A Privacy Tsunami May Be Coming to Retail Travel
by Paul Ruden /
In April, we wrote about recent developments with the California Consumer Privacy Act (“CCPA”). We indicated that the legislation was subject to numerous amendments and to the issuance of implementing regulations.
The California legislative calendar provides that the Senate will remain in session with committees active until the summer break that starts July 13 (if the budget has been passed), resuming Aug. 12 and wrapping up with final passage of all bills by Sept. 13. The governor must sign or veto passed bills by Oct. 13. The legislature will reconvene on Jan. 6, 2020. The General Assembly schedule is almost identical.
Much time remains, therefore, for the California legislature to lighten or worsen the burdens imposed by the CCPA. But that’s not all. A recent editorial in the New York Times entitled “Where is America’s Privacy Law?” lays out the problem. The U.S. does not have a national privacy policy akin to the General Data Protection Regulation (GDPR) adopted by the European Union. Multiple states are considering their own privacy laws to curb abuses in the handling of consumer personally identifiable information that is collected, and sometimes sold, in the course of many types of commercial transactions, including, of course, retail travel.
One overall solution would be a realistic federal law that sets a single national standard for privacy controls. Ideally, that federal law would preempt all state laws so that, for example, travel advisors would not be forced to comply with multiple and variable state laws governing, in some cases, a single transaction and usually in interstate commerce. Time is running out for this year, however, and Congress is locked in multiple partisan quagmires that may prevent a single workable privacy bill from being adopted. California and other major states are not going to wait for a comprehensive federal solution.
The best present course of action for travel advisors seems to be this: Begin thinking about how you will comply with the central concepts that are likely to be part of any state or federal privacy legislation. It still seems premature to invest in a particular approach until the legal path ahead is clearer. The following questions, at least, should be on that thinking list:
1. What specific types of personally identifiable data (“PI data”) do you collect?
2. Of the PI data you collect, which specific data items do you transfer to other businesses in order to conduct your own business?
3. What notice do you give consumers as to the specific purposes for obtaining and sharing their information?
4. Is any of your information sharing avoidable; that is, it is not essential to completing transactions on behalf of the person providing the information?
5. If a consumer asked you to avoid/stop sharing her information, how would you assure that the request was honored?
6. If a consumer requested deletion of her personal information from your systems, which data elements could you delete entirely and still complete the business for which the data was provided?
7. If you actually sell consumer information to third parties, how important is that to your business?
8. Are you interested in paying consumers for the right to sell their information and, if so, how would you give notice and process these transactions?
9. What industry-standard practices do you use to encrypt or otherwise protect personal information of consumers; if none, how will you go about installing such protections into your office workflows?
Having the answers to those questions will go a long way toward preparing your business to comply with the coming wave of consumer data protection rules, whatever their ultimate source and whenever they become law.