Data powers and optimizes most facets of the travel business. Backend operations and frontend consumer marketing use and depend on data points to make decisions in real time that affect efficiency and profitability. Many of those data points are generated by individuals and travel providers who handle such data have certain legal responsibilities to consumers, in addition to securing and protecting that data through technology. Legislation varies from region to region, but a certain degree of transparency must exist between the company and the customer in regards to what data the provider collects, how they use it and any ‘opt-out’ clauses that may exist. Travel providers that collect and use data should be aware of the regional rules regarding data and privacy in the markets they operate in.
A Sample of Global Data Privacy Legislation
Governments are taking data collection, handling, privacy and security seriously and 71% of countries have some sort of data handling legislation on the books.While specific laws and penalties may vary from country to country, there are commonalities among all legislation in effect. Here is a quick overview of 3 major market data privacy legislations:
European Union:
The General Data Protection Regulation covers the EU bloc and highlights consumer data privacy by outlining parameters for the following:
- Minimizing the amount of data collected to only what is needed
- Companies that collect and use data must offer full accountability on how data is handled and limiting access to that data to the appropriate parties
- Rights of individuals, to access, edit and delete their data from a company’s database
The GDPR also regulates the amount of automatic processing the individual consumer is subject to. The EU limits and controls automatic decision making by companies which could affect the consumer in a certain way.
Canada:
Enacted in 2000 by the federal government, Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA) covers private sector companies that collect personal data for business purposes. Some of the key principals needed to comply with PIPEDA are:
- Companies must have explicit consent to collect an individual’s information
- Companies must clearly indicate the purpose and use for collecting personal information
- Companies must ensure that information is accurate and up to date when making decisions about an individual
- Individuals have the right to access any data the company has about them
- Individuals have the right to expect the company will safeguard and protect their information
Under this act, individuals can challenge the company if not in compliance with PIPEDA’s 10 Fair Information Principles. Fines for each infraction are steep at $100,000 per violation.
California:
The United States does not have a federally mandated data privacy act and leaves those controls to the state. California has some of the strictest consumer laws and that includes its California Privacy Rights Act (CPRA), which came into effect January 1st, 2023. The act affords the usual access and control rights for individuals when it comes to collecting information. Companies also have the same responsibilities to communicate how data is used but the CPRA does apply to larger sized businesses with revenues in excess of $25 million. The California rules also give a designation between intentional violations and unintentional violations and are penalized differently.
Data that Powers the Travel Market
Travel providers handle vast amounts of client data and much of it is personal in nature. Typical data points for the travel business are name and address, phone number, email addresses, social security number or passport / driver’s license numbers among other sensitive pieces of information. Purchasing and clicking behavior are also key data points that can be tracked and utilized in operations. This type of data is valuable from a marketing perspective and can be used by the brand to optimize the way it sells products and services to a certain individual. Because of the value of this data, some nefarious uses for this information are:
- Providing or selling these data points to categories outside the travel channel for the purpose of marketing
- Selling information such as emails to a 3rd party
When used properly and within the region’s legal framework, this data can influence direct marketing to a current or potential client, offering products and services based on past purchasing behavior or offering promotions and service to clients who have ‘opted – in’ to receive such marketing messages. Personal information is also used for administrative contact with the client by emailing or calling them directly.
Keeping Clients Informed
The common denominator among data and privacy legislation is transparency. Businesses that collect data must inform the individual how the data is collected, how it will be used and to some extent, what measures are taken to secure and protect that data. Travel providers set out policies in regards to this and will have them readily available for clients and potential clients to view. These policies may also be displayed in some form during the actual data collection. The end goal for the business is to establish credibility when it comes to data handling and to instill some sort of confidence in the client when handing over personal information. Using references from local legislation, travel providers can create these policies that help users understand more about how their information may be used. Establishing backup plans or strategies for handling any type of data breach or security incident can bring another layer of confidence to the client.
Client Confidence and Staying in the Legal Lane
Data and privacy can be considered one of the top concerns for consumers who use the internet. This especially holds true for travelers as the amount of information collected increases as well as the personal nature of the data. Travel providers must be aware of laws that could potentially govern the way they need to handle data and provide transparency to customers. A clear and easy to understand policy regarding how data is handled, what information is collected, how it is used and security measures taken is essential for travel businesses from a consumer confidence standpoint as well as fulfilling legal obligations.