CCPA, CPRA and the changing privacy landscape

The protection of customer data is a crucial component of every hotelier’s digital strategy. Given the recent passage of new legal provisions in California, online privacy concerns are more important than ever. What are the new measures, and how will they impact the hospitality business? Here’s what you need to know.

2023 is a brand-new year. And now that the confetti has been swept up, the champagne bottles have been recycled and the “Auld Lang Syne”s have been sung, it’s time to take a look at what’s on the horizon for the hospitality industry.

Many hoteliers are already aware of several important legal changes that have taken place on the digital privacy side of resource management. Specifically, two recent California-based ballot measures have instituted comprehensive protections for how hotels and other businesses gather and use guest data in the state.

The first (which was passed in 2018) is the California Consumer Privacy Act, or CCPA. The second — passed just a year later — is the California Privacy Rights Act, or CPRA.

The CCPA and CPRA together represent groundbreaking legislative work. Not only have these measures been recognized as the first end-to-end consumer privacy legislation in U.S. history, they’re also being looked at as models for other states seeking to pass similar measures.

Additionally, while each is an important provision, they differ slightly in some very important ways, and business owners need to understand those differences when implementing their digital privacy policies.

What are the CCPA and CPRA?

First, the basics:

The California Consumer Privacy Act was signed into law in June of 2018, and went into effect on January 1st, 2020. At its core, the CCPA establishes a range of consumer protection rights, as well as mandating specific obligations on the part of businesses who collect customer data.

The California Privacy Rights Act (sometimes referred to as Proposition 24, or CCPA 2.0) is an amendment and expansion of the previous measure. It seeks to add additional protections that have emerged as being necessary since the passage of the previous measure. It was approved by a ballot measure in November of 2020, and took effect on January 1st, 2023.

Even though these measures are ostensibly similar on the surface, there are some significant differences between them.

How do the CCPA and CPRA differ?

To be clear — the CPRA does not expressly replace the CCPA. Rather, it is an expansion and amendment intended to address some oversights that became evident as the previous measure was rolled out. These provisions are intended to work in concert, not to “cancel each other out”, or for one to supersede the other.

That said, there are some key differences between them. Most importantly:

  1. Updated criteria for qualification: The CCPA covers for-profit businesses above a specific revenue level that derive a certain portion of their earnings from the trade or sale of customer data. Under the previous measure, any entity that has made available for sale the personal data of 50,000 or more California customers must follow certain criteria. The CPRA expands that number to 100,000, and also adds a provision for sharing the data as opposed to selling it outright.
  2. A new category of protected data: The CPRA establishes a new type of protected consumer information, referred to as Sensitive Personal Information (or SPI). The list of what qualifies as SPI has been revised and updated, as have the criteria for the appropriate security measures businesses are obligated to implement in order to safeguard and process it. These measures include (but are not limited to) provisions like updated disclosures, opt-out requirements and how businesses are allowed to use gathered data.
  3. Expanded customer privacy rights: Customers are afforded more control and additional protections under the expanded CPRA. Most notable are the right to opt out of their data being made available for sale, the ability to query businesses that have collected their data as to what information has been gathered, and the power to request that any data collected on them be deleted.
  4. Additional available actions: Under CPRA provisions, customers are also afforded the right to correct gathered information, limit how businesses use it, access information about the processes by which businesses gather and use their data, and opt out of any processes in which they do not agree to participate.
  5. New usage limitations: Further, the CPRA places additional limitations on how businesses gather customer data, what it’s used for, and how long they’re allowed to retain it. These limitations must henceforth be observed in data-collection practices, as well as openly disclosed in privacy policy documentation.
  6. Expansion of data breach protections: As we’ve seen in recent years, a data breach can have serious fallout for both customers and businesses. If bad actors are able to access and retrieve customers’ private information, the results can be catastrophic for everyone involved. In response, the CPRA affords customers the right to pursue legal action against any business that fails to properly safeguard customer data if exposure occurs.

(Note: This information is intended as an overview, not a comprehensive legal resource. For more information, please visit the information centers for both the CCPA and CPRA.)  

Why it matters

Among the amendments established by the CPRA is the creation of a new enforcement authority charged with the oversight and administration of the updated measures now in effect. The California Privacy Protection Agency (CPPA) has been established to investigate potential violations of both the CCPA and CPRA, and to take any action necessary to enforce these measures. The CPPA’s role as an intermediary will consist of handling customer complaints, looking into potential violations, and acting if violations are found. Although both the agency and the measures it seeks to enforce have only recently been created, the laws in question are in effect at the time of this publication.

What this means for your hotel

All qualifying hotels that operate within the State of California are obligated to abide by the measures outlined in both the CCPA and the CPRA as of January 1st, 2023. Failure to comply with these legislative regulations could result in civil penalties levied by the state, private legal actions, or both. It’s therefore of crucial importance to keep privacy practices and disclosures up-to-date and compliant.

Choose a proven partner for protection

Cendyn is a catalyst for digital transformation in the hospitality industry and as such ensures that all hotel customers satisfactorily comply with all evolving digital legislation. In the course of handling the data operations of our California-based customers, Cendyn has already undertaken the necessary steps to implement CCPA/CPRA-compliant data-administration practices and disclosures across the Golden State.

(Reminder: This information is intended as an overview, not a comprehensive legal resource. For more information, please visit the information centers for both the CCPA and CPRA.) 

