Hospitality & Leisure Trend Watch
September 24, 2024

Navigating Privacy and Data Security Challenges in the Hospitality Industry: Key Considerations for Hotel Management Agreements

Introduction

Over the past decade, the hospitality industry has rapidly adopted data-intensive technologies to meet the rising expectations of guests, personalize each guest’s experience, and cultivate and enhance customer loyalty. Access to more data yields new business opportunities and new liabilities, both of which hotel owners and operators can allocate between themselves in hotel management agreements (HMAs).

Smart technologies and tech-enabled amenities have revolutionized the way businesses collect and use personal information to offer personalized experiences and gain invaluable insights into customer behavior. Smart thermostats automatically adjust guest room temperature based on occupancy. Virtual assistants and chatbots provide concierge services to hotel guests. Smart lighting systems allow guests to customize ambiance and smart TVs offer personalized entertainment options. Keyless entry systems enhance security and convenience, and smart minibars automatically charge guests by using weight sensors or infrared scanners to detect when items are removed or replaced.

The broad scope of guest data that hotels now collect with these technologies adds to the complexity of the privacy and data security challenges hotel owners and operators already confront. Multiple layers of federal and state privacy and data security laws have created an intricate web of compliance obligations for hotel owners and operators. High-profile data breaches and regulatory enforcement actions risk severely damaging a brand’s reputation, further underscoring the importance of protecting guest data in the face of constantly evolving privacy and data security laws.

In this article, we explore the type of privacy and data security laws that may apply to hotel owners and operators, and key considerations relating to privacy and data security for hotel owners and operators when negotiating HMAs.

Applicability of Privacy and Data Security Laws

Comprehensive consumer privacy laws have now been enacted in 17 US states, and additional states are in the process of passing similar legislation. Even if the state in which a hotel is located has not yet adopted a consumer privacy law, a hotel may be subject to the privacy laws of other states because it collects personal information from residents of states that have enacted such laws. While a hotel is a brick-and-mortar operation based in a specific location, hotels routinely receive bookings from patrons who reside outside the state in which the hotel building is located. As a result, hotels are often simultaneously subject to the privacy and data security laws of multiple jurisdictions. Note that most of these statutes also contain applicability thresholds (typically based on annual revenue or the number of consumers whose personal information is processed), so applicability must be assessed statute by statute rather than assumed.

Hotel owners and operators in the United States could also be subject to non-US privacy laws, such as the EU General Data Protection Regulation (GDPR) and the UK GDPR, as a result of targeting their services at, or monitoring the behavior of, hotel guests located in the European Union or the United Kingdom.

To properly assess and negotiate potential liability under privacy and data security laws with respect to a hotel, hotel owners and operators should first examine the applicability of such laws to their operations and consider whether additional compliance obligations are triggered.

Allocating Responsibilities and Rights Regarding Guest Data During the HMA Term

Once the parties determine which privacy laws apply, hotel owners and operators should contractually allocate compliance obligations and each party’s general liability under such laws. State consumer privacy laws primarily apply to “controllers” of personal information (or “businesses” under the California Consumer Privacy Act (CCPA)), generally defined as entities that collect consumers’ personal information and determine the purposes and means of the processing of such information. Controllers are charged with a set of compliance obligations, including:

  • Providing consumers with detailed privacy notices (under the CCPA, this includes a “notice at collection”)
  • Allowing consumers to exercise their privacy rights, such as the right to access, delete, and correct their data; to opt out of the “sale” of their personal information (generally defined as disclosing or making available for monetary or other valuable consideration); and to opt out of the use of their data for the purpose of targeted advertising
  • In several states, obtaining opt-in consent for the collection of sensitive personal information (such as regarding health, sexual orientation, race, or ethnicity)
  • Implementing reasonable administrative, technical, and physical security measures to protect any personal information collected
  • Executing appropriate agreements with service providers (or “processors”) who may process personal information on the controller’s behalf

Processors or service providers are subject to more limited statutory obligations. Primarily, they must ensure the security of the personal information being processed, adhere to the controller’s documented instructions, and assist the controller in meeting its own obligations (for example, in responding to consumer requests and security incidents).

In practice, in the relationship between hotel owners and operators, it is often difficult to determine which party is the controller and which is the processor under privacy law. Both sides generally seek control of, or at least access to, guest data. Hotel owners are often viewed as “controllers” because they own the hotel and engage operators to collect and process guest data for hotel management purposes on their behalf; the owner of a business, after all, is typically the controller in its relationships with vendors who operate on its behalf. However, in many instances, hotel owners hand over essentially all management responsibilities to operators, including not just managing the hotel but also accepting bookings, integrating new platforms and technologies, and maintaining and processing guest data. Where the operator decides why and how guest data is processed, the operator may be considered the controller (or a joint controller with the owner).

