CCPA/CPRA for Hotels: Do Not Sell, Loyalty Data Rights & California Privacy Compliance

$7.8M: First CCPA enforcement action — Sephora AG settlement (2022) — sets hospitality precedent
45 days: CCPA opt-out of sale/sharing requests must be honoured within 45 days
100M+: US hotel loyalty programme members whose data triggers CCPA obligations
CPRA 2023: California Privacy Rights Act added sensitive personal information category
CCPA/CPRA RISK FOR HOTELS: The California Attorney General's first CCPA enforcement action against Sephora (August 2022) established that sharing guest data with advertising technology vendors — including hotel booking analytics platforms and retargeting cookies — constitutes a 'sale or sharing' of personal information under CCPA even without monetary consideration. US hotels using Google Analytics 4, Meta Pixel, or any third-party cookie analytics on their booking websites must provide a 'Do Not Sell or Share My Personal Information' link and honour opt-outs within 45 days. The CPRA (2023) added the California Privacy Protection Agency as an independent enforcement body with $7,500/intentional violation authority.
Section 1

CCPA/CPRA: The US Privacy Law Hotels Must Master

KEY ENFORCEMENT — California AG CCPA Enforcement (2022-2024)

First Fine: Sephora $1.2M — failure to process opt-out requests (August 2022)
Sector: Retail/hospitality cookie analytics = 'sale' under CCPA
Exposure: $7,500 per intentional violation (CPRA 2023 amendment)
CPRA Regulator: California Privacy Protection Agency (CPPA) — independent enforcement from 2023

The California Consumer Privacy Act (CCPA, effective January 2020) and its amendment the California Privacy Rights Act (CPRA, effective January 2023) are the most stringent US privacy laws. They apply to for-profit businesses — including hotels — that: (1) have gross annual revenues exceeding $25 million; (2) buy, sell, or share for commercial purposes the personal information of 100,000+ consumers; or (3) derive 50%+ of revenue from selling personal information. Most branded and major independent hotels meet at least the revenue threshold. The CPRA created the California Privacy Protection Agency (CPPA) as an independent enforcement body, significantly increasing enforcement activity.

'Sale or Sharing' — Hotel Analytics & Cookies

Under CCPA, sharing guest data with advertising platforms (Google, Meta) even via pixel tracking constitutes 'sharing for cross-context behavioural advertising.' Sephora's $1.2M fine established this applies to any business using standard marketing analytics. Hotels must provide opt-out links on all consumer-facing websites.

Sensitive Personal Information (SPI) — CPRA Addition

CPRA added a 'sensitive personal information' category requiring enhanced rights. For hotels: precise geolocation (GPS tracking in hotel apps), account login credentials, health/disability data (accessible room requests), and racial/ethnic origin inferred from loyalty data all qualify as SPI.

Loyalty Programme Data — Do Not Sell Rights

Hotel loyalty members' purchase history, travel patterns, and preference data are personal information under CCPA. Members must be able to opt out of the sale or sharing of this data. Hotels cannot penalise guests (reduce loyalty benefits) for exercising privacy rights — the CCPA non-discrimination provision.

Section 2

CCPA/CPRA Obligations for Hotel Operations

Consumer Rights Under CCPA/CPRA

CCPA/CPRA provides California consumers (hotel guests, loyalty members, job applicants, website visitors) with:
  • Right to Know: what personal information is collected, used, disclosed.
  • Right to Delete: request deletion of personal information.
  • Right to Correct: correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: including via the Global Privacy Control (GPC) browser signal.
  • Right to Limit Use of SPI: limit use of sensitive personal information to disclosed purposes.
  • Right to Non-Discrimination: cannot be denied service for exercising rights.

Privacy Notice Requirements

Hotel websites must include:
  • an at-collection notice for all data collected online;
  • a 'Do Not Sell or Share My Personal Information' link (or 'Your Privacy Choices') visible from the homepage;
  • a comprehensive Privacy Policy covering all CCPA/CPRA categories;
  • data retention periods by category; and
  • a contact method for submitting consumer requests.
The CPPA's 2023 enforcement sweep found most hotel websites lacked GPC signal recognition.

Global Privacy Control (GPC)

The CPRA and CPPA regulations require businesses to treat a GPC browser signal as a valid opt-out of sale/sharing. Hotels using analytics, advertising pixels, or A/B testing platforms on their booking websites must configure their consent management platform (OneTrust, Cookiebot, TrustArc) to honour GPC signals. The AG's Sephora enforcement action specifically cited failure to honour GPC signals.
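The gate described above, as an added example that is not code from this page or from the Claire product: it reads the GPC signal from both places the GPC specification defines (the `Sec-GPC: 1` request header on the server and `navigator.globalPrivacyControl` in the browser), treats either one or a stored manual opt-out as a valid opt-out of sale/sharing, and then blocks every non-essential tag before it loads. The tag names, the request objects and the decision to persist the opt-out are constructed assumptions for illustration.

```javascript
// Added example (not from the page or the Claire product): a minimal Global Privacy
// Control (GPC) gate placed in front of a hotel booking site's advertising tags.
// Tag names and the request objects below are constructed stand-ins.

// Tags that run the booking flow itself; an opt-out of sale/sharing does not cover these.
const ESSENTIAL_TAGS = new Set(["session", "booking_engine", "payment_iframe"]);

// Server side: GPC travels as the request header "Sec-GPC: 1". Header names are
// case-insensitive, so compare after lower-casing. Any value other than "1" is not a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is true when the user has turned GPC on.
// The navigator object is passed in so the function also runs under Node with a stand-in.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which requested tags may load for this page view.
// A GPC signal from either side, or a previously stored manual opt-out, counts as a
// valid opt-out of sale/sharing: every non-essential tag is then blocked (default deny,
// so a tag nobody classified cannot keep sharing data by omission). The returned record
// is shaped so it can be appended to the opt-out request log.
function decideTagLoads({ headers = {}, nav = null, storedOptOut = false, requestedTags = [] }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optedOut = signal || storedOptOut;
  const allowed = [];
  const blocked = [];
  for (const tag of requestedTags) {
    if (!optedOut || ESSENTIAL_TAGS.has(tag)) {
      allowed.push(tag);
    } else {
      blocked.push(tag);
    }
  }
  return {
    optedOut,
    source: signal ? "gpc" : (storedOptOut ? "manual_opt_out" : "none"),
    allowed,
    blocked,
    // Persisting the choice is a design assumption of this example: once a GPC signal
    // has been seen for a visitor, later visits without the header stay opted out.
    persistOptOut: optedOut,
  };
}

// Stand-alone demonstration with a constructed request carrying the GPC header.
function demo() {
  return decideTagLoads({
    headers: { "Sec-GPC": "1", "User-Agent": "constructed-browser/1.0" },
    nav: null,
    requestedTags: ["session", "booking_engine", "meta_pixel", "ga4_ads_signals"],
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the default-deny branch is the one the enforcement sweep turned up: a consent platform that only blocks tags it has explicitly classified as advertising will keep firing anything added later, so the opt-out should block everything that is not on the essential allow-list.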

Service Provider Agreements

Under CCPA, if a hotel shares personal information with a vendor for business purposes, that vendor must be a 'Service Provider' under a written contract that: restricts the vendor from selling the data; limits use to the specified business purpose; requires deletion of data at contract end; and grants the hotel audit rights. Without compliant service provider contracts, data sharing may constitute a 'sale' triggering opt-out requirements.

CPPA ENFORCEMENT RAMP-UP 2024-2026: The California Privacy Protection Agency began independent enforcement in 2023 with expanded powers under the CPRA. The CPPA's enforcement priorities include: automated decision-making transparency (regulations adopted 2024); data broker registration; and CCPA compliance by businesses in the retail, hospitality, and travel sectors. Hotel groups should expect sector-specific enforcement actions by the CPPA between 2024 and 2026.
Section 3

How Claire Manages CCPA/CPRA Compliance for Hotels

Claire CCPA/CPRA Hotel Capabilities

Consumer Rights Portal: Self-service portal for hotel guests and loyalty members to submit Know, Delete, Correct, and Opt-Out requests; tracks 45-day response deadline.
Do Not Sell/GPC Signal Handler: Configures consent management platform to honour GPC browser signals and manual opt-out requests; stops data sharing with advertising platforms within 15 minutes.
Cookie & Pixel Audit: Scans hotel website for tracking technologies; classifies each as 'sale or sharing' under CCPA; generates opt-out flow for advertising-purpose cookies.
Loyalty Data Rights Manager: Processes CCPA deletion and opt-out requests for loyalty member profiles; ensures non-discrimination in benefits; logs all requests with verification.
Service Provider Contract Auditor: Reviews all vendor contracts for CCPA service provider clauses; flags missing restrictions; generates compliant DPA addenda.
CPRA Sensitive Data Classifier: Identifies SPI in hotel data systems (geolocation, health/disability, account credentials); applies enhanced rights and use-limitation controls.
Section 4

CCPA/CPRA Hotel Compliance Checklist

  • Privacy Policy — CCPA/CPRA Categories: Annual update of website Privacy Policy covering all 11 CCPA categories of personal information collected; disclosure of data selling/sharing activities.
  • Do Not Sell/Share Link: Visible 'Do Not Sell or Share My Personal Information' link on homepage and booking pages; operational opt-out mechanism within 45-day SLA.
  • GPC Signal Recognition: Consent management platform configured to honour Global Privacy Control browser signals as valid opt-out; tested monthly.
  • Consumer Rights Response Process: Documented procedures for Know, Delete, Correct, and Opt-Out requests; 45-day response SLA; identity verification process; request log.
  • Service Provider Contracts: CCPA service provider restrictions in all vendor contracts involving California guest data; no permissive 'sale' of data to analytics vendors.
  • Sensitive Personal Information Controls: SPI (geolocation, health, account credentials) identified in data systems; use limited to disclosed purposes; right-to-limit-use mechanism operational.
  • Loyalty Programme Opt-Out: Do Not Sell rights applied to loyalty member data; no reduction in loyalty benefits for members exercising CCPA rights.
  • Employee/Applicant CCPA Rights: CCPA rights extended to California employees and job applicants from January 2023 (CPRA expansion); HR processes updated accordingly.
  • Data Retention Schedule: CCPA-compliant retention periods documented by data category; automated deletion triggers in PMS, CRM, and loyalty systems.
  • Annual CCPA Training: Annual training for staff handling consumer data requests, cookie consent platforms, and loyalty data; includes CPRA SPI updates.
Section 5

Frequently Asked Questions

Does CCPA apply to my hotel?

CCPA applies to for-profit businesses operating in California or targeting California consumers that meet one of three thresholds: (1) gross annual revenues exceed $25M; (2) buy, sell, receive, or share personal information of 100,000+ California consumers or households annually; or (3) derive 50%+ of annual revenues from selling personal information. Most branded hotels, hotel chains, and major independent hotels with online booking platforms meet threshold 1 or 2.

Does using Google Analytics on my hotel website trigger CCPA?

Yes. The Sephora enforcement action (AG, August 2022) established that sharing guest web-browsing data with third-party advertising platforms — including via cookie analytics — constitutes 'sharing for cross-context behavioural advertising' under CCPA Section 1798.140(ah). Hotels must provide an opt-out mechanism, honour GPC signals, and enter service provider agreements with analytics vendors that restrict them from using the data for their own purposes.

Can a hotel reduce loyalty points for guests who opt out under CCPA?

No. CCPA Section 1798.125 prohibits discrimination against consumers who exercise their privacy rights. Hotels cannot deny service, charge different prices, or provide a different level of quality of service — including loyalty benefits — to consumers who opt out of the sale or sharing of their personal information. Financial incentive programmes tied to data sharing require separate, explicit consent and a good-faith value calculation.

What is 'sensitive personal information' under CPRA and how does it affect hotels?

CPRA (effective January 2023) added a category of 'sensitive personal information' (SPI) with enhanced rights. For hotels, SPI includes: precise geolocation data from hotel apps; account log-in credentials; racial or ethnic origin; health or medical information (accessible room needs, dietary health requirements); and government ID numbers. Consumers have the right to limit the use of SPI to the purpose for which it was collected; hotels must provide a 'Limit the Use of My Sensitive Personal Information' option.

How does the California Privacy Protection Agency differ from the AG?

The CPRA created the California Privacy Protection Agency (CPPA) as an independent agency with dedicated CCPA/CPRA enforcement authority from January 2023. The CPPA has rulemaking authority (it issued final CPRA regulations in March 2023) and civil enforcement powers including $2,500/violation (unintentional) and $7,500/violation (intentional or involving minors) penalties. The Attorney General retains concurrent enforcement authority. The CPPA has announced automated decision-making transparency, data brokers, and large-business compliance as 2024-2025 enforcement priorities.
