By David Berman | April 24, 2023
Hospitality companies are often national or international enterprises in terms of the data they process. Take an across-the-pond visit from London to Los Angeles: a British consumer's personal data is processed the moment they search for a Hollywood hotel. In that interaction, the hotel's website must comply not only with whatever state laws apply where the business operates, but also with the laws of the customer's country of residence.
Richard Sheinis, a lawyer with expertise in technology, data privacy and cybersecurity, talked about data privacy issues, such as the above example, that business owners should know about during a 15-minute “fireside chat” at BITAC Operations on April 18.
Sheinis' main focus was on how the United States lags behind the rest of the world when it comes to data privacy laws. While some states have laws in place, such as California with its California Consumer Privacy Act, the country as a whole has no consistent federal standard for businesses to follow. Virginia, Connecticut, Utah and Colorado are the only other states to have passed data privacy laws, he said, while 19 others have active legislation.
The lack of federal regulation on the issue makes navigating it similar to a Rubik’s Cube, Sheinis said.
“You try to line up the same color on each of the sides, and you get it all red on one side, and then you’re trying to get all blue on the other side, but in the process of trying to make it all blue, you screw up the all red,” he said. “It’s a little bit like that. So really, the biggest challenge is you have all these laws coming from different directions, depending upon where you do business, and what do you have to comply with? And how do you comply with all of them at the same time?”
The European Union has an all-encompassing data privacy law, the General Data Protection Regulation, which has become a "gold standard" that other regions of the world have followed with their own laws. The GDPR is built around having a lawful basis for processing, most visibly the individual's consent: a business can do little with personal data unless it can point to such a basis. In the U.S., by contrast, there is no general federal requirement that businesses obtain consent before using consumer data; only sector-specific laws impose one.
Another key difference between the GDPR and U.S. policies is that informing consumers about cookies is mandatory under the former. Businesses must give consumers the option to accept or reject cookies when visiting their website. While not required in the U.S., many businesses still do so, Sheinis said.
Sheinis said the federal government's failure to pass a blanket data privacy law can be chalked up to two main factors. First, if a state wants to be more restrictive than a hypothetical federal law, that could still lead to inconsistencies for businesses that work across state lines, which many, if not all, hospitality companies do. The second hang-up is the private right of action: whether or not an individual consumer would be able to sue over a company's data privacy violation.
For the audience of hospitality and vendor executives, Sheinis gave three key elements of data privacy laws they should know. The first is to know the difference between “selling” and “sharing” user data, ensuring that each company gives proper opt-out options to consumers. Second, certain state laws have increased the level of information needed for privacy policies. Companies must now inform web page visitors of what data they collect, where they collect it, who they share the data with, why they share it, how long it’s retained, and more. Third, Sheinis said companies should ensure they have mechanisms in place to let consumers access the data that’s collected on them.
Sheinis ended his discussion by providing final takeaways for the audience. He emphasized how important it is to understand which data privacy laws businesses need to comply with depending on their level of revenue and which states they receive web traffic from.
"It goes back to learning, what's the data you have, where is it, what applies to you, and then being able to comply with whatever that is, putting it all together in the Rubik's Cube so that you're complying on (all) sides, whether it's GDPR, California, or other states," Sheinis said.