CCPA: Hotel Loyalty Programs, Data Retention and the Brave New World of Privacy

By Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from www.HotelExecutive.com.

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.

Because the Act was adopted so quickly, and because it was driven by the original proposition, the Act, as entered into law, does not have the kind of guidance that helps us understand how to implement the concepts in the Act. The California Attorney General has, as required under the Act, submitted proposed regulations that assist in complying with the Act, but much more needs to be done for businesses to feel comfortable in plotting a means of compliance. It is likely that our understanding of the Act, and how businesses can comply with the Act, will evolve over the coming years.

The Act as Part of a Broader Shift in Consumer Preferences

In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.

In the United States, there have been few limitations on the collection or use of personal data. There are some exceptions – financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act , and children’s information is addressed under the Children’s Online Personal Privacy Act. But in general, personal information – names, addresses, and other identifying information – may be collected and used without significant restriction, and consumers did not typically object.

The advent of computers and the increased ability to collect, store, process and monetize information, has changed consumers’ attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both by direct marketing and by sharing, or selling, the data to others. Along with the “legitimate” use, came less savory forms, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.

Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and reports of data theft are regularly reported.

Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data, and not just a limited selection of financial data, but a broad array of information – essentially, anything that could be used to identify an individual. This would include not just names, addresses and other obvious data points, but also biometric and location data, of which many of us are unaware are being collected.

Do Hotels Need to Comply with the Act?

The Act is applicable to many businesses, whether located inside or outside California.? The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – ?a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria: Continue reading

As most (but not all) business know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.

The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”

Part 1 – Data Mapping

A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.

There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether it advances the business. Companies must realize that every point of data it holds is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.

Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps

Part 5 of a Series

Consumer Rights: Deletion, Do Not Sell, Non-Discrimination

The California Consumer Privacy Act obligates covered businesses to disclose the categories of personal information, the sources of personal information and uses of personal information collected in the course of their operations.  In addition, the CCPA gives consumers specific rights not just to know what data is being collected, but also whether and how that data can be used.  Compliance with the CCPA requires an understanding of these rights, and adoption of procedures to comply with them.

Deletion

Under Section 1798.105 of the CCPA, consumers have the right to request a business to delete “any personal information about the consumer which the business has collected from the consumer.” The business must fulfill such requests — and to direct “any service providers,” as that term is defined in the CCPA, to do the same — within 45 days of receiving a “verified request” or “verifiable request” from the consumer.  Businesses should be aware that the consumer’s right to delete is one of the provisions that must be included in the company’s privacy policy.

The right to delete is not absolute.  Businesses are also not required to delete information “if it is necessary” to:

  • Complete the transaction for which it was collected.
  • Provide a good or service the consumer has requested.
  • Perform a contract between the business and the consumer.
  • Detect security incidents.
  • Protect against “malicious, deceptive, fraudulent, or illegal” activities.
  • Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities.
  • “Debug to identify and repair errors that impair existing intended functionality.”
  • Ensure the exercise of free speech by another customer.
  • Ensure the company’s exercise of “another right provided for by law.”
  • Comply with a legal obligation, in particular, those of the California Electronic Communications Privacy Act.

These exceptions give businesses a broad range of reasons to keep information.  For example, a business may continue to use a consumer’s personal information that has been the subject of a deletion request “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” A similar exception is carved out for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”

Opt-out of Sales

The CCPA gives consumers two related rights regarding the sale of personal information: 1) a “right to opt out” of the sale of personal information, and 2) for consumers under the age of 16, a “right to opt in”. Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:
Part 4 of a Series

Verified Requests for Data

The CCPA is hurtling headlong toward implementation on January 1, 2020.  The Act, which is likely to be amended, perhaps substantially, in the next sixty days, and which has no guiding regulations, continues to present a conundrum for companies faced with designing and implementing policies and procedures that need to be consumer-ready by Day 1.

One requirement that has created substantial confusion and uncertainty is directly related to a key element of the Act – the right of consumers to control the personal information held by companies. Under the Act, companies must develop or identify internal mechanisms to respond to a consumer’s exercise of their right to access the information collected about them, verify their identity, respond within the mandated 45 days, and document both the request and response.

While the obligation is clear and seemingly innocuous, it is creating both confusion and its own cottage industry of consultants and service providers.

The sticking point of this requirement is determining how a company will reasonably verify the requester’s identity. The California Attorney General was to have adopted regulations to help businesses determine when a request is a verified consumer request (sometimes referred to by the quaintly anachronistic acronym “VCR”). Those regulations have not yet been proposed.