The classification of these roles is fact-specific. Hotel owners and operators should carefully consider their actual roles to determine their designations under applicable privacy laws and draft appropriate provisions to allocate privacy risks in an HMA. Some helpful considerations are which brand — and privacy policy — is presented to hotel guests; which online platform is used to manage reservations; which loyalty program guests participate in; and whether operators are permitted to retain guest data after termination of the HMA.

Because hotel owners are often required to comply with privacy laws regardless of the scope of delegation to an operator, they typically seek to obligate hotel operators to process guest data in compliance with applicable laws as well as establish and implement robust cybersecurity protocols and policies to safeguard such data. Hotel owners also typically seek to retain the right to access guest data and use it in a commercially reasonable manner.

At the same time, a hotel operator may resist providing the owner access to guest data or the ability to process guest data during the term of the HMA, maintaining that the owner has no need to access such information while the operator is managing the hotel and that sharing such guest data further exposes the hotel operations in general to increased risk under privacy laws. Indeed, the operator could claim that sharing guest data with the hotel owner may render it a data “sale” under state privacy laws, which could result in the need to comply with further requirements under privacy laws, as further described below.

Hotel operators seeking to limit their exposure to potential violations of privacy and data security laws should also ensure that appropriate agreements are in place with every third-party service provider that has access to guest data, such as booking platforms, cloud providers, analytics and marketing services, and providers of smart technologies. Such agreements should impose on the third-party service provider an obligation to comply with the same data protection standards required under the HMA and applicable laws (including security and breach-notification obligations), should restrict the provider’s use of guest data to the services it performs, and, if relevant, should include indemnification in favor of the operator for breaches by the service provider. Operators should also maintain a current inventory of which providers hold which categories of guest data, since that inventory is what makes these flow-down obligations enforceable in practice.

Data Sharing Upon HMA Termination

Even when an operator succeeds in limiting a hotel owner’s access to guest data during the term of an HMA, upon termination of the HMA, hotel owners often require a right to access any guest data the operator collected. Addressing the rights to guest data upon termination of an HMA is important for both hotel owners and operators.

  • Hotel owners will seek to regain full control of guest data after the HMA terminates, which is vital for maintaining continuity of guest relationships, marketing efforts, and future business operations. Such rights also protect the owner from potential misuse of guest data by the outgoing operator.
  • Operators may agree to a structured process for transferring guest data back to the hotel owner, reducing the risk of legal disputes and ensuring compliance with data privacy laws. At the same time, operators often view themselves as owning the guest relationship, including participation in brand loyalty programs, and therefore may resist sharing certain data — especially if collected by the operator in connection with other hotels managed by such operator.

Hotel owners should consider the intended use of guest data transferred by operators post-termination of the HMA to determine whether such data sharing is a “sale” under state privacy laws. If data sharing is considered a sale, it triggers additional compliance requirements, including the obligation to allow guests to opt out of the sale. The majority of state laws define a sale as the disclosure or transfer of personal information to a third party for “monetary or other valuable consideration.” Given the broad definition, a sale can occur even without a monetary payment if the hotel owner benefits, such as through the ability to advertise to guests to retain guest loyalty.

Contractual Protections: Indemnification and Cyber Liability Insurance

Indemnity provisions in HMAs typically provide that hotel owners indemnify operators for any claims, damages, and liabilities relating to the hotel, the HMA, or the operator’s performance of its obligations thereunder, other than claims, damages, and liabilities resulting from bad acts of the operator (e.g., gross negligence, willful misconduct, or fraud). Absent a specific carve-out, this default allocation can leave the owner bearing the cost of a data breach or privacy violation that occurred entirely within the operator’s systems.

Hotel owners seeking to protect themselves from privacy law violations and data breaches may consider incorporating clear covenants that require the operator to take certain measures to comply with privacy laws, protect guest data, and respond to any data breaches. Parties should also consider whether it is appropriate for the operator to provide indemnity for any liabilities resulting from either an operator’s breach of the agreement or, more specifically, an operator’s breach of privacy laws applicable to the hotel. Given the complexity and scope of privacy laws applicable to a hotel, hotel owners and operators should be careful to tailor covenants and indemnities to clearly define risk allocation among the parties.

Parties to an HMA should also consider requiring adequate cyber liability insurance covering the broad range of costs associated with data breaches beyond direct financial losses, including legal fees, forensic investigation and notification costs, regulatory fines (to the extent insurable in the relevant jurisdiction), potential guest compensation, and the cost of public relations efforts to manage the hotel’s reputation following a breach. The HMA should specify which party maintains the policy, the minimum limits, and whether the other party is to be named as an additional insured.

Conclusion

As the legislative and regulatory landscape in data privacy and security continues to evolve, we encourage hotel owners and operators to engage with counsel to identify the scope of compliance measures imposed by privacy and data security laws and thoughtfully negotiate data privacy and security provisions in HMAs to clearly define the related roles and responsibilities of each respective party.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.