Action
by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group
On March 19, 2025, Accor Hotels, through its Fairmont Hotels & Resorts brand, became one of the latest – and one of highest profile – defendants in a current wave of website litigation. In the complaint, the attorneys for Natalie Gianne, claimed that when she accessed the Fairmont Hotels website to book a room, Accor allowed social media platforms to intercept communications, including confidential guest records without her prior consent in violation of the California Invasion of Privacy Act (“CIPA”, pronounced “see-pa”), and used that information to target her for advertisements.
Hotel companies need to pay particular attention to this case and its implications. Hotels are attractive targets for claims like these – they have broad website presence and have a public profile that makes these cases sensitive. In addition, large hotel companies are viewed as deep pockets that would be willing to settle.
What is CIPA?
The CIPA was originally adopted to adopted to protect California residents from a third party eavesdropping on a telephone call. As a result, in California and several other states, all parties to a phone call (including video calls) must consent to a recording. This is straightforward enough; however, CIPA plaintiffs, like Gianne, are extending the CIPA to information collected for website analytics purposes.
Data analytics is the process of examining raw data to uncover patterns, draw conclusions, and make informed decisions, enabling businesses to optimize performance, improve efficiency, and make strategic decisions. In the website context, analytics involves collecting, measuring, analyzing and reporting data to understand and improve website usage.
Where do the CIPA and Website Analytics Meet?
Websites have employed third parties to analyze website usage for years. Website owners want to know how users came to their site, what they do when they are on the site, and where they go when they leave. Website owners can use this information to make sure their sites are easy to navigate; if, for example, a user leaves a website while making a purchase at a website, the website owners will want to know why. They want to know what drives users to their sites, and how they can get more visitors. Analytics can help a website owner boost their search engine ratings, determine the value of marketing campaigns, and track digital marketing efforts.
Historically, analytics were internal – a website owner would collect information from visitors and use that information to improve their website. The website owner might hire an outside service (Google Analytics is well known for providing this service). Information about the visitor might be collected by a third party, but only in anonymous, aggregated form, and was only shared with the website owner. Bringing us back to the CIPA and similar laws, no third party was involved, so no consent was required.
Now, however, website owners have allowed (sometimes without their knowledge) social media companies like Facebook, LinkedIn and others to place tracking devices – typically, pixel trackers and other invisible items) on the site; when a user visits a page where the tracking device is installed, the user’s browser is instructed to transmit information to the tracker. However, not all companies obtain user consent to these tracking devices. In this case, a user can argue that personal information was shared with a third party without consent, and that it constituted a violation of CIPA.
How Should a Company Respond?
Update Website Documentation. One of the most important steps is to evaluate and, if necessary, update existing website terms of use, cookie policy, and privacy disclosures to reflect what is allowed on the website.
Website owners also need to implement processes to ensure and document consent. Typically, this is achieved through a “cookie banner” that a user must acknowledge before going to the site. However, the consent must be implemented carefully; it’s common for tracking technology to be triggered the moment a user lands on a site, which could be grounds for a claim that CIPA is being violated. Instead, no cookies or other trackers should be “turned on” until the user gives consent, something that website designers or privacy technicians can oversee. In addition, thought should be given to the form of the banner; it should provide for actual consent, which means that the consumer must be given a choice.
As important as privacy policy disclosures are the terms of use. While these have long been seen as a boilerplate document and implemented with little thought, key terms can protect the website owner, including limitation on damages, enforceable arbitration clauses and, when possible, class action waivers.
Act Quickly. When a company receives a CIPA claim, there are several things it (and its attorneys) should do to evaluate the seriousness of the claim:
- Does the claim bring any specific evidence? Some letters or complaints don ‘t have specific information about the defendant or the basis for the claim, which may leave room for defenses.
- What law firm brought the action? Some firms are known for filing CIPA class action claims and may have a reputation for settling easily or as hard negotiators. Since class action claims are often arranged by attorneys, they can be seen as the adverse party.
- Does the demand letter include an offer for settlement? For better or worse, it’s often makes economic sense to resolve a case quickly, rather than spend unnecessary resources on litigation. This determination is more complicated that determining the cost of settlement against the cost of litigation. While a firm may want a quick and quiet resolution, it also should consider that a private, out of court may not protect them from future claims from other plaintiffs not included in this class.
- Could the claim be subject to arbitration? Arbitration is confidential and will avoid the uncertainty of a jury trial.
In any case, responding to a claim, including a pre-litigation claim, requires experienced attorney. Counsel can evaluate the likelihood of litigation, preserve evidence and data, and conduct an internal investigation. A company needs evidence that can be used to challenge the CIPA claim, as well as class certification, but it’s important to gather it in a way that preserves the attorney/client privilege whenever possible.
If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:
Artificial Intelligence is Checking into your Hotel – Are You Ready?
The American Privacy Rights Act – What Does it Mean for Hotel Companies?
Time is Short – Reporting your Data Breach
Who’s Responsible for Personal Data at a Hotel?
Why hotels need “visibility” to avoid data privacy liability
Hotel Data Security: Challenges to Address in 2022
New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020
Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security
The California Consumer Privacy Act – What Hoteliers Need to Know Now
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.
This is Jim Butler, author of www.HotelLawBlog.com and founding partner of JMBM and JMBM’s Global Hospitality Group®. We provide business and legal advice to hotel owners, developers, independent operators, and investors. This advice covers critical hotel issues such as hotel purchase, sale, development, financing, franchise, management, ADA, and IP matters. We also have compelling experience in hotel litigation, union avoidance and union negotiations, and cybersecurity & data privacy.
JMBM’s Global Hospitality Group® has been involved in more than $125 billion of hotel transactions and more than 4,700 hotel properties located around the globe. Contact me at +1-310-201-3526 or jbutler@jmbm.com to discuss how we can help.
How can we help? Brochure Credentials Photo Gallery