In the interim, companies are left with little more than what feels like the type of direction from U.S. Supreme Court Justice Potter Stewart, when he was forced to define a threshold test for obscenity in 1964:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so. But I know it when I see it….”

Like so much of the CCPA, the obligation is appropriate on its face, but difficult to implement. Continue reading

Ever since the California Consumer Privacy Act (the “CCPA”) was adopted in 2018, various constituencies have lobbied for revisions. While multiple proposals were considered in the California legislature, only a few have a chance for passage and enactment. Last month, the California Senate Judiciary Committee passed several amendments to the CCPA, and we now have a better idea as to what amendments are likely to be adopted. The bills head now to the Appropriations Committee and then to the full state Senate. Here are the important highlights:

  • Employee Exemption: With AB25, lawmakers weakened the employee exception, which now sunsets on Jan. 1, 2021. The current exemption means CCPA does not cover collection of personal information from job applicants, employees and certain others, but only for one year. Afterward, employers will be required to tell employees what type of information they are collecting, and why.
  • Loyalty Programs: AB 846 clarifies and modifies CCPA application to loyalty and reward programs. Businesses would still be prohibited from selling consumer information gathered as part of these programs.
  • Phone Access: AB 1564 requires businesses to provide a toll-free phone number for customers to request access to their personal information. On-line only businesses are only required to provide an email address.

Three bills, AB 873, AB 1416 and AB 981 failed. They would have changed the definition of “personal information” and “de-identified information,” weakening the privacy protections.

These and several related bills will head to the full Senate, which must vote by Sept. 13, 2019. Governor Newsom then has a month to consider signing them (along with another 1,000 or so bills), and any bill that is signed will go into effect Jan. 1, 2020.

Bottom Line: The law’s strong consumer protections withstood challenges, though observers anticipate there will continue to be debate and negotiations with unions as to how CCPA affects employees. Companies should continue apace with their plans for implementation.  Companies that haven’t yet begun to comply should start now!

See our recent blogs on the CCPA below.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
 Part 3 – the Privacy Policy

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.  Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, which the hotel chain later corrected to 383 million following a more complete investigation.  Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps 
Part 3 of a Series

 The Privacy Policy

This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.

The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.

In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including: Continue reading

Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.

If that were all it took.

In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information.  Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.

Look at Your Settings—Often

When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings. Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 2 of a Series

What’s Next – the Breach Response Plan

This is the second in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to impact more than 500,000 businesses, many of them smaller and mid-size businesses., Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  In our last article, we highlighted the importance of the Data Map. When you finish your data map, what should you do next?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

After the Data Map – the Incident Response Plan

Most businesses understand that if they suffer a data breach – if specified personal information is accessed by unauthorized users – the business has to consider notifying the individuals whose information has been accessed, and possibly their regulators. Despite the fact that laws requiring notification laws have been in effect for more than 15 years, many companies do not have plans to address a breach. Commencing on January 1, 2020, when the CCPA goes into effect, the inability to respond will become a bigger issue. The reason – the CCPA grants a private right of action to individuals.

Actions under the CCPA

Under the CCPA any natural person who is a resident of California may bring an action if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. The definition of personal information under the CCPA is broader for most purposes of the Act than when determining a breach – it is limited to a person’s name (at least first initial and last name) and either their social security number, driver’s license or state identification number, bank or credit card information, or medical or health insurance information.

There is no requirement that a plaintiff demonstrate damages; instead,` plaintiffs can seek statutory damages between $100 and $750, injunctive or declaratory relief, or “any other relief the court deems proper. In addition, plaintiffs can seek actual damages in excess of the statutory recoveries. And the Act specifically allows the aggregation of claims into a class action. The specific authorization of a private right of action means that any breach is more likely to result in extended, costly, and embarrassing legal action. Continue reading

It is difficult to overstate the current backlash against social media. Social media giants are under attack from virtually all sources, including both governments and individuals. The #humblebrag du jour is a social media addict publically stating the intent to close accounts, take social media sabbaticals, cull friend and follower lists, and boasting about how much better life has become after weaning themselves from the constant attention-drain – even if many do not follow through on the threat.

If you join the movement, you might be helping your company’s information security profile.

Social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold in their own right.  But beyond that, they provide corporate hackers with enough information to guess passwords, whereabouts and interests, and provide enough data to craft sophisticated and effective spear-phishing emails – personalized missives that reflect the character and wording of the individuals they spoof, down to grammar, spelling and tone.

That’s why it’s so important to include a cybersecurity-focused review of your company’s social media policy and practices. If you aren’t going to set strict social media standards for C-level executives and consider conducting regular audits of their social accounts, then you at least need to educate them about the risk. Some of the key risks  – but only the most obvious ones – are below. Continue reading