A Wake-Up Call for Hoteliers’ Online Booking Policies

A recent lawsuit against Accor Management, via the Fairmont Hotels & Resorts brand, has raised significant questions about online privacy in the hotel industry. The suit, filed under the California Invasion of Privacy Act (CIPA), alleges that Accor’s booking process enabled Facebook to access personal information without consent from the plaintiff, Natalie Gianne. This case has led to a renewed focus on the use of tracking pixels and their role in privacy concerns.

In a recent podcast interview, Robert Braun, co-chair of Jeffrey Mangels Butler and Mitchell’s cybersecurity and privacy group, provided insights on the lawsuit. According to Braun, Gianne’s visit to the Fairmont hotel website triggered a tracking pixel, transferring certain meta information about her and her computer to Facebook. This allowed the social media giant to use this data for targeted advertising, leading to the lawsuit.

A tracking pixel is a small graphic that collects data on user interactions on a webpage and transfers that data to the party collecting it. In this case, the plaintiff alleges that the tracking pixel on the Fairmont website shared her private information with Facebook without her knowledge or consent.

CIPA, the legislation cited in this case, was originally adopted to address electronic surveillance, typically associated with wiretapping. However, the law’s broad language has allowed attorneys to expand its scope to cover issues such as tracking pixels transmitting information to third parties.

Website designers play a crucial role in this privacy equation, as they can design a site without tracking pixels and cookies if requested by privacy-conscious clients. Despite this, there can often be a disconnect between a company’s legal or privacy team and its website designers and marketing division, leading to privacy concerns.

To protect themselves from similar privacy invasion claims, Braun suggests that hoteliers conduct thorough reviews of their privacy policies, terms of use, and implementation. He emphasized the importance of having a banner notifying visitors of data collection and giving them the ability to accept, reject, or modify it.

Moreover, Braun recommended that companies inventory all cookies, pixel trackers, and other technology used on their websites. By using professional programs and consultants, companies can identify all data-collecting tools on their sites, allowing them to decide what is necessary and what isn’t.

This lawsuit reminds companies to be vigilant about what data they collect and share and to maintain a comprehensive cookie policy that clearly describes their practices. The case also underscores the need for privacy-by-design concepts, ensuring that privacy considerations are embedded in the design of online services and not merely added as an afterthought.