Hotel Data Security Update: Hotels, Hotel Owners and Employee Personal Information
Hotel operators and owners have long been focused on the privacy of the personal information they collect from guests – because of the global nature of the hospitality business, hotel brands have focused on complying with the European Union’s General Data Protection Regulation (GDPR) and, beginning in 2018, the California Consumer Privacy Act (CCPA), the first comprehensive U.S. state law designed to protect the privacy of consumers’ personal information. Businesses subject to the GDPR and the CCPA are required, among other things, to respond to consumers who wish to view the personal information the business has collected, to delete personal information, and to opt out of the sale of personal information; these obligations expanded in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA).
Employee and Business Personal Information
While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature initially exempted employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021; the CPRA extended that exemption to January 1, 2023.
The Exemption and its Demise
While most observers believed that the California legislature would extend the exemptions for employee and B2B personal information, when the California Legislature adjourned on August 31, 2022, it did so without adopting an extension. As a result, it is now certain that full consumer rights will apply to personal information obtained from employees or through a B2B relationship.
Even though hotel owners and operators are familiar with the requirements of the CCPA and the GDPR, the expiration of the exemption will be challenging. Owners and operators will need to adapt their policies to employee and B2B personal information. However, many hotel owners have little or no contact with guests and have left compliance to hotel operators. These firms will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.
This is especially the case for hotel owners that act as the employer of hotel personnel, but it will extend to all hotel owners with employees, whether engaged at a hotel or not, since employers are obligated to collect vast amounts of personal information, including sensitive personal details (such as financial, health and intimate personal characteristics), to conduct business. These owners will need to address the information they collect, where it is held, who has access to it and how it is used. Moreover, hotel owners and operators will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and protection against retaliation following the exercise of opt-out or other rights.
Business Challenges
Personal information obtained from employees is of particular significance. California businesses need to evaluate the differences and similarities between the rights afforded to employees under the CCPA (including how the exemptions from disclosure and deletion apply) and those provided under California labor law. California employers have, or should have, already adopted many of the processes required under the CCPA. For example:
- Right to Know – The CCPA gives consumers the right to request that a business disclose (i) the categories of personal information collected, (ii) the sources of such personal information, (iii) the third parties to whom the business disclosed the personal information, and (iv) what personal information was sold/shared and to whom. California has several laws affording employees the “right to know” certain types of information the employer has collected, including the employee’s personnel file, documents signed by the employee, and payroll records. In contrast, the CCPA is broader in scope and requires employers to disclose geolocation, biometric, internet activity, inferences drawn, and other information that employers might collect. Additionally, the timelines for responding to a request under the CCPA differ from those under California labor law.
- Right to Delete – The right to request that a business delete personal information collected from the individual. Employers should assess federal, state and local retention requirements pertaining to employment records, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code Section 12946, and California Labor Code Section 226 to determine potential exemptions to a deletion request under CCPA Section 1798.105(d)(8), which exempts a business from deleting information necessary “to comply with a legal obligation.” These exemptions may also apply to B2B personal information.
- Right to Opt Out of Sale or Share – Under the CCPA, consumers have the right, at any time, to direct a business that sells or shares personal information not to sell or share such information. Employers should not only reassess their disclosure agreements with vendors but also ascertain whether their vendors are service providers, contractors or third parties under the CCPA, since the disclosure of an employee’s personal information to a vendor may be viewed as a “sale” under certain circumstances.
- Right to Limit Use and Disclosure of Sensitive Personal Information – Employers should assess whether they are processing an employee’s personal information, and whether that includes sensitive personal information. For example, if an employer is processing sensitive personal information (such as racial or ethnic origin) for diversity and inclusion purposes, it may be permitted under an exception. However, if an employer is processing sensitive personal information for purposes of inferring characteristics of its employees and using artificial intelligence to assist with hiring, including using automated decision systems, this right may be triggered.
B2B Implications
While the emphasis of this development has been the impact on employers, B2B personal information is now subject to the same regime as employee personal information. Hotel companies need to analyze their collection and use of B2B personal information and provide B2B contacts the same rights a consumer has under the CCPA, including the right to know, the right to delete, the right to opt out of sale or sharing, and the right to limit use and disclosure of sensitive personal information.
Next Steps
Hotel companies subject to the CCPA should immediately take steps to comply with these new requirements, including:
- Update CCPA processes and controls to address employee and B2B data.
- Conduct a review and inventory of HR processes to see where employee data may exist, what data the business maintains and whether such data is subject to the CCPA.
- Update notices at collection and privacy policies for employees, applicants, and contractors.
- Update existing processes to respond to employee requests under the labor code and engage stakeholders to design new policies and procedures for responding to privacy rights requests in 2023, including the treatment of potential exemptions under the CCPA.
- Review and update contract terms with service providers, contractors and third parties to incorporate the new terms required under the CPRA and to mitigate risk.
Jeffer Mangels Butler & Mitchell, working through its Cybersecurity and Privacy Group and its Global Hospitality Group, addresses privacy and security issues and assists with compliance with state, federal and international data protection laws. For more information, contact Robert Braun ([email protected]).
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from the development of cybersecurity strategies and the creation of data security and privacy policies to responding to data breaches, regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Further information about cybersecurity issues
If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:
- Why hotels need “visibility” to avoid data privacy liability
- Hotel Data Security: Challenges to Address in 2022
- New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020
- Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security
- The California Consumer Privacy Act – What Hoteliers Need to Know Now
- Avoiding Hotel Data Breaches With a Risk Assessment Audit™ – Lessons From the Marriott International “Glitch”
- California Adopts the California Consumer Privacy Act of 2018
- GDPR: What you need to know about the EU’s new data privacy rules
- Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?