• The American Privacy Rights Act - What Does it Mean for Hotel Companies?   

The American Privacy Rights Act – What Does it Mean for Hotel Companies?

by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

On April 7, 2024, the United States House Committee on Energy and Commerce released the American Privacy Rights Act (APRA). While every Congress for more than a decade has introduced multiple proposals to address privacy rights on a national scale, none have gained traction, and while there’s every reason to suspect that the APRA will meet the same fate – headwinds are coming from the states that have already adopted comprehensive privacy statutes, and it is notoriously difficult to adopt legislation in an election year, and especially now), the APRA is being taken seriously, and might be the basis for a long-awaited, and long-needed, national privacy law.

What Makes the APRA Important?

The most important feature of the APRA is that it would replace the patchwork of individual state privacy statutes — adopted by sixteen (at last count) states, with more on the way. The laws share many common elements, but are not uniform; in a world where state borders mean less and less for consumer transactions, complying with each law is challenging. While there would remain room for states to adopt some unique laws, the APRA could significantly reduce the cost of compliance.

The APRA would also make the United States more consistent with jurisdictions throughout the world. Beyond state laws, there are many privacy laws, like the General Data Protection Regulation in the European Union (and similar laws in the United Kingdom and Switzerland), Canada, and other key trading partners. Citizens in these jurisdictions expect to have the same kind of data protection they have in their home countries, and adopting a comprehensive federal law would facilitate trade.

What’s in it for the Hospitality Industry?

Hotel companies should be particularly interested in the legislation. While many companies collect personal information from customers, hotel companies want to collect large amounts of personal information - knowing more about guests allows brands and operators to provide better services and increase their value. At the same time, the multitude of state laws, as well as foreign privacy laws, create a compliance challenge for the hospitality industry.

What’s in the APRA?

The current draft of the APRA is 140 pages long, but here are a few key highlights:

  • Data Collection. With some exceptions, companies must have a privacy policy that details their data collection practices and describes how consumers can opt out of data collection. Beyond that, the APRA restricts companies from collecting or transferring specific types of sensitive personal information, such as biometric or genetic information, without the individual’s affirmative express consent.
  • Data Minimization. Companies will be prohibited from collecting data that is not “necessary” or “proportionate” to the purpose for which the data is collected. This provision is seen as a real benefit for individuals who have long questioned why they are asked for information that appears to be unrelated to their requests.
  • Private Right of Action. In a major departure from prior federal proposals (and unlike most state statutes), the APRA borrows language from the California Consumer Privacy Act (CCPA) that gives individuals harmed by a data breach the power to sue corporations, allowing consumers to recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. The APRA also allows California residents to seek statutory damages based on the CCPA.
  • Data Control. Under the APRA, individuals can stop companies and data brokers from transferring or selling their data, and can opt out of targeted advertising.
  • Data Brokers. In what is one of the most highly sensitive areas of data collection and protection, the APRA directs the FTC to maintain a registry of data brokers, and requires data brokers to keep a public website that identifies themselves as a data broker. Data brokers will have to honor “opt-out” requests generated through a centralized opt-out mechanism to be established by the FTC, facilitating requests by consumers who want to limit or prohibit the collection of personal information. Individuals would also have a private right of action against brokers that violate the APRA.

The APRA will create challenges for hotel companies. Whether or not the APRA is ultimately adopted – and there are challenges – the move toward a comprehensive, nationwide privacy law appears much closer today, and the hospitality industry will need to adapt. The JMBM Global Hospitality Group® and Cybersecurity and Privacy Group work with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing privacy landscape.

This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Please contact us if you would like to discuss any issues or development that affect your hotel interests. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?