Source for HOTELS — May 2017
Change Language:
Ask And Tell
Juliana Shallcross


After data breaches at several major hotel companies last year, hotels have been on high alert when it comes to protecting their guests’ personal information. At the same time, legal moves around the world have been aimed at giving customers more control over how their personal information is collected, stored and shared.

Hotels, which often collect details such as credit card numbers and preferences that help personalize a guest’s stay, face the tough challenge of getting the guest to trust them with information while simultaneously following the latest privacy regulations. Yet toeing this line could offer an upside for hotels, says Wilson Raj, global director of consumer intelligence for SAS, a data analytics service.

Raj says hotels may win more favor with guests by being transparent in their data collection while still customizing stays. “The hotel industry now has the opportunity to actually design the offerings or services with transparency and data privacy in mind from the get-go. That is the big opportunity,” he says.


One way hotels can do this, Raj says, is to be very explicit about the data value exchange – what information is being collected and how the hotel will use it to enhance the guest’s experience. He cites recent efforts of an SAS client, Vail Resorts in Vail, Colorado, where the ski resort collected information from guests via a mobile app but also allowed the guests to share that data on social networks. Meanwhile, the resort was tracking guests’ behavior on the properties and then tailoring offers based on that, such as discounts on spa treatments after a day of challenging ski runs or discounts on dinner for the family.

“It’s still using data, but securing it in such a way that it provides value,” Raj says.

Another best practice for hotel marketers when it comes to collecting sensitive information through traditional communications (not a mobile app) is to give clear and concise terms and conditions, Raj says about the kind of information being collected, how it’s being collected and stored, and for how long. Raj also advises hotels to be proactive and send out quarterly updates about the information they have on file for a guest and whether they can continuing using it.

“Many companies are afraid to do that,” he says. “But just the act of being so transparent will increase the level of brand trust.”

As for how willing guests are to turn over their personal information, the younger generation, is not surprisingly, more comfortable with this than older generations – but only slightly. According to a 2016 SAS Customer Intelligence report, 68% of individuals 40 and older are concerned with what businesses do with their personal information compared with 58% of individuals under 40.


One hotel sales and marketing executive for an independent hotel in New York City who didn’t want to be named says his guests don’t seem to mind submitting their personal information if it means a deal or discount might be offered. Other guests are often too busy to be bothered with sending all that information along, he adds.

A sales and marketing executive for a California-based hotel group also says its guests were willing to exchange information for the sake of a more personalized stay. “Guests are open to sharing preferences because they trust Palihouse will deliver a curated, enriching experience,” says Christine Alvarez, vice president of sales and marketing for Paligroup, a hotel developer and operator.

Casey Ueberroth, chief marketing officer of Preferred Hotels & Resorts, says his company has eliminated the hurdles to joining the iPrefer loyalty program. Previously, iPrefer asked guests for detailed personal information, but today all that’s required is an email address. Once guests hand that over, they can earn points and access members- only rates at more than 600 properties. After that, iPrefer will follow up and ask them to create account log-ins where they can enter more information if they like.

“We’re trying to be as polite and thoughtful as possible,” Ueberroth says about respecting guest privacy while still collecting rich data. “Once you’ve nurtured a list of enough quality guests, you really want to keep them happy.”

Neil Flavin, senior vice president at HVS Asset Management, says guests are more reluctant to have their driver’s license or credit card photocopied, a common practice years ago that has been replaced with technology and is done rarely today.

And like anything else with hotel operations, keeping guest data security requires consistentcy in one thing. “Training, training, training is key,” Flavin says. “The more information the hotel and the front desk have regarding the security of data relating to the guest is better.”


EUROPE: The European Union is readying a 2018 enforcement date for the General Data Protection Regulation (GDPR), which applies to companies worldwide that pull in information on EU citizens. It widens the definition of personal information to pretty much anything that can identify an individual, including IP addresses. The GDPR provides customers with the right to be forgotten and mandates that all organizations that gather personal data, not just the data controllers often hired for the collection job, be held responsible for that sensitive information. Companies in violation of the GDPR will be fined 4% of their global turnover.

UNITED STATES: No single law regulates data privacy, rather an ad-hoc approach that constitutes general regulations. According to law firm DLA Piper, the U.S. has about 20 “sector-specific” national privacy or data security laws including the Privacy Act of 1974, while states have hundreds of such laws among them. President Donald Trump’s executive order on public safety has U.S. businesses concerned since it will exclude non-citizens from protection under the Privacy Act as well as jeopardize the Privacy Shield, an agreement between European Commission and U.S. businesses to transfer customer data across the Atlantic.

SWITZERLAND: Switzerland first took steps to protect personal data in 1992 when the government enacted the Federal Act of Data Protection. Since then, other laws provided for restricting the process of personal data. The country is revising its Data Protection Act to be on par with the GDPR, which it plans to implement in 2018 as well.

BRAZIL: Brazil has no statutes that regulate data privacy, although two bills are being considered. The Brazilian Internet Act, signed into law in 2014, restricts the use, collection and sharing of users’ private information.

JAPAN: Japan recently amended its Act on Protection of Personal Information to give consumers more ways to consent to what kind of information is collected about them. Like the GDPR, the scope of what is considered personal information has been extended. However, Japan has allowed anonymized personal data to be transferred to third-party companies without the individuals’ consent, although such a transfer must be publicly announced.