An online privacy lawsuit filed against Accor Management through the Fairmont Hotels & Resorts brand should have hoteliers reviewing their online booking policies, according to a privacy attorney.
Robert Braun is co-chair of Jeffrey Mangels Butler and Mitchell's cybersecurity and privacy group and a senior member of the law firm’s global hospitality group. In a podcast interview, Braun said the lawsuit filed under the California Invasion of Privacy Act alleges Accor’s booking process allowed Facebook, acting as a third-party, to access potentially personal information without the plaintiff's consent. The plaintiff, Natalie Gianne, then allegedly received targeted advertisements from Facebook. She has filed her suit with the U.S. District Court for the Central District of California.
When the plaintiff clicked on the Fairmont hotel website, it triggered a tracking pixel to transfer certain meta information about her and her computer to Facebook, Braun said, citing the lawsuit. A tracking pixel is a small graphic on a web page that collects data on how a user interacts with the page and then transfers that data to the party collecting it.
“Facebook then was able to use its capabilities, which are phenomenal, to turn that information into a lot of personal information about Ms. Gianne, and so this is automatic sharing, and that's the key issue here, that she didn't know,” Braun said. “She didn't give permission. She couldn't see that information was being shared, but it was shared with them.”
The law cited in this suit, CIPA, was adopted in the state of California to address electronic surveillance, normally associated with wiretapping, Braun said. However, the language in the legislation is broad enough that attorneys have been able to expand it to cover a tracking pixel being triggered and transmitting certain information to a third party, which in this case is Facebook.
There are a lot of points in which tracking pixels can be added to a website, but the first is the website design itself, Braun said. Web designers can design a site without these pixels and tracking cookies, either because that is how they typically create them or because a privacy-minded client requested such a design. From there, they will add the tracking cookies needed for the site to function properly. Some cookies are necessary for functioning while others are for advertising and sharing purposes.
“There are, however, website designers who simply put in a lot of these, a lot of these pixels, under the assumption that that's what you'd want,” he said.
There is often a disconnect between a company's legal/privacy team, its website designers and the marketing division.
“The privacy people should understand what's going [on], but they don't always know that,” he said. “It is very complicated. There's always a lot of pressure to get these things done quickly and to make them look good, and that gets in the way of the privacy-by-design concept, but privacy by design is probably the best way to do it in terms of knowledge and awareness.”
Hoteliers have some options available to them to limit their exposure to similar invasion of privacy claims, Braun said. On the preparation side, hoteliers should take a broad look at their privacy policy, their terms of use and how they implement them.
“In my opinion, it’s not enough just to have a banner when someone visits a site that says we collect certain information, see our privacy policy,” he said. “What you really need to do is have the ability of someone to accept, reject or modify.”
Companies should also take inventory of all the cookies, pixel trackers and other technology on their websites, he said. There are good programs and consultants who can go through in-depth and find everything. Companies should then review them and decide what they really need and what they aren’t using.
“Because part of all this is not to collect information you don’t need, not to share information unless you know about it, and to provide a cookie policy that describes it,” he said.
For more from the interview with JMBM’s Robert Braun, including discussion of CIPA and other privacy and data protection acts, website privacy practices and reducing liability exposure, listen to the podcast embedded above.