We’re nearly two months into enforcement of the General Data Protection Regulation (GDPR), and brands across industries and verticals are getting a clearer understanding of what the new law means for them.
Clearly, companies that are based in Europe must comply with the GDPR. However, it may be surprising to some that U.S. companies whose websites “offer goods or services” to individuals in the EU are also required to adhere to the GDPR.
Specifically, U.S. travel and hospitality companies and their websites may be affected by the GDPR’s extra-territorial scope, which requires non-EU companies to meet the GDPR’s data protection obligations when processing the personal data of individuals located in the EU. This extra-territorial scope is particularly striking for travel and hospitality brands that offer products and services to individuals in the EU even though they have no office or salesperson based there.
GDPR Application for Travel and Hospitality Brands
Below are a few instances in which travel and hospitality brands are required to comply with the GDPR:
- A U.S. hotel chain that advertises or sends messages to Europeans.
- An online travel website for U.S. hotels that enables individuals in Europe to book a hotel room in the EU or the U.S. In this instance, compliance is required because the site is collecting personal data from individuals in the EU even though it has no EU presence.
- A hotel website or app that “monitors” the behavior of users who are located within the EU (or has a third-party vendor on its website perform this function). For example, if a site uses a website analytics provider to collect personal data on individuals based in the EU, then the GDPR applies to that data collection and use. Another example is a website that serves retargeting ads for a hotel to an individual based in the EU who viewed the hotel on its U.S. site.
It is also important to remember that the scope of personal data has been expanded under the GDPR: even if a company or its vendor does not know the identity of an individual, the data is still considered personal data if that individual can be singled out (for example, via cookie IDs or device IDs).
Gaining Consumer Consent
If a website operator determines that it is affected by European data protection laws, it must also comply with the obligations and requirements under the GDPR. This includes having a “lawful basis” for collecting and using personal data. One lawful basis is consent. Consent is particularly important for companies dropping cookies on website visitors, because the ePrivacy Directive (ePD), which governs the use of cookies, runs parallel to the GDPR. Website operators are responsible for obtaining unambiguous consent before dropping cookies on a visitor’s browser to serve relevant or personalized advertisements. In other words, even if a website operator does not rely on consent as its legal basis for processing personal data under the GDPR, it (and its vendors) still needs to obtain unambiguous consent to read and write cookies because of the ePD.
We are supporting our clients and publishing partners by offering a free consent tool to gather GDPR- and ePD-compliant consent. The tool has been built in line with the Interactive Advertising Bureau’s Consent Framework. It also enables website owners to provide transparency about the personal data collected on their sites and how it is used.
In his announcement of the tool earlier this year, Kevin Hartleben, director of platform solutions in Europe, notes:
“Consumer-friendly data-privacy is a long-held principle – our services have been built from the ground-up with ‘privacy by design’ as a fundamental approach – and we wholeheartedly support giving consumers greater transparency and choice around what happens with their data. This new consent tool is a real testament to this, as well as our commitment to continued innovation and the industry as a whole.”