Pretty much everywhere commentators, operators and consultants are promoting the benefits of Big Data in the travel and hospitality industry.  Big Data offers tremendous promise to manage costs, guide investment strategies, and personalize user experiences. And, Little Data maybe even more so. 

However, not everyone is singing the praises of Big Data. There is an equally loud chorus among privacy advocates, legislators and others that Big Data threatens user privacy, and because of the quantity of data collected, exposes personal information to increased risk. In light of the Target data breach, NSA disclosures, and recent uses of customer data that verge on creepy, this chorus is growing louder.   

Certainly, customers benefit from personalization and efficiencies that Big Data can bring, but customers are voicing concerns about how their personal information is being used, and reports indicate that a substantial majority do not believe companies are honest about how they exploit customer data. 

The problem is that there’s not a lot of guidance on how to serve both constituencies well. Worse, the privacy landscape is in flux. In the space of a few months, the California Attorney General filed a complaint against the Kaiser Foundation Health Plan for failing to timely report a data breach, Congress is considering legislation that would impose criminal penalties for failure to disclose a data breach, the FTC has reached settlements with 14 companies for falsely claiming to comply with the US-EU Safe Harbor, new rules on data security in government contracting have been adopted, new EU rules on data collection are coming on line, and the judge in the Google wiretap case has ruled that companies may not rely on generalized privacy statements to establish user consent to their data practices. How can you get the benefits of Big Data and at the same time comply with the rules and protect customer privacy? 

What and Why:  Evaluate your needs and make informed decisions about what data to collect and why. While the costs of collecting data have decreased, processing that data is still expensive. And once collected, you need to protect it. This is not easy or cheap and holding data increases the risk of disclosure. Before proceeding you need to have a plan in place, and don’t collect what you don’t need.      

Rules of the Road: The rules applicable to collection and use of data vary from jurisdiction to jurisdiction and from type of use and the nature of the data collected. Make sure someone in your organization has responsibility for staying up to date and reviewing your practices, policies and procedures for compliance. And, if you are doing business (or plan to) anywhere outside the U.S., follow the OECD Privacy Guidelines and the EU Data Protection Directive.  

Notice and Consent:  Provide explicit notice about what data you are collecting, how you will use it and ask for permission in advance. In the last year, Disney Parks has begun using RFID wristbands, MagicBands, in its parks and resorts. These wristbands interact with sensors throughout the parks and collect data about user activity, which is then used by Disney to interact with the visitor, improve services and other purposes as described in the Disney FAQ and privacy policy. While some argue that Disney’s notice does not go far enough (particularly with respect to choice), it represents a clear step toward the explicit notice required by Judge Koh in the Google case, as well as the consent requirements for cookies under the EU Directive. 

One Size Fits All: Maybe for sweatshirts, but not for data policies.  Don’t cut and paste from form or competitor policies. If there is anything to be learned from Judge Koh’s order in Google, it is that to gain protection through user consent, your policy must describe what you do.   

  
De-identify and Encrypt: Where practical (and certainly where promised), de-identify and/or encrypt data collected from customers. This may not only provide a safe harbor for claims in the event of a data breach (and provide grounds to argue no damage), it also provides customers with an added level of security.    

Data Storage and Security Practices: As with rules on collection, these vary from jurisdiction to jurisdiction. Get familiar with these rules, establish and comply with internal policies that satisfy these requirements. This includes a data retention policy that conforms to your published privacy policy.     

 
Establish Internal and External Controls: You are responsible for what happens to the data you collect, so you need to adopt internal and external controls for how the data is collected, handled and stored, provide training to employees and contractors on compliance, monitor activity to confirm that the data is not being accessed or used improperly, and take prompt remedial action if you learn of a violation or breach. 

Do What You Say: Too often, policies are written and forgotten. There is a need for frequent training and monitoring. But there is another element.  If your policy says you won’t share the data you collect or that you will employ industry best practices to protect it, or that you will only use it for a specific purpose, you need to do it. In the latest round of the Sony PSN litigation, misrepresentations regarding Sony’s data security practices in its privacy polices formed a basis for permitting certain plaintiffs to proceed with consumer protection claims against the company.  

    
Big Data is here to stay, and if recent developments are any indicator, restrictions on collection and use and the costs associated with unauthorized use – through breach or otherwise – will only increase. ?If you are going to use Big Data (or Little), do what Mickey did: plan ahead and get consent.