Marriot fined USD 125 million under the EU GDPR data protection regulation


By Hotel

The hotel industry is known to be especially sensitive to the General Data Protection Regulation (EU GDPR) as they daily process vast amount of personal data. Hotels continue to struggle to become compliant with the EU General Data Protection Regulation (GDPR). The latest is Marriot International who recieved a record high fine under the GDPR.

Marriot is one of the most well known hotel brands in the world. If Marriot struggles with GDPR, many other hotels are likely to be in noncompliance with the new EU data privacy regulation, the General Data Protection Regulation (GDPR).

Fined by the UK’s Information Commissioner’s Office (ICO), Marriot is accountable for the personal data they collect and has violated the GDPR:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protectedsaid Information Commissioner Elizabeth Denham.

It is the second time in less than one week that the UK’s ICO has has decided to impose record fines using its authority under the General Data Protection Regulation (GDPR).  Just days before, it was British Airways that got fined a huge penalty of USD 230 million under the GDPR.

The hotel industry is especially sensitive to the GDPR

With new and existing customers coming and leaving hotels and establishments, the hotel industry is especially sensitive to the GDPR.

Hotels worldwide process vast amount of personal data being one of the most vulnerable industries. It is no surprise that the industry accounted for the second largest share of security breaches (Verizon 2016 Data Breach Investigations).

Hotels often rely on analytics and advertisements to drive traffic to their websites. Marriot is no different. However, in order to be compliant, you need to block cookies and trackers before you have recieved explicit consent. In the following case, and many others, that is NOT the case:

Marriot website entered from an EU website in 2019

GDPR is designed to to protect the individual’s rights by limiting how that information is used and what cookies are being placed on a visitors computer. As a result, it covers any information that allows an EU resident to be personally identified whether included in a membership database or tracked on a website.

Non-compliance can result in hefty fines, operational setbacks and reputational damage. As a result, it is important that all hotels are fully invested in addressing website cookie banners, privacy policy updates and recieving cookie consent when visiting a website. Equally important is to enable users to opt-in and opt-out from the solutions used on a hotel website.

Website cookies and third-party booking engines

Hotels using third-party booking engines are additionally exposed. Under GDPR, for example, a hotel will be held accountable for the data they recieve from third-party, e.g. online travel aggregators or external booking engine. These tools and sites often share personal data, such as name and email, which need to be communicated to the end-users together with adequate controls enabled for the visitor. GDPR identifies organizations by category – data controllers or data processors. An entity can be one or the other, but it can also be both. This ultimatly depends on the setup the hotel uses.

Booking engines and other solutions often rely on cookies to provide detailed information about visitors, their inquiries and what rooms they have searched for. Hotels need to provide adequate controls and mechanisms in place, which allow visitors to be in control of their own personal data and how they are being tracked for the hotel to stay compliant with GDPR.

Becoming GDPR Compliant

Companies can make their cookie consent usage compliant with the Secure Privacy platform. It is crucial that you block non-essential plugins and cookies, and only enable those cookies that are strictly necessary for your website to function.

Follow these steps to make your website compliant:

There are three steps to get started: 
1. Sign up for a free trial.
2. Install the solution on your website.
3. Enjoy that cookie consent is automatically documented.

Step 1: Enter Your Details To Sign Up For A Free Trial

Visit Secure Privacy pricing page to view pricing.

Select GDPR solution and activate your 7-day free trial.

Step 2: Install Script or Plugin on Website

Download WordPress GDPR plugin or follow our tutorials to setup the solution on your website.

Step 3: Validate that consent is documented for your website

Cookie consent is automatically documented once installed.

Tagged under:

Make your hotel GDPR & EU cookie compliant with the #1 cookie consent solution