What Hotels Need to Know About the California Consumer Privacy Act

By Jeff Venza, President & CEO

Hotel management companies are asking, how does the new privacy act in California compare to the new European Union privacy law? Here is a side-by-side comparison which reveals a few things that hotels should know.

The delta between the EU Privacy Law (GDPR) to the California Consumer Privacy Act (CCPA) is:

1. Legitimate interest: This is something that many companies are considering using to avoid documenting consent for GDPR. Companies don’t have this luxury with CCPA (the California law).

Summary – If it’s a competition for most robust, then 1 point goes to CCPA for being more protective.

2. Personal Data/PII: In terms of defining personal data/PII, it appears as CCPA has a list quite similar to GDPR.

Summary – It’s a tie.

3. Fees (Part 1): GDPR fines for damages for lack of compliance. It appears CCPA will levy fines in the event of a breach only.

Summary – One point goes to GDPR.

4. Fees (Part 2): GDPR effectively applies to any controllers and processors (the threshold is very low). Whereas, CCPA applies only to business that have high revenues ($25M) OR large numbers of processing ($50K) or has much (50%) of their revenue from personal information sales.

Summary – One point goes to GDPR.

5. Fees (Part 3): Fines under GDPR are based on global revenues (4%) whereas CCPA levies fines based on each violation ($7,500 per violation). So, in the case of a large breach (like Equifax with 12 million records), the fines can quickly approach billions of dollars.

Summary – One point awarded to CCPA.

6. Consent: This is a huge deal for GDPR. CCPA allows businesses to expect consumers to opt-out. This is a big difference than requiring a business to demonstrate that people have opted-in, under their own free will.

Summary – One point goes to GDPR.

An at-a-glance summary score for the most comprehensive and most protective:

2 points to CCPA, 3 points to GDPR, 1 tie

And what do both have in common:

• People have the right to know (data subject requests).

• Breach notifications are important.

• Managing third-parties is important.

• Data privacy legislation is here to stay.

Regardless of the nuances between both privacy laws, data privacy legislation is here to stay. Hotels will continue to be targeted by hackers because of the personal information collected every day. Knowing and understanding privacy legislation is key to operating hotels in today’s market.