Research Paper Draft: The Hospitality Law and Privacy
Introduction
Privacy, including information privacy, has become one of the great concerns of our modern information society. Each day, without much difficulty, one can find a news story or report concerning some question of privacy. The main focus of these questions, however, have centered around the age-old debate between what is the best balance between security and privacy. That is to say, very little public, media or government attention has focused on other equally important areas of privacy including privacy in the private sector, such as in the hospitality industry. Nowadays, the hospitality industry increasingly has access mountains of our private information. Moreover, the details of that information, which not only contain the personally identifiable information of guests, clients and customers; but also details of some of their customer’s most intimate activities; may potentially be more revealing than what the local police, FBI or NSA can gather about us. Acknowledging the fact there are a number of rights, laws, and guidelines, including the Constitution, that protect a person’s privacy from state or their agents; what are the legal and policy protections that safeguard a person’s privacy from the actions of a hotel, restaurant, airline, cruise ship, or travel agency?
In seeking to resolve this question this paper will focus specifically on information privacy. Information privacy, according to Rotenberg and Jacobs, refers to the collection, use and disclosure of personal information (611-612). More specifically, in contrast to decisional privacy issues such as one’s freedom to travel, some of the questions this paper will attempt to answer include: what privacy rights, if any, does a guest have in a hotel, or restaurant; what rights to privacy does a client have with a travel agent; what duties or responsibilities does a hotel have to protect a guest’s privacy in their hotel room; what duties does a hotel have to protect the privacy of a guest’s records or financial information, what duties does a hotel/restaurant/travel agency have to report a breach of a guest’s private records; can the government order a hotel to spy on a guest or otherwise provide them access to the guest’s private information, and what laws (common or statutory) regulate the privacy of guest and client interaction with the hospitality industry.
Background
The hospitality sector is one of the least recognized but most important industries in the nation. Over the last year, the hospitality sector employed over eight million Americans, or one out of every 18 people, generated over U.S. $1 trillion, and represented nearly three percent of the nation’s gross domestic product (Bureau of Labor Statistics). There are a number of reasons why hospitality has enjoyed such an explosion in growth over the past decade. First, the spread of globalization, for instance, and the lowering of barriers to travel that it has enabled has allowed millions of people who previously did not have the opportunity to travel to see the world, or at least, the next town over. Second, the increased opening of once closed travel markets such as China, Eastern Europe, and Russia have also facilitated travel and hospitality opportunities both to and from such destinations. Finally, the explosion of information technology, especially in terms of increasing the ability of locals and visitors to communicate with each another, as well as in allowing visitors to stay in touch with those back home. To be sure, from peer-to-peer apps such as Airbnb, to internet bookings has made travelling less stressful and frightening but more convenient and profitable.
Today, the American hospitality sector, even by conservative estimates, is one of the largest industries in the nation (Wilkerson 48). Certainly, if one takes into consideration all aspects of hospitality such as hotels, restaurants, travel agencies, airlines, and tour groups, it would not be beyond the realm of possibility to state that the hospitality industry in the world’s largest, or at least, its most expansive. At home or abroad, the hospitality industry has little problem in accommodating demand. Indeed, whether it is increasing airline travel routes, offering dinner reservation over the internet, or connecting a person with an empty room to a person that needs a place to stay for the night, the hospitality industry has worked hard to make travel more accessible to everyone.
Despite all the growth and development, there are a number aspects of the hospitality industry that have and will remain a constant. First, the hospitality industry collects, stores, uses, and transmits massive amounts of information about its customers. It is one of the few industries that collect such amounts of customer information (Kim and Haley 3-4). Additionally, as a result of the size of the industry, the customer information that the hospitality industry collectively holds most likely includes as significant portion of humanity.
There are multiple reasons why the hospitality industry needs customer information, such as in order to complete a transaction, or to increase the effectiveness of an offered service, or simply for a hospitality organization’s own records. Moreover, with advances in information technology, the ability of the hospitality industry to collect customer information, and the extent to which it can collect such information is unparalleled in human history. Second, large portions of the customer information collected by the hospitality industry is of a personal or sensitive nature. Personal information includes but is not limited to a customer’s: name, social security number physical address, e-mail address, food choices, entertainment selections, or travelling preferences. Sensitive information, on the other hand, includes: bank and credit card information, medical information, phone calls made or received, travel destinations, or who one is travelling with or accompanying. In other words, the information collected could potential provide a detailed profile and comprehensive understanding of the customer. Third, as a result of the collection of such information, and recognition of the fact that much of the information collected might be personal and sensitive, most customers expect a certain degree of privacy in and of their interactions with the hospitality industry. This expectation may be as simple as not expecting a hotel, for instance, of keeping which hotel room one rented private or as complex as stopping another hotel guest from filming you through your hotel door’s peephole (Cook County Circuit Court 9). Fourth, the customer information that the hospitality industry collects, uses, and transmits, is highly attractive to a wide range of third-parties including the public, the media, private sector organizations, and of course, the government.
