The California Consumer Privacy Act, signed into law on June 28, 2018, is a bill designed to protect the rights of California residents when it comes to how their personal data can be used.
The law is set to go into effect January 1, 2020, but it will include a one-year look-back. This means you will need to be able to explain any data you have collected on a guest since January 1, 2019. It includes the following requirements for data collection, each of which may affect hoteliers.
- Right to know what data is being collected
- Right to access personal data
- Right to erase personal data
- Right to opt-out of data selling
The right to know what data is being collected about them
For example, IP addresses and device identifiers, which help you store “proof” of consent in double opt-in (DOI) campaigns, are considered personal data, and thus need to be disclosed to the person you are capturing them from.
The right to access their personal data
Guests will have the right to know and receive access to any data you have collected about them. If you’re a Revinate customer, you’re already covered. Both our Guest Feedback and Marketing products offer this feature. You can provide this information on the property or group level.
The right to erase their personal data
Simply put, this means that guests have the right to have their profile and all related data erased. This essentially erases that guest’s entire existence with that hotel. Revinate Marketing and Revinate Guest Feedback offer properties the ability to delete a guest from their records. Deleting a guest means:
- They will no longer appear in segments, stats or the guest database
- They will be added again if they make a new reservation
- They will be added to a log of deleted guests
- The property will be reminded to remove the guest from the Property Management System
Again, our Support Team will also be able to do this on the backend for both Revinate Marketing and Revinate Guest Feedback upon request.
The right to opt-out of data selling
This gives guests the option to choose not to allow their data to be sold and to receive the same service for the same price as those who do not opt out. This aspect of the law shouldn’t apply to hotels. Hoteliers aren’t likely to sell guest data and guests should receive the same service whether they opt out of you selling their data or not.
Frequently Asked Questions
Does CCPA apply to me?
CCPA only applies to businesses that fulfill at least one of the following criteria:
- Receives the personal information of at least 50,000 California customers per year
- Has annual gross revenue in excess of $25 million
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Do I need to get proof of consent to market to my guests?
No. Double opt-in campaigns are not required. Unlike GDPR, which aggregated and replaced a series of other privacy laws, CCPA is intended to be applied alongside existing state and federal privacy laws, such as CAN-SPAM.
What fines can I expect with CCPA?
We have good and bad news for you. The good news? The fines are not as heavy as with GDPR. GDPR has strict fines for repeated and flagrant misuse of private data: 20 million euros or 4% of gross revenue (whichever is larger). For CCPA, the fines are significantly smaller. However, the biggest concern in California is the potential for civil suits, which could go to court for millions, not to mention the headache of a civil suit.
I did a lot of work for GDPR…that will cover me, right?
More similar laws are on the way
The tide of increased consumer privacy is just beginning, so expect more laws to come. The good news is, Revinate is here to help you track your guest data and keep it secure.
As always, please seek legal advice from a professional to ensure you are in compliance.