October 23, 2023

Marriott fined USD 125 million under the EU GDPR data protection regulation

Marriott has been fined under the EU General Data Protection Regulation (GDPR) by the UK's ICO. Find out how your business can become GDPR compliant today.

The hotel industry is known to be especially exposed under the EU General Data Protection Regulation (GDPR), since hotels process vast amounts of personal data every day, and many of them continue to struggle to become compliant. The latest is Marriott International, which received a record-high fine under the GDPR.


Marriott is one of the most well-known hotel brands in the world. If Marriott struggles with the GDPR, many other hotels are likely to be in noncompliance with the EU data privacy regulation as well.

The fine was issued by the UK's Information Commissioner's Office (ICO). Marriott is accountable for the personal data it collects, including data it inherited through the acquisition of Starwood, and the ICO found that it had failed in that accountability:

"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected" said Information Commissioner Elizabeth Denham.

It is the second time in less than one week that the UK's ICO has announced a record fine using its authority under the General Data Protection Regulation (GDPR). Just days before, it was British Airways that faced a penalty of USD 230 million under the GDPR. Both figures are the amounts in the ICO's July 2019 notices of intent; the penalties finally imposed in October 2020 were reduced to GBP 18.4 million for Marriott and GBP 20 million for British Airways.

Read more about the UK GDPR, the ICO cookie guidelines and how to become UK GDPR compliant right here.

The hotel industry is especially sensitive to the GDPR

With new and returning guests constantly arriving at and leaving hotels and other establishments, the hotel industry is especially exposed under the GDPR.

Hotels worldwide process vast amounts of personal data, which makes hospitality one of the most targeted industries. It is no surprise that the industry accounted for the second-largest share of security breaches in the Verizon 2016 Data Breach Investigations Report.

Hotels often rely on analytics and advertising to drive traffic to their websites, and Marriott is no different. However, to be compliant you must block non-essential cookies and trackers until the visitor has given explicit, informed consent; the cookie rule itself comes from the ePrivacy Directive (PECR in the UK), and the GDPR defines what counts as valid consent. In the following case, and in many others, that is NOT what happens:


[Screenshot: Marriott website visited from an EU location in 2019, with third-party cookies and trackers loaded before consent]

The GDPR is designed to protect the individual's rights by limiting how personal data is used, which includes what cookies are placed on a visitor's computer. As a result, it covers any information that allows an EU resident to be identified, whether that information sits in a membership database or is collected by tracking on a website.

Non-compliance can result in hefty fines, operational setbacks and reputational damage. As a result, every hotel must be fully invested in addressing its website cookie banner, keeping its privacy policy up to date and obtaining cookie consent from visitors to its website. Equally important is to let users opt in to and opt out of the solutions used on the hotel website at any time.

Website cookies and third-party booking engines

Hotels using third-party booking engines are additionally exposed. Under the GDPR, for example, a hotel is accountable for the personal data it receives from third parties such as online travel aggregators or external booking engines. These tools and sites often share personal data, such as name and email address, and that sharing must be disclosed to end users together with adequate controls for the visitor. The GDPR assigns organisations to a category, data controller or data processor. An entity can be one or the other, but it can also be both, depending on the setup the hotel uses.

Booking engines and other solutions often rely on cookies to collect detailed information about visitors, their inquiries and the rooms they have searched for. To stay compliant with the GDPR, hotels need to put adequate controls and mechanisms in place that let visitors control their own personal data and how they are being tracked.
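The two requirements above, that non-essential tags stay blocked until the visitor consents and that the visitor can later withdraw that consent, can be enforced with a small consent gate in the page's own JavaScript. The following is an added example written for this page; it is not code from the original article or from Secure Privacy, and the tag registry, cookie names and policy version are constructed for illustration. The cookie jar and tag loader are injected so that the same logic runs in a browser (wrap `document.cookie` and insert `<script>` elements) or in Node for testing.

```javascript
// Added example, not the page's or any vendor's code. Names are illustrative.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed tag registry: each tag declares its category and the cookies it
// sets, so a withdrawal knows which cookies to delete. Only "necessary" tags
// may run before a consent decision.
const TAGS = [
  { id: "session",   category: "necessary", cookies: ["SESSIONID"] },
  { id: "analytics", category: "analytics", cookies: ["_ga", "_gid"] },
  { id: "adpixel",   category: "marketing", cookies: ["_fbp"] },
];

const POLICY_VERSION = "2019-07"; // assumed identifier of the cookie policy shown to the visitor

function createConsentManager({ tags = TAGS, jar, loader, now = () => new Date() }) {
  const state = { consent: null, loaded: new Set(), log: [] };

  // Strictly necessary cookies need no consent; everything else is opt-in.
  function allowed(category) {
    if (category === "necessary") return true;
    return Boolean(state.consent && state.consent[category] === true);
  }

  // Load every permitted tag once, and delete the cookies of any category that
  // is not (or no longer) permitted. Before any decision this loads only
  // "necessary" tags, which is the blocking behaviour the article describes.
  function applyConsent() {
    for (const tag of tags) {
      if (allowed(tag.category) && !state.loaded.has(tag.id)) {
        loader(tag);
        state.loaded.add(tag.id);
      }
    }
    for (const tag of tags) {
      if (!allowed(tag.category)) {
        for (const name of tag.cookies) jar.remove(name);
      }
    }
  }

  // Each decision is recorded with a timestamp and the policy version, which is
  // the "documentation of consent" a regulator may ask to see.
  function record(action, choices) {
    state.log.push({ action, choices: { ...choices }, at: now().toISOString(), policyVersion: POLICY_VERSION });
  }

  return {
    init() { applyConsent(); },
    // choices: { analytics: true, marketing: false }; anything unset is treated
    // as refused, so a pre-ticked or missing box never becomes consent.
    accept(choices) {
      const consent = {};
      for (const c of CATEGORIES) if (c !== "necessary") consent[c] = choices[c] === true;
      state.consent = consent;
      record("accept", consent);
      applyConsent();
    },
    withdraw() {
      state.consent = null;
      record("withdraw", {});
      applyConsent();
    },
    loaded() { return [...state.loaded]; },
    log() { return state.log.map((e) => ({ ...e })); },
  };
}

// In-memory cookie jar standing in for document.cookie during testing.
function memoryJar() {
  const cookies = new Map();
  return {
    set(name, value) { cookies.set(name, value); },
    remove(name) { cookies.delete(name); },
    names() { return [...cookies.keys()].sort(); },
  };
}
```

In a browser, `loader` would create a `<script>` element for the tag and `jar.remove` would expire the cookie by name, path and domain. One caveat a practitioner should keep in mind: a script that has already run cannot be unloaded, and cookies set on a third party's own domain cannot be deleted by the hotel's page, so withdrawal can only stop further loading and clear first-party cookies. The safe design is therefore the one shown here, where nothing non-essential loads in the first place until consent exists.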


Becoming GDPR Compliant

Companies can make their cookie consent handling compliant with the Secure Privacy platform. It is crucial that you block non-essential plugins and cookies until consent is given, and load without consent only those cookies that are strictly necessary for your website to function.

Follow these three steps to make your website compliant:
1. Sign up for a free trial.
2. Install the solution on your website.
3. Check that cookie consent is automatically documented.

Step 1: Enter Your Details To Sign Up For A Free Trial

Select the GDPR solution and activate your 7-day free trial.


Step 2: Install Script or Plugin on Website

Download the WordPress GDPR plugin, or follow our tutorials to set up the solution on your website.


Step 3: Validate that consent is documented for your website

Once the solution is installed, each visitor's cookie consent is documented automatically; verify this for your own site before relying on it.


GDPR Fine Examples

Hotel GDPR Compliance: Marriott fined USD 125 million under the EU GDPR data protection regulation
Germany's 1&1 Telecom fined USD 10.6 million for a GDPR violation

France's CNIL fined Google EUR 150 million.

Here are more of the highest GDPR fines enforced by regulators so far.

Who are the biggest GDPR fine culprits?