Marriott fined USD 125 million under the EU GDPR data protection regulation
Marriott has been fined under the EU General Data Protection Regulation (GDPR) by the UK's ICO. Find out how your business can become GDPR compliant today.
The hotel industry is known to be especially sensitive to the General Data Protection Regulation (EU GDPR) because hotels process vast amounts of personal data every day. Hotels continue to struggle to become compliant with the GDPR. The latest is Marriott International, which has received a record-high fine under the GDPR.
Marriott is one of the most well-known hotel brands in the world. If Marriott struggles with the GDPR, many other hotels are likely to be in noncompliance with the new EU data privacy regulation as well.
In fining Marriott, the UK's Information Commissioner's Office (ICO) made clear that Marriott is accountable for the personal data it collects and that it has violated the GDPR:
"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.
It is the second time in less than one week that the UK's ICO has imposed a record fine using its authority under the GDPR. Just days before, British Airways was fined USD 230 million under the GDPR.
Read the latest blog posts about the ICO.
The hotel industry is especially sensitive to the GDPR
With new and returning guests constantly arriving at and leaving hotels and other establishments, the hotel industry is especially sensitive to the GDPR.
Hotels worldwide process vast amounts of personal data, making hospitality one of the most exposed industries. It is no surprise that the industry accounted for the second-largest share of security breaches (Verizon 2016 Data Breach Investigations Report).
Hotels often rely on analytics and advertising to drive traffic to their websites. Marriott is no different. However, in order to be compliant, you need to block non-essential cookies and trackers until you have received explicit consent. In the following case, and many others, that does not happen:
Screenshot: Marriott website entered from an EU website in 2019
The GDPR is designed to protect the individual's rights by limiting how personal information is used and what cookies are placed on a visitor's computer. As a result, it covers any information that allows an EU resident to be personally identified, whether that information is held in a membership database or collected by tracking on a website.
Website cookies and third-party booking engines
Hotels using third-party booking engines are additionally exposed. Under the GDPR, for example, a hotel will be held accountable for the data it receives from third parties, e.g. online travel aggregators or external booking engines. These tools and sites often share personal data, such as names and email addresses, and this sharing must be communicated to end users, together with adequate controls for the visitor. The GDPR identifies organizations by category: data controllers or data processors. An entity can be one or the other, but it can also be both; which applies ultimately depends on the setup the hotel uses.
Booking engines and other solutions often rely on cookies to provide detailed information about visitors, their inquiries and which rooms they have searched for. To stay compliant with the GDPR, hotels need to have adequate controls and mechanisms in place that let visitors control their own personal data and how they are tracked.
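The prior-consent blocking described above (nothing non-essential runs until the visitor has consented) and the visitor controls needed for booking-engine and analytics tags can be reduced to a small default-deny gate. The example below is added here and is not Secure Privacy's, Marriott's, or any booking engine's code; the tag catalog, category names, and script URLs are constructed sample data.

```javascript
// Added example: a minimal prior-consent gate for third-party tags.
// Tags are declared with a category; only "necessary" tags may run before the
// visitor has recorded a choice, and every other category stays blocked by default.
const TAG_CATALOG = [ // constructed sample catalog of tags a hotel site might load
  { id: 'session',   category: 'necessary',   src: '/js/session.js' },
  { id: 'analytics', category: 'analytics',   src: 'https://analytics.example/tag.js' },
  { id: 'adpixel',   category: 'advertising', src: 'https://ads.example/pixel.js' },
];
const CONSENT_CATEGORIES = new Set(['analytics', 'advertising']);

// Build a consent record that can later serve as evidence: which categories were
// granted, when, and which banner/policy version the visitor saw.
function recordConsent(granted, policyVersion, now = new Date()) {
  const unknown = granted.filter((c) => !CONSENT_CATEGORIES.has(c));
  if (unknown.length) throw new Error(`unknown consent category: ${unknown.join(', ')}`);
  return { granted: [...new Set(granted)], policyVersion, timestamp: now.toISOString() };
}

// Decide which tags may load. `consent` is null before the visitor has chosen,
// so only necessary tags pass; withdrawing consent (an empty grant) blocks again.
function decideTags(catalog, consent) {
  const load = [];
  const blocked = [];
  for (const tag of catalog) {
    const ok = tag.category === 'necessary' ||
      Boolean(consent && consent.granted.includes(tag.category));
    (ok ? load : blocked).push(tag.id);
  }
  return { load, blocked };
}

// Browser side: inject only the permitted tags, once each. Returns [] when there
// is no DOM (e.g. under Node), so the decision logic can be tested on its own.
function activateTags(catalog, consent, doc = globalThis.document) {
  if (!doc) return [];
  const { load } = decideTags(catalog, consent);
  for (const tag of catalog) {
    if (!load.includes(tag.id) || doc.querySelector(`script[data-tag="${tag.id}"]`)) continue;
    const s = doc.createElement('script');
    s.src = tag.src;
    s.async = true;
    s.dataset.tag = tag.id;
    doc.head.appendChild(s);
  }
  return load;
}
```

The page's screenshot shows the opposite behaviour: tags firing on first load with `consent` effectively unset, which is exactly the state `decideTags(catalog, null)` refuses.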
Becoming GDPR Compliant
Companies can make their cookie consent handling compliant with the Secure Privacy platform. It is crucial that you block non-essential plugins and cookies until consent is given, enabling by default only those cookies that are strictly necessary for your website to function.
There are three steps to get started and make your website compliant:
1. Sign up for a free trial.
2. Install the solution on your website.
3. Cookie consent is then documented automatically.
Step 1: Enter Your Details To Sign Up For A Free Trial
Select the GDPR solution and activate your 7-day free trial.
Step 2: Install Script or Plugin on Website
Download the WordPress GDPR plugin or follow our tutorials to set up the solution on your website.
Step 3: Validate that consent is documented for your website
Cookie consent is automatically documented once installed.
GDPR Fine Examples
French CNIL fined Google 150 million EUR.
Here are more of the highest GDPR fines enforced by regulators so far.
Who are the biggest GDPR fine culprits?