Hospitality’s move to mobile raises legal risks

The hospitality industry is embracing mobile applications for everything from social media and loyalty programs to reservations, keyless entry and remote check-ins. These apps enhance brand loyalty by simplifying interactions, but raise legal risks in the United States.

Data security, privacy

Cybersecurity is critical. Hotels and restaurants have consistently been a top target for hackers because they hold vast troves of credit card data and their cybersecurity has often been lax. Consumers’