GDPR Compliance in a Tourist Town


New Orleans is a tourism haven. Folks from all edges of the Earth are lured to the magic of this city again and again. In 2016, we broke a tourism record hosting 10.45 million out-of-towners, and this year, with our tricentennial celebrations and the addition of Condor’s direct flights to Germany and over 130 European destinations to Armstrong Airport this summer, international tourism is only projected to increase. In fact, The New York Times named New Orleans the #1 travel destination of 2018.

Come May 25, every business in New Orleans that does business with Europeans, whether in the tourism space or beyond, will have to implement new systems to protect the data of EU citizens and comply with the new data privacy law, the General Data Protection Regulation (GDPR). With all of these tourists staying at hotels, using our online forms to find restaurants, getting festival details, and signing up for newsletters, we can’t proceed with “business as usual” anymore. Choosing to do nothing could put your business at risk of being fined up to 4% of your organization’s global turnover or 20 million Euros (about $24.5 million), whichever is higher.

If you’re not freaking out yet, it’s okay, we’re freaking out for you.

WARNING: While this piece is focused on the hospitality industry, it would be unwise to think that those offering services that Europeans research or purchase from abroad are immune. For example, if you:

  • If you sell and ship products overseas (digital or physical) from your site;
  • Offer a medical procedure that draws attention and clients from around the world (such as plastic surgery, fertility, or reconstructive);
  • Provide information via a newsletter that people beyond the US borders like to receive.

These are simple examples and by no means cover all scenarios, but if you are engaged in similar exchanges within other industries, then the following piece is worth a read. Better safe than sorry.

What is GDPR?

In a nutshell, the GDPR is a new European Union data privacy regulation that is designed to provide strong protections to the personal data of EU citizens. As individuals’ data has become more valuable to obtain and more harmful to have stolen, the EU has taken steps to make sure that their citizens are giving their personal data to reputable organizations and are aware of exactly how that data will be used. So the EU has set new obligations, and large penalties for noncompliance, on every business inside the EU and on businesses outside it that collect or use EU citizen data.

Who is affected?

You may be saying to yourself that you’re off the hook here, but you’d be surprised. Depending on what your website is built on and what technology you use to process bookings, reservations or even just simple contact/contest forms, you need to evaluate your own processes as well as the third party providers that you use on your site. If a third party provider is not GDPR compliant, the fault rests on you. We had one such case here in New Orleans just last week.

Here’s a scenario to consider:

A couple from France makes their way to New Orleans for a weekend vacation. While they are in town they want to try out one of our incredibly well-reviewed restaurants for dinner. Le pair visit the restaurant’s website and proceed to book a reservation (which happens to use the third party reservation provider OpenTable).

You may be thinking that this all falls on OpenTable’s shoulders to be GDPR compliant, but you would be wrong. According to these new rules, you need to get your own house in order, and you also need to assess whether the third party vendors through which you collect potential EU citizen information are compliant.

How do you do that? You ask them.

If you can’t find it via a Google search for something as simple as “Opentable GDPR Compliance”, then you ask them. We reached out to OpenTable (via Twitter) and asked them.

[Screenshot: OpenTable’s reply on Twitter, captured 2018-04-25]

While I am happy to see they are on it, had we not asked, we would not know that they did have a plan.

Don’t assume that those with access to your contact/customer data are "on it". Ask them. Ask ALL of them. Your hotel reservation booking engine, your email provider, your marketing automation provider: take stock of every company that has access to your data and find out if they are working toward compliance.

Steps to Getting Compliant

Most resources for GDPR compliance, like this awesome resource provided by the UK Information Commissioner, have been created by those in the EU for those in the EU. But we can glean a lot from their rules, since so many of us will have to follow them. The key point that the GDPR hits on is that our current user agreements are built on a philosophy of implied consent, which the EU believes abuses the rights of its citizens.

Depending on the sophistication of your marketing or web staff, you may not be able to limit your efforts to visitors from the EU. One thing to consider, especially while scrutiny around access to personal data is at an all-time high: data protection looks good to all of your visitors. It shows that you are dedicated to transparency and user empowerment. Following and advertising your GDPR compliance could even attract new customers from the EU, and it may also build trust with your existing clientele right here in The States.

Here are items to start with as you work toward GDPR compliance:

1) Update your Privacy Policy

A lot of privacy policies are lengthy pages written in "legalese" that occupy individual pages on websites and are incredibly inaccessible to the vast majority of internet users.

The GDPR mandates that when a citizen of the EU fills in a form with their data, the privacy policy must clearly explain what information you are collecting and how you intend to use it. This information has to be concise, transparent, accessible and free of insider jargon.

2) Affirmative Cookie Notices

Cookies can no longer hide in the background of your site. You must advertise that you are using cookies and require your webpage users to accept their use.

These users also need to be given the opportunity to opt out of cookie tracking, for instance through their browser’s privacy settings. Moreover, the exact use of cookies needs to be outlined in your new privacy policy, disclosing what the information collected will be used for. This approach replaces the standard text box, “by using this site, you are accepting the use of cookies”, with informed consent given by the user.

3) Capturing and Storing Personal Data

Do you know your data capture functionalities? They probably need to be changed.

Under the GDPR, all personal data must be explicitly protected, and users must opt in to having their data saved. This applies to data collected into databases through forms, and even to IP tracking if you are looking up the region a search comes from. If you do use IP tracking, make sure that it is expressed clearly in your new privacy policy.

4) Email Cleanup and Opt-ins

Any subscribers in your email database that were not collected according to the GDPR standards (i.e. did not give active consent) need to be removed or re-engaged with the option to give active consent to remain on your list. This re-permission email will act as your proof of consent for GDPR compliance.

5) Website Opt-In Forms 

In order to be GDPR compliant, you will have to update your contact forms. Most standard forms have pre-ticked boxes for agreeing to privacy policies and signing up for future emails. That is not okay anymore. These boxes need to explicitly ask people to opt in to each separate item of consent. That means a different tick box for email subscribing, privacy agreement, newsletters, etc. The Information Commissioner's Office states that “People should not be forced to agree to all or nothing - they may want to consent to some things but not to others.”

In addition, you need to make sure that you have a clearly defined option for opting out once they have filled the form.
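As an added illustration of items 3 through 5 (this is example code written for this article, not code from the original post or from any vendor named here), the snippet below captures per-purpose consent from separate, never pre-ticked checkboxes, stores a consent record with a timestamp and policy version as the proof of consent item 4 calls for, records opt-outs without destroying the audit trail, and splits a legacy subscriber list into addresses with provable consent and addresses that need a re-permission email. The purpose names, record layout, and sample addresses are all assumptions.

```javascript
// Added example (not from the original post): per-purpose consent capture,
// storage and re-permission triage. Purpose names, the record layout and the
// sample subscribers below are assumptions made for illustration.

// Each purpose gets its own checkbox; nothing is bundled (item 5).
const PURPOSES = ['privacy_policy', 'newsletter', 'marketing_email'];

// Field definitions a template can render as separate, unchecked checkboxes.
function consentFormFields() {
  return PURPOSES.map((purpose) => ({
    name: purpose,
    type: 'checkbox',
    checked: false, // never pre-ticked
    label: `I agree to: ${purpose.replace(/_/g, ' ')}`,
  }));
}

// Store consent exactly as the visitor gave it (item 3). Only a literal
// `true` counts as active consent; a missing box is treated as "no".
function recordConsent(submission, now = new Date()) {
  const granted = PURPOSES.filter((p) => submission[p] === true);
  return {
    email: String(submission.email).trim().toLowerCase(),
    granted,
    withdrawn: [],
    policyVersion: submission.policyVersion, // which policy text was shown
    source: 'website_form',
    timestamp: now.toISOString(), // when consent was given: this is the proof
  };
}

// The opt-out item 5 asks for: withdrawal is appended, not deleted, so the
// record still shows what was consented to and when it was withdrawn.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!record.withdrawn.includes(purpose)) {
    record.withdrawn.push(purpose);
    record.withdrawnAt = now.toISOString();
  }
  return record;
}

function hasActiveConsent(record, purpose) {
  return Boolean(record)
    && record.granted.includes(purpose)
    && !record.withdrawn.includes(purpose);
}

// Item 4: subscribers with no provable newsletter consent go to the
// re-permission list (to be re-engaged or removed); the rest are kept.
function triageSubscribers(subscribers, consentRecords) {
  const byEmail = new Map(consentRecords.map((r) => [r.email, r]));
  const keep = [];
  const rePermission = [];
  for (const email of subscribers) {
    const key = email.trim().toLowerCase();
    (hasActiveConsent(byEmail.get(key), 'newsletter') ? keep : rePermission).push(key);
  }
  return { keep, rePermission };
}

// Constructed sample data (not real submissions or subscribers).
const SAMPLE_SUBMISSIONS = [
  { email: 'Alice@example.com', privacy_policy: true, newsletter: true,
    marketing_email: false, policyVersion: '2018-05' },
  // Bob agreed to the privacy policy but left the newsletter box unticked.
  { email: 'bob@example.com', privacy_policy: true, policyVersion: '2018-05' },
];
const LEGACY_LIST = ['alice@example.com', 'bob@example.com', 'carol@example.com'];

function demo() {
  const records = SAMPLE_SUBMISSIONS.map(
    (s) => recordConsent(s, new Date('2018-05-25T00:00:00Z')),
  );
  return triageSubscribers(LEGACY_LIST, records);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file shows Alice kept and Bob and Carol routed to the re-permission email. The design choice worth noting is that consent is decided by a literal `true` from the form handler rather than by the presence of a field, so a template that accidentally pre-ticks a box or a form that posts a default value cannot manufacture consent on the server side.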

The Compliance Clock is Ticking

It’s time to face the facts. You have less than a month to get your site GDPR compliant so that you can take advantage of the international tricentennial tourism boom and avoid potentially business-closing fines.

The items above are a start, but there is more to be done. Your best bet is to get moving on these while determining a full strategy for handling these new requirements for the long haul.

We’ve curated links to additional resources and articles that help to answer any lingering questions you might have.

One final note: if you are currently targeting digital ads to any European countries, keep an eye on your paid search and digital traffic, conversions and ad spend. These changes will affect how ads can be targeted, which will likely result in some drop in ad impressions, site visits and potential revenue.

Don’t have the time or the personnel to make the changes you need? Contact us to discuss a strategy to get your website on the path to compliance.
