How to Prepare Your Hotel Website for Data Privacy Laws

By: O'Rourke Hospitality Team

Internet privacy has become a policy point at the highest levels in recent years, and the potential ramifications of continual legislation and change affect hospitality marketers at a variety of levels, from advertising to hotel website design. 

As a marketer, you probably know all about the privacy changes companies like Apple and Google are undertaking that have affected ad targeting on platforms like Facebook. Those are changes that will continue to alter the landscape of marketing in the months and years ahead and will require strategic adjustments. But hospitality marketers should also be prepared for an influx of data privacy laws that create standards and regulations for how websites across industries handle user data. 

With two major laws already in place in the United States and Europe and more in the pipeline, here’s what hoteliers should know and how to ensure their website is up to par.

 

What are data privacy laws?

Data protection laws were jumpstarted in 2018 with Europe’s General Data Protection Regulation (GDPR), which it called the ‘toughest privacy and security law in the world.’ While there are a number of points companies must abide by, the highlights include: 

  • Companies must get explicit consent from users whose personal data they collect and store (think checkboxes on a form).

  • Data breaches must be reported within 72 hours of discovery to a country's data protection regulator.

  • Processing personal data must be done in a transparent manner to the individual or company whose data is being collected.

  • Any processing of personal data must be done in such a way that the end result serves a specific purpose.

 

And while it’s a European law, it also applies to companies outside of Europe, including those in the United States, when they’re offering goods or services to people in the EU or monitoring their behavior. That means that hotels that book overseas travelers must comply with GDPR. 

But while the European Union was first on the scene in the data privacy overhaul, individual states have since followed and others have legislation in the works. 

California has the most notable data protection regulations in the United States. The privacy act of the largest state (with nearly 40 million people), known as the California Consumer Privacy Act (CCPA), went into effect in January 2020 and put many of the same guidelines in place for companies doing business with California citizens. 

Despite the rollouts being slow, marketers should be thinking ahead when it comes to their hotel’s website design and compliance. In March 2021, Virginia became the second state to pass a data protection law, and Washington, New York, Connecticut, Oklahoma, Minnesota, Mississippi, New Jersey, and Utah are all considering their own laws and regulations by the end of 2021. A federal law that would cover the United States has been discussed, though it could be years out.

 

How should hotels prepare their websites?

So, you know about these data protection regulations but don’t know where to begin. 

One of the easiest ways to think about data privacy regulations is to think about the ways your hotel collects, stores, and uses traveler data. Examples of "Personal Data" outlined in most privacy laws that need protection include: name, phone number, email address, IP address, physical location, social media posts, and medical information — basically any information that can be used to identify a specific individual.

Branded hotels will likely have help from the corporate marketing team to stay on top of compliance with their Brand.com website. But branded hotels that have vanity websites, and independent hotels that don’t have additional corporate resources, should be thinking about data privacy regulations and how their hotel website complies. 

Start by thinking about the data your hotel requests from guests (via bookings, forms, etc.) and then audit how your hotel collects that data, stores it, and who has access. From there, hoteliers can follow these steps to ensure they’re taking proper measures.

Update your hotel’s privacy policy

It’s likely your hotel has a Privacy Policy page on its website, which should be linked in the footer for easy access. If your hotel doesn’t have a Privacy Policy, that’s the place to begin immediately. Assuming it does, now is a good time to review the messaging and ensure it complies with new and updated regulations. Make sure your hotel’s Privacy Policy references the regulations outlined in GDPR and CCPA, primarily noting what data your hotel website collects, how it uses the data, and how long it’s stored in a database. 

 

Confirm or implement cookie consent on your hotel website

A tracking cookie is a small text file that websites place on a user’s device to track online activity. While they are often used to help analyze web traffic or store a user’s preferences for the website to save them from re-entering information, they can also be used to glean information about a consumer’s usage or as a targeting method in advertising. Thus, most data protection laws require websites to allow users to opt out of cookie tracking. 

Your hotel website shouldn’t send any cookie file without validating the user's prior consent. To do this, make sure any possible cookies are listed in your website's Privacy Policy and that you implement an accepted method for obtaining user consent (typically a pop-up along the bottom of the website).
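One way to enforce this on the server, shown as an added example that is not from the original article or any vendor's code: every cookie the site may set is listed in an inventory (the same list the Privacy Policy publishes), and outgoing Set-Cookie headers are dropped unless the visitor has consented to that cookie's category. The cookie names, the categories, and the `cookie_consent` cookie format are assumptions made for illustration.

```javascript
// Added example. Cookie names, categories and the consent-cookie format are
// assumptions for illustration; substitute your site's own cookie inventory.
const COOKIE_INVENTORY = {
  session_id: 'necessary',      // keeps the booking engine session alive
  cookie_consent: 'necessary',  // stores the visitor's choice itself
  lang_pref: 'preferences',
  _analytics_id: 'analytics',
  _ad_retarget: 'marketing',
};
const OPTIONAL_CATEGORIES = ['preferences', 'analytics', 'marketing'];

// Read the visitor's choice from the request's Cookie header.
// Assumed format: cookie_consent=analytics.preferences (dot-separated list).
function parseConsent(cookieHeader) {
  const granted = new Set(['necessary']); // strictly necessary cookies need no opt-in
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== 'cookie_consent') continue;
    for (const cat of part.slice(eq + 1).trim().split('.')) {
      if (OPTIONAL_CATEGORIES.includes(cat)) granted.add(cat); // ignore unknown values
    }
  }
  return granted;
}

// Split outgoing Set-Cookie values into allowed and blocked.
// A cookie missing from the inventory is blocked by default: if it is not
// listed, the Privacy Policy does not disclose it either.
function filterSetCookies(setCookieValues, cookieHeader) {
  const granted = parseConsent(cookieHeader);
  const allowed = [], blocked = [];
  for (const value of setCookieValues) {
    const name = value.split('=')[0].trim();
    const known = Object.prototype.hasOwnProperty.call(COOKIE_INVENTORY, name);
    const category = known ? COOKIE_INVENTORY[name] : null;
    if (category && granted.has(category)) allowed.push(value);
    else if (category) blocked.push({ name, reason: `no consent for ${category}` });
    else blocked.push({ name, reason: 'not in inventory' });
  }
  return { allowed, blocked };
}

// Constructed sample: Set-Cookie values a page render might try to send.
const SAMPLE_OUTGOING = [
  'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_analytics_id=v1.42; Path=/; Max-Age=31536000',
  '_ad_retarget=xyz; Path=/; Max-Age=7776000',
  'promo_widget=1; Path=/',
];
```

Cookies written by scripts in the browser, such as analytics or advertising tags, never pass through this filter, so those scripts need the same consent check before they are loaded.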

 

Allow users to opt out or erase their data

One of the most important changes included in data protection regulations is one that says users must be allowed to opt out or erase their data from your website. Since hotel websites include forms and booking engines that collect users' information, hoteliers must implement a way to let travelers delete their information. This usually consists of an "opt-out" or "delete" button and should be accessible from all pages of your website where forms are present.

 

Data protection regulations are constantly evolving, and ensuring compliance can be tricky. The bottom line when it comes to user information and privacy is that it’s better to be proactive than reactive. Having a data privacy plan for your hotel’s website is crucial, and implementing it before widespread changes can save a headache down the road. 

If you aren’t sure if your hotel website is in order, a hospitality marketing agency or marketing strategist can help provide guidance.
