How Can Hotels Comply With the California Privacy Rights Act (CPRA)?


On January 1st, 2023, the California Privacy Rights Act will come into effect. So, it’s time to talk about what this means for your hotel business. 

If you’re thinking ‘Another privacy rights act?’ or ‘This doesn’t apply to me’, keep reading. 

You’ll learn what it’s all about, who it actually affects, and how you can make sure you’re ready for the big day.

What is the CPRA?

You’ve probably heard about the California Consumer Privacy Act (CCPA) passed in 2018. It laid the foundation for data privacy law in the state of California and came into effect on January 1, 2020. 

With so much of our data being moved around, there’s a need for more regulation and information. 

What’s being done with our data, and what can we do about this? That’s what the CCPA tries to give: more control, more privacy and more information. It intends to provide California residents with the right to:

  • Access their personal data
  • Know what personal data is being collected
  • Know if that data is being sold or disclosed to anyone, and to whom.
  • Control whether or not their data can be sold
  • Request a business to delete any personal information about them
  • Not be discriminated against for exercising their (data) privacy rights

This meant a lot of businesses needed to make significant changes in how they handle data and the surrounding communication—and it’s all about consumers. 

So, why the need for the CPRA?

The California Privacy Rights Act amends the CCPA. It isn’t a new law, but rather a rewrite of the CCPA. Together, they form one data privacy regime in the state of California.

The rewrite included changes that strengthen the rights of California residents, while businesses have to prepare for tighter regulations. Some of the changes include:

  • The definition of Personal Information is clarified
  • More certainty about advertising that uses personal information to profile and target California residents
  • A new government agency for statewide data privacy enforcement called the California Privacy Protection Agency (CPPA) and reporting requirements to them
  • More limitations on the use of “Sensitive Personal Information”
  • Requirements for data minimization 

There are many more changes in the CPRA, all intended to close the gaps that the CCPA had or erase any ambiguity. 

Does Your Hotel Have to Be CPRA Compliant?

It’s quite easy to check if your hotel business needs to worry about the new CPRA. There are three main rules. Your hotel has to be CPRA compliant if at least one of these things applies to you:

  • You buy, sell or share the personal information of 100,000+ consumers or households. (Under the CCPA, you have to comply if you collect data from 50,000 households or more.)
  • You make more than $25 million in annual revenue
  • At least 50% of your annual revenue comes from selling or sharing consumer PI

Does that sound like it applies to you, but are you nowhere near CPRA ready yet? 

No need to panic, you have time to get it right and prepare your hotel for CPRA. While it takes effect on January 1, 2023, it only becomes fully enforceable on July 1, 2023.

How does the CPRA affect hotel businesses?

Hospitality is all about trust. Your guests will sleep even better if they know their data is in good hands, knowing they have a say in it as well. Communication and transparency are all part of the five-star experience.

As a hotel, you collect more personal information than you might think. Whether you’re part of a franchise, a family-owned business or part of a chain, you will need to get a clear picture of what data you’re handling, from where it’s coming in, and where it is going. 

This will also give you insight into the data that you might be sharing with partners and suppliers. You’re going to need to do risk assessments. Who has access to what data? What systems are you using? What about cybersecurity? Once you’ve got your report ready, you’ll need to hand it over to the new California Privacy Protection Agency.

But there’s much more that needs to be done. While it is good to get an expert or lawyer on board to ensure your systems are airtight, it’s also good to know roughly what needs to be done—so you can decide whom to work with, train your team, and understand why you need an expert. 

Take CCPA and CPRA seriously to keep your guest data safe. Don’t approach it as a DIY project on the side. Because failing to comply is not just a breach of trust, it can also create huge dents in your hotel’s budget. 

Fines are up to $2,500 per violation or even $7,500 per intentional violation. Moreover, the CPRA increases the potential fine for violations involving consumers under 16. It’s safe to say that investing in good legal help is worth the money.

Let’s look at some things on the to-do list to prepare your hotel for CPRA!

How hotel businesses can become CPRA-proof

Chances are, you won’t be starting completely from scratch if you’ve been keeping up with the existing CCPA. Here’s a checklist to start with and prepare your hotel for CPRA.

1. Update your compliance documents

You’ll want to stay up to speed on any changes or new regulations. As data is being collected more and more, you can expect regulations to be updated now and then. In those moments, update your compliance documents. That’s step one.

2. Upgrade your systems

The systems you use are essential. Take a close look at your booking tools and other hospitality software and make sure they are up-to-date. 

3. Get airtight network security

Your intentions can be great, but sometimes other people aren’t on the same page. In addition to having safe systems, protect your network the right way to prevent people from taking a peek.

4. Make sure your data collection and inventory are compliant

Opt-out, opt-in, request extra info: there’s a lot to look into when it comes to data collection. You will need to determine if the personal information you’re collecting is considered profiling under the CPRA. 

If it is, you will need to change your policies and procedures for the disclosure, use and opt-out of automated decision-making technology. This is all about letting your guests know how their data could be used if they consent to it.

It goes beyond cookies, by the way. If you collect data offline, for instance, in forms, you will also have to consider this.

5. Update and communicate privacy disclosures

Make sure your privacy disclosures are complete, specific and most of all, clear. They help guests understand what is going on in simple language. Also, make sure they are easily found or handed over whenever the CPRA requires that. The same goes for your CCPA notices. If you haven’t communicated those clearly yet, have a read on how a privacy attorney goes on holiday to know what it’s all about.

6. What’s up with your data retention practices?

Do you have data retention policies in place? If you are collecting and retaining data from your guests, you will need to rationalize and document the reasons for this.

7. Train your employees

Data protection is a team effort. The ones who are handling data will need to know the rules. Look into training programs or courses, so they are up to speed on what the CPRA is about.

8. Check the fine print in your third-party agreements

It’s not just about what you do. If you want to prepare your hotel for CPRA, you will have to look into what vendors, contractors and other partners are doing with data you might have to share with them. CPRA compliance goes beyond the walls of your own hotel.

Prepare Your Hotel for CPRA (the sooner, the better)

While there’s still seemingly a lot of time to get the CPRA in place, it’s smart to start early. There’s a lot to tackle, and it is a rather complex topic. 

If your hotel business decides to get that head start, you will be able to spot mistakes you’re making and fix them before you can get fined. Plus, the earlier your employees start working under CPRA compliance, the more confident you will be about your data protection practices when 2023 comes.

