Corporations like Google and Facebook collect incredible amounts of information about their users,1 and this summer saw confirmation of widespread surveillance of private citizens by the U.S. National Security Administration. Between government and corporate information collection, privacy experts have gone so far as to say that privacy on the Internet no longer exists. As data collection has become ubiquitous online, privacy regulators and other enforcement authorities such as the Federal Trade Commission (FTC) have become more interested in reviewing websites' and Web applications' privacy policies. These authorities require or strongly encourage, depending on the jurisdiction, that website and app operators adopt and publish privacy policies that inform users of the information they collect and how they use it. Indeed, California Governor Jerry Brown recently signed into law new provisions of the California Online Privacy Protection Act (CalOPPA), which require website operators and online services to notify users whether other parties may collect information across different websites and to disclose how they respond to Web browser Do Not Track signals.2 Given the increased scrutiny being given to privacy policies and the size of the penalties levied for not complying with applicable laws in this area,3 it is surprising that so many websites and apps have inadequate policies or none at all.
Under law and as a best practice, website and Web application operators (including those in the hospitality industry) should publish, and adhere to, privacy policies that tell users how the operator collects, uses and discloses personal information. Good privacy policies advance the core principles of privacy protection: they give users notice; let users choose what information is collected and how it is used; let users access information about them; tell users, correctly, that the operator takes reasonable steps to keep their personal information secure; and give users a means to address their concerns.4 Moreover, good privacy policies meet the dual goals of being both thorough and accessible to the average user. Unfortunately, most privacy policies fall short of these goals.
In May 2013, 19 privacy enforcement authorities from around the world conducted the first Global Privacy Enforcement Network Internet Privacy Sweep.5 The Sweep looked at 2,276 websites' and apps' privacy policies, spending only a few minutes per site or app to replicate a typical customer experience.6 Almost one quarter of those websites and apps had no privacy policy whatsoever.7 Of those that did have policies, many weren't helpful to the average user because their policies contained little more than boilerplate language or lengthy quotes from privacy legislation.8 Generally, the Sweep found that larger organizations' privacy policies were better than smaller organizations' policies, and that app privacy policies are lagging behind: more than half of the apps examined had no privacy policy at all.9
While evolving technologies and changing laws can make it difficult to keep up with the most recent requirements, the Sweep makes clear that "keeping up" is not the real problem. Rather, it's having a policy and complying with it. This is of particular concern for companies in the hospitality industry. Not only do they have access to huge amounts of customer data, much of which is collected online, but the hospitality and food and beverage industries are primary targets for data breaches, accounting for roughly 33 percent of the data breaches in 2012.10 This makes it more important than ever that companies in the hospitality sector adopt meaningful privacy policies and comply with them.11
The results of the Sweep and the compliance actions initiated by the FTC and others of late make clear that this is no easy matter. Still, the first step is to adopt a policy that not only meets statutory requirements, but can and will be implemented. Recommendations for drafting better policies are listed below:
- Privacy policies should present information in a way that is easily readable to the average person. They should use plain language and concise explanations rather than lengthy and confusing legalese. Similarly, links to privacy policies should be both functional and easy to find.
- Policies should fully inform users about all information the operator collects, including data that is collected behind the scenes, such as the user's IP address and information collected from browser cookies.
- Policies should tell users about simple and effective methods to protect their personal information by, for example, opting out of providing data for certain purposes or requesting to access or challenge the accuracy of the operator's data about them.12
- Policies should adhere to applicable laws, such as California's Online Privacy Protection Act of 2003,13 as well as FTC guidance. Operators should stay informed about legal developments both in the U.S. and internationally, and update their policies when necessary.
- Policies should include up-to-date contact information for the person(s) responsible for the operator's privacy practices.
Online data collection in the United States shows no signs of slowing. Nor do attempts to gain access to that information, or penalties for failure to protect it. While companies in the hospitality industry may not be able to stop the onslaught from outsiders determined to hack their data, they can reduce their exposure to claims by regulators and others that they have failed to meet their obligations to consumers by adopting (and complying with) privacy policies that allow their users to make educated decisions about what they disclose and how they allow their information to be used. To comply with applicable laws and guidance, these policies should be as accurate, thorough and clear as possible.
Sources:
1. This data comes from a variety of sources, but quite a bit is simply extracted from user behavior. In its recent data map, Domo estimates that Google receives over 2,000,000 search queries per minute and Facebook users share 684,478 pieces of information per minute. See Domo, Data Never Sleeps.
2. Governor Brown also signed into law new legislation regarding California's data breach requirements: Senate Bill No. 46 and Assembly Bill No. 1149.
3. In 2012, Google agreed to a $22.5 million settlement involving privacy practices that violated its privacy policy.
4. Federal Trade Commission, Fair Information Practice Principles, Nov. 23, 2012, available at http://www.ftc.gov/reports/privacy3/fairinfo.shtm.
5. Office of the Privacy Commissioner of Canada, Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep, Aug. 13, 2013, available at http://www.priv.gc.ca/media/nr-c/2013/bg_130813_e.asp.
6. Id.
7. Id.
8. Id.
9. Id.
10. See Trustwave, 2013 Global Security Report, available at http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf.
11. While there is no result yet in the FTC's case against Wyndham Worldwide Corporation Hill, which alleges in part that the company's public privacy policy misrepresented the security measures it actually employed to protect customers' personal information, it illustrates the potential risk. See http://www.duffonhospitalitylaw.com/2012/07/20/title-here.
12. See Federal Trade Commission, supra note 2.
13. See Cal. Bus. & Prof. Code §§ 22575-22579.