General Private Sector Privacy Duties
Upon first consideration, the private sector, which includes almost all of the hospitality industry, seems to pose as mentioned above, a potentially more invasive interference with a person’s information privacy that the government. This is so because, as Solove argues, in today’s modern information society, in order to accomplish even the simplest of tasks such as reading an e-mail, a person is required to voluntarily provide significant quantities of their personal information or otherwise knowingly allow other access to private data (2-4). According to Solove, the vast majority of this information, moreover, is never seen by the government but rather the private sector, and the techniques that they businesses use to collect data is as varied as there are companies (5-7).
In addition to the gathering of traditional credentials such as name, address and financial information, two further examples that are particularly relevant for the hospitality industry include “cookies” and radio frequency identification (RFID) tags. A cookie is a small software file that is downloaded onto a person’s computer, tablet or smartphone, when they access a website such as a hotel or restaurants reservation page. Hotels and restaurant often use cookies in order to store customer preferences so that when a customer visits the website again, they will not have to re-enter prior information. While generally innocuous, cookies can according to Zimmerman, be highly invasive of a person’s privacy (442-444). In addition to being able to identify a customer, they can also be used to track where a customer is and what other sights the have accessed without the customer’s notice. RFID tags are card, such as a hotel key card, that are embedded with a chip that transmits a radio frequency which can be picked up and read by sensors. According to the Electronic Privacy Information Center (EPIC) depending on what information is programmed onto the chip, a sensor could provide such information as the exact location of the card as well as the person holding it (EPIC).
With the private sector’s willingness and ability to collect such information on their customers, the question becomes are there any restrictions to their conduct. A review of the literature suggests: yes, there are some restrictions but they are quite limited. According to McClurg, one possible limitation is found in the law of torts (97). Tort law as a protection, will be discussed later, suffice it to write that any conduct perpetrated by a private business that exceeds what a reasonable person would deem acceptable, may potentially be illegal and provide a customer with a legal remedy. According to Kerr, another possibility might be found in federal statutory law such as the Computer Fraud and Abuse Act (CFAA) (1598). The CFAA prohibits the unauthorized access of a computer or accessing computer beyond one’s authorization. Accordingly, customer who finds that the hotel, restaurant or travel agency proceeded to download a cookie to his computer after he told them not to might have a cause of action.
Kim and Haley argue that one area of strict regulation, however, is the protection of customer data. In other words, while there may not be a stringent legal framework for restricting the collection of customer information, one exists for the protection of that date from theft, misuse, or unauthorized access (14).
Hospitality Sector Privacy Responsibilities
The hospitality industry is a part of the private sector. Accordingly, it is subject, generally to the same duties that any private industry actor is obliged to comply with and obey. Nevertheless, the hospitality industry has, as mentioned above, has historically had access to and been entrusted with more personal and more sensitive information than other industries. According to Miller, for example, hotels have a fundamental duty to protect or ensure the right of a guest to the privacy of their hotel room from unreasonable intrusions into the guest’s privacy (271). In practical terms what this means is that the hotel is required to protect, at the least, a guest’s hotel room from the arbitrary intrusion or interference into the guest’s privacy whether that includes, for instance, housecleaning entering the room when the guests demand that they are not disturbed or prohibiting the public or media from knowing which room a person is actually occupying.
Customers’ Right to Privacy
Outside of the specific restrictions on the private sector generally and the hospitality industry specifically, some of the most basic protections to customer’s privacy rights are available from common law protections to privacy. To be sure these protections are fundamental to what it means to be a human. In their 1890 law review article, Samuel Warren and, future Supreme Court Justice, Louis Brandeis set out the reasoning that would facilitate the eventual finding of a common law right to privacy. According to Warren and Brandeis, the common law was filled with examples and illustrations of instances of where courts explicitly provided for the protection of a person’s privacy (Warren and Brandeis). Accordingly, to clear up any confusion about where a person’s privacy rights began and ended, Warren and Brandeis in essence recommended that courts interpret the old laws protecting privacy to the new circumstances that confronted them (Warren and Brandeis). According to Solove, Rotenberg and Schwartz, the Supreme Court, would eventually adopt the Warren-Brandeis framework for analyzing whether or not a privacy right existed in a contested action (25). This applies to the hospitality industry in one primary way, namely the law of torts.
While Warren and Brandeis’ analysis was mainly focused on the obtaining of, without authorization, information by the media and its dissemination to the public, the basic focus of what they wanted to regulate is analogous to the hospitality industry. To be sure, according to work of O’Brien, as early as 1902, state legislatures had begun to positively respond to Warren and Brandeis’ argument on the idea of there being a right to privacy as expressed in the law (446). For Warren and Brandeis, privacy could be protected by the simple application of age-old tort concepts to the current realities. Accordingly, and in terms of the modern day hospitality industry, there are a number of legal aspects that are available to plaintiffs to bring a complaint. According to Solove, Rotenberg and Schwartz, these remedies are commonly known as the “privacy torts”, and they include public disclosures of private facts, intrusion upon seclusion, providing information that projects a person in a false light, and the uses or misuse of information that in effect results in the unauthorized appropriation of the identity of a customer’s “likeness” (26-27). In consideration of the four privacy torts, the former two provide the most relevant cause of action for the hospitality industry customer.
According to Mintz, a public disclosure of a private fact refers to the dissemination of a fact about a person that, on the one hand is true, but on the other hand is not a legitimate concern of the public, and whose publication, is “highly” offensive to a “reasonable person (436-437). Under this definition, the transmission or publication of any information by a hospitality industry actor about a customer that is found to satisfy the elements of the tort provides a possible cause of action to any possible or relevant plaintiff. For instance, a hotel’s exposure that a guest met with a controversial public intellectual would satisfy the elements of a public disclosure of a private fact. In addition, if a restaurant allowed for the intrusion or prying into the affairs of a guest that a reasonable person would find objectionable and private, such as the revelation of a fact that would not normally be open to the public, then a customer might have a cause of action in the disclosure of that specific information.
Conclusion
The hospitality industry’s increasingly detailed access to their customer’s personal and sensitive information, along with other relevant factors including growing size of the hospitality industries customer base, the expectations of privacy from customers as well as the attractiveness of customer information to third parties point to a broad range of privacy issues that have become an integral part of the administration and regulation of the hospitality sector. To better recognize the privacy considerations involved, a thorough understanding of the hospitality and privacy laws is necessary. Interestingly, while much as been written on the subject of hospitality law and privacy law, relatively little has been published about the intersection of hospitality and privacy law
Works Cited
Bureau of Labor Statistics. “Employment by major industry sector.” U.S. Department of Labor, 08 Dec. 2015. Web. http://www.bls.gov/emp/ep_table_201.htm
Cook County Circuit Court. “Complaint: Erin Andrews v. Marriott et al.” 15 Jul. 2010. Web. http://lawprofessors.typepad.com/files/erinandrewscivilsuit.pdf
Electronic Privacy Information Center (EPIC). (2016). Radio frequency identification (RFID) systems. Retrieved from https://www.epic.org/privacy/rfid/#identification
Kerr, Orin S. “Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes.” New York University Law Review 78.5 (2003): 1596-1668. Web. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740
Kim, Sunny and Mark Haley. “Principles of Privacy: Defining and Implementing Sound Privacy Practices in Hospitality. 55. Web. https://faculty.unlv.edu/pbrewer/Principles_of_Privacy.pdf
McClurg, Andrew J. “A Thousand Words Are Worth a Picture: A Privacy Tort Response to a Consumer Data Profiling.” Northwestern University Law Review 98 (2003): 63-143. Web. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1628724
Miller, Jason C. “Do Not Disturb: Fourth Amendment Expectations of Privacy in Hotel Rooms. Seton Hall Circuit Review 7 (2011): 269. Print.
Mintz, Jonathan B. “The Remains of Privacy’s Disclosure Tort: An Exception of the Private Domain. Maryland Law Review 55 (1996): 425-466. Web. http://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=2987&context=mlr
O’Brien, Denis. “The Right to Privacy.” Columbia Law Review 2 (1902): 437.
Rotenberg, Marc and David Jacobs. “Updating the Law of Information Privacy: The New Framework of the European Union.” Harvard Journal of Law and Policy 36.2 (2013): 605-652.
Solove, Daniel J. The Digital Person: Technology and Privacy in the Information Age. New York: New York University Press, 2004. Print.
Solove, Daniel J., Mark Rotenberg and Paul M. Schwartz. Information Privacy Law. 2nd ed. New York: Aspen Publishing. 2006. Print.
Warren, Samuel W. and Louis Brandeis. “The Right to Privacy.” Harvard Law Review (1890): Web. http://faculty.uml.edu/sgallagher/Brandeisprivacy,pdf
Wilkerson, Chad. “Travel and Tourism: An Overlooked Industry in the U.S. Tenth District. Kansas City Federal Reserve.” 2003. Web. https://www.kansascityfed.org/publicat/econrev/pdf/3q03wilk.pdf
Zimmerman, Rachel K. “The Way the “Cookies” Crumble: Internet Privacy and Data Protection in the Twenty-First Century.” New York University Journal of Legislation and Public Policy 4 (2001): 439-464. Web. http://www.merchantgould.com/portalresource/The-Way-the-Cookies-Crumble-Rachel-Zimmerman-Scobie.pdf
