• GDPR
  • LGPD
July 14, 2019

Marriot fined USD 125 million under the EU GDPR data protection regulation

Marriot is fined under the EU General Data Protection Regulation (GDPR) by the UK's ICO. Find out how your business can become GDPR compliant today.

The hotel industry is known to be especially sensitive to the General Data Protection Regulation (EU GDPR) as they daily process a vast amount of personal data. Hotels continue to struggle to become compliant with the EU General Data Protection Regulation (GDPR). The latest is Marriot International who received a record-high fine under the GDPR.

marriot hotel

Marriot is one of the most well-known hotel brands in the world. If Marriot struggles with GDPR, many other hotels are likely to be in noncompliance with the new EU data privacy regulation, the General Data Protection Regulation (GDPR).

Fined by the UK's Information Commissioner’s Office (ICO), Marriot is accountable for the personal data they collect and has violated the GDPR:

"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected" said Information Commissioner Elizabeth Denham.

It is the second time in less than one week that the UK's ICO has decided to impose record fines using its authority under the General Data Protection Regulation (GDPR).  Just days before, it was British Airways that got fined a huge penalty of USD 230 million under the GDPR.

The hotel industry is especially sensitive to the GDPR

With new and existing customers coming and leaving hotels and establishments, the hotel industry is especially sensitive to the GDPR.

Hotels worldwide process vast amounts of personal data being one of the most vulnerable industries. It is no surprise that the industry accounted for the second-largest share of security breaches (Verizon 2016 Data Breach Investigations).

Hotels often rely on analytics and advertisements to drive traffic to their websites. Marriot is no different. However, in order to be compliant, you need to block cookies and trackers before you have received explicit consent. In the following case, and many others, that is NOT the case:

marriot bonvoy

Marriot website entered from an EU website in 2019

GDPR is designed to protect the individual’s rights by limiting how that information is used and what cookies are being placed on a visitor's computer. As a result, it covers any information that allows an EU resident to be personally identified whether included in a membership database or tracked on a website.

Non-compliance can result in hefty fines, operational setbacks and reputational damage. As a result, all hotels must be fully invested in addressing website cookie banners, privacy policy updates and receiving cookie consent when visiting a website. Equally important is to enable users to opt-in and opt-out of the solutions used on a hotel website.

Website cookies and third-party booking engines

Hotels using third-party booking engines are additionally exposed. Under GDPR, for example, a hotel will be held accountable for the data they receive from third-party, e.g. online travel aggregators or external booking engines. These tools and sites often share personal data, such as name and email, which need to be communicated to the end-users together with adequate controls enabled for the visitor. GDPR identifies organizations by category - data controllers or data processors. An entity can be one or the other, but it can also be both. This ultimately depends on the setup the hotel uses.

Booking engines and other solutions often rely on cookies to provide detailed information about visitors, their inquiries and what rooms they have searched for. Hotels need to provide adequate controls and mechanisms in place, which allow visitors to be in control of their own personal data and how they are being tracked for the hotel to stay compliant with GDPR.

secure privacy analytics

Becoming GDPR Compliant

Companies can make their cookie consent usage compliant with the Secure Privacy platform. It is crucial that you block non-essential plugins and cookies, and only enable those cookies that are strictly necessary for your website to function.

Follow these steps to make your website compliant:

There are three steps to get started: 
1. Sign up for a free trial.
2. Install the solution on your website.
3. Enjoy that cookie consent is automatically documented.

Step 1: Enter Your Details To Sign Up For A Free Trial

Visit Secure Privacy pricing page to view pricing.

Select the GDPR solution and activate your 7-day free trial.

secure privacy gdpr pricing

Step 2: Install Script or Plugin on Website

Download WordPress GDPR plugin or follow our tutorials to set up the solution on your website.

secure privacy dashboard

Step 3: Validate that consent is documented for your website

Cookie consent is automatically documented once installed.

secure privacy consents dashboards

Secure Privacy dashboard

Want to try
Secure Privacy?

Get your free cookie banner up and running today!

That also interest you