What Hotels Need to Know About the California Consumer Privacy Act

Written By: Jeff Venza

Hotel management companies are asking: “How does this new privacy act in California compare to the new EU Privacy Law?” A side-by-side comparison reveals a few things that hotels should know:

The delta between the EU Privacy Law (GDPR) and the California Consumer Privacy Act (CCPA) is:

  1. Legitimate Interest. This is something that many companies are considering using to avoid documenting consent for GDPR. Companies do not have this luxury with CCPA (the California law).
    Summary – If it is a competition for most robust, one point goes to CCPA for being more protective.
  2. Personal Data / PII. In terms of defining Personal Data / PII, it appears that CCPA has a list quite similar to GDPR.
    Summary – Tie
  3. Fees (Part 1). GDPR levies fines for damages for lack of compliance. It appears CCPA will levy fines in the event of a breach only.
    Summary – One point to GDPR
  4. Fees (Part 2). GDPR effectively applies to any controllers and processors (the threshold is very low), whereas CCPA applies only to businesses that have high revenues ($25M) OR large numbers of processing (50K) OR have much (50 percent) of their revenue from personal information sales.
    Summary – One point to GDPR
  5. Fees (Part 3). Fines under GDPR are based on global revenues (4 percent) whereas CCPA levies fines based on each violation ($7,500). So, in the case of a large breach (like Equifax – 12 million records), the fines can quickly approach billions of dollars.
    Summary – One point to CCPA
  6. Consent. This is a huge deal for GDPR. CCPA allows businesses to expect consumers to opt out. This is a big difference from GDPR’s requirement for businesses to demonstrate that people have opted in, of their own free will.
    Summary – One point to GDPR

At-a-Glance Summary Score (for most comprehensive, most protective):
Two points to CCPA, three points to GDPR, one tie

What both have in common:

  • People have the right to know (data subject requests)
  • Breach notifications are important
  • Managing third parties is important
  • Data privacy legislation is here to stay

Regardless of the nuances between both privacy laws, data privacy legislation is here to stay. Hotels will continue to be targeted by hackers because of all the personal information they collect every day. Knowing and understanding privacy legislation is key to operating hotels in today’s market.

This article was originally published by VENZA on LinkedIn. Jeff Venza is president and CEO of VENZA, Inc. Jeff is also a member of the HFTP GDPR/HDPP advisory council and a frequent speaker at HFTP events.


To learn more about GDPR, CCPA and other important updates regarding data privacy, visit the HFTP website or HFTP GDPR Bytes today.
