25 October 2022
In addition to protecting the personal information of guests in compliance with the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, hotel operators and owners need to extend the same protections and rights to their employees and the information collected from them. Bob Braun, a senior member of the Global Hospitality Group and Co-Chair of JMBM’s Cybersecurity & Privacy Group, outlines hotel employer obligations in the article below, along with suggested next steps.
Hotels, Hotel Owners and Employee Personal Information
by Bob Braun, Hotel Lawyer
Hotel operators and owners have long been focused on the privacy of the personal information they collect from guests – because of the global nature of the hospitality business, hotel brands have focused on complying with the European Union’s General Data Protection Regulation (GDPR), and beginning in 2018, the California Consumer Privacy Act (CCPA), the first comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the GDPR and the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt out of the sale of personal information; these obligations expanded in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA).
Employee and Business Personal Information
While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature initially exempted employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, and the CPRA extended that exemption to January 1, 2023.
The Exemption and its Demise
While most observers believed that the California legislature would extend the exemptions of employee and B2B personal information, when the California Legislature adjourned on August 31, 2022, it did so without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or because of a B2B relationship.
Because hotel owners and operators are familiar with the requirements of the CCPA and the GDPR, the expiration of the exemption will be challenging. Owners and operators will need to adapt their policies to employee and B2B personal information. However, there are many hotel owners that have little or no contact with guests and have left compliance to hotel operators. These firms will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.
This is especially the case for hotel owners that act as the employer of hotel personnel, but will extend to all hotel owners with employees, whether engaged at a hotel or not, since employers are obligated to collect vast amounts of personal information, including sensitive personal details (such as financial, health and intimate personal characteristics) to conduct business. These owners will need to address the information they collect, where it is held, who has access to it and how it is used. Moreover, hotel owners and operators will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights.