Tim Horton's - a chain of coffee shops based in Canada - has been using a smartphone app downloaded by millions of customers to track their location.
Not just when the app was in use on their phones, oh no.
This app tracked customer locations even when the app wasn't in use.
And they did it for years.
Such is the current state of the penalties for this under Canadian data protection law, that Tim Horton's has announced that it will settle the resulting class action lawsuit by giving all those affected a free coffee and a donut.
That's it. One coffee. One donut.
If you're a Tim Horton's customer and you have had your location tracked almost everywhere you've been for a couple of years, that's what they think of you and that is what they think you will settle for.
Having ridden a coach and horses through the fundamental bonds of trust between customer and vendor which are needed in the modern data economy, their assessment of the response to the scandal is very low...
There are some interesting articles in the trade publications these days about the ability of hotel technology to collect "1,500 data points".
As I'm travelling a lot more this year and staying in hotels owned by different brands, I have been able to add a few more loyalty accounts to my wallet.
Some, it appears, make better use of technology than others. While I'm heading up to my room in the lift, I find myself wondering, "if they're really collecting all this data, what are they planning to use it for?"
Because as far as I can tell, it may well be collected but it isn't actually being used.
There are two issues with this:
There's a fascinating story in today's Sunday Times, "China's new spy army has invaded - and we're not fighting back", by Ian Williams.
Being your friendly data protection and privacy anorak, it made me think about how vulnerable hotel guests might be.
You see, Chinese hackers carry out a great deal of industrial espionage. A lot of which involves reading people's emails and scanning them for information in the message text, in attached documents or in systems to which an email account could grant access.
Hacking email accounts of your employees is a constant threat. Just ask Marriott what it's like. But what about the threat to your guests while they are staying in your hotel? An environment YOU are responsible for!
We already know from this blog post that the hotel sector is in the top three of industries favoured by hackers.
An example given by Mr Williams is of an attack on an oil company in the USA.
The hackers didn't need to...
As though you don't already have enough challenges as a hotelier...
The secret most data protection "experts" didn't share with you when you made your initial compliance efforts back in 2018 is this,
"The world of data protection and privacy is fluid and it moves at a fast pace."
I'll caveat that a wee bit - I know it appears to outsiders that the regulators don't move with quite the same alacrity as the environment they oversee. The IT press in particular grumbles about this quite a lot.
However, you've only got to take an example from the news last week, where the Irish Data Protection Commission raised the prospect of Meta (Facebook) being told to stop transferring EU citizen data to the USA or face the consequences. Which could result in Facebook not being available to EU citizens.
When regulators move, their actions can have serious consequences. If your marketing and lead generation uses Facebook adverts, this latest action could simply switch it off for...
A couple of interesting sets of survey results were published in the last week or so.
One presents some fascinating insight on hotel technology as experienced by hoteliers today in mid-2022. The other takes us to the near future and considers what will be important come 2025.
The current state of hotel technology is discussed in this survey by HotelOperations.com (as presented by the ever-relevant Josiah Mackenzie, if you're not following him you should) which you can read if you click on this link.
The glimpse into the future is presented in a joint report created by Oracle and Skift.com, which you can access from the page this link will take you to if you click it.
From my point of view as a data protection and privacy chap, these are very useful documents. If you pull up a chair and get yourself a cup of coffee I'll explain why - and why it should matter to you.
It's probably best if I tell you about the Dodo first.
A few years ago, in the early...
Your ability to make use of guest data is critical - yet you need to make sure you are using it responsibly. The consequences of you not paying enough attention to the need to keep personal data safe are serious.
I mean, just look at those teeth!
The power of data is its ability to improve things. It can be analysed by people who are much cleverer than I am and they can draw conclusions from it which can dramatically improve the livelihoods of other people. I witnessed this during the Covid pandemic.
Data can also be analysed by machines and artificial intelligence (AI). The concern about AI is that until it has learned how to do the tasks it is challenged to do it is not much cleverer than I am. It is however a lot faster than I am. And that should be a concern for all of us.
You see, something which still has a lot of learning to do, but which is capable of travelling at mind-boggling pace, will be able to make lots of mistakes in many places,...
There is much fanfare in the news bulletins this morning about the beginning of the end for "those annoying cookie banners" as a result of the release of some information by the Department of Culture, Media and Sport (DCMS).
(I blogged about this yesterday - the annoying ones are a direct consequence of feckless, careless configuration and penny-pinching use of technology. But that's only my opinion.)
It seems the press can't resist jumping on the bandwagon when it comes to presenting data protection and privacy issues to us. With GDPR it was "the fines" and now with the sort-of-nearly proposed data reforms it is "those annoying cookie banners".
The move to "opt out" as opposed to "opt in" is also doubtless popular amongst those who seek to target you for marketing purposes. More on that in a moment.
We'll see what happens. But I will say this: Be careful what you wish for.
Buried deep in the thinking for these reforms remains the need for "safeguards"...
When you're trying to get things done on the internet, pop-up cookie banners can be extremely annoying.
Yet it doesn't need to be this way. Not if people took the time to configure them properly.
Unfortunately, most people don't. Especially most of the people who are responsible for your hotel website. They don't understand the real purpose - and requirement - for cookies to be controlled.
Instead they are quite happy to allow cookies to be poorly managed and badly controlled. Which means your website visitors are confused, frustrated or even put at risk. It can also mean your website doesn't work properly. Which means you can lose sales and/or look really stupid.
Other people who look stupid when they complain about cookie management are some web developers and politicians who blame this on GDPR.
The requirement to manage cookies on your website is not a GDPR thing. Instead it is demanded by the "Privacy and Electronic Communications...
Is your use of other people's personal data properly managed or will your response to your next data protection challenge be determined by a quick game of rock, paper, scissors?
This is our goal for data protection and privacy in the UK hospitality industry:
"No more random acts of data protection."
It is part of the answer to a very serious problem all hotels face. The problem is this:
Privacy is contextual. Your management of privacy and data protection depends heavily on the context of your use of, the availability of and the risks surrounding personal data. This is a fluid environment, it changes shape regularly. Which means it can be very frustrating to deal with.
The problem with frustration is that it quickly leads to people not making what might be considered "the best" decisions or introducing "the best" solutions to problems.
Which means you end up with random acts of data protection (and privacy). For example, think about cookie banners on...
It must be true. It says so in the Financial Times.
In March 2022 the FT published an interesting article about how vulnerable to attack hotels can become. You can read it here.
Implementing technology is expensive. In many cases it is the answer to the challenge of finding staff to provide services, or at least part of it. Check-in kiosks, for example, are becoming more common as hotels seek to cut their need for staff skills which are becoming increasingly scarce.
Hoteliers are also encouraged to "personalise" both the guest stay and sales promotions. Obviously, personalisation means collecting and using personal data. The more personal data you hold, the more attractive you are to hackers.
You see, these attacks always follow the money. You will have systems in your hotel which handle transactions. There will be key staff with access to payment systems which represent a juicy and profitable target for hackers. What are you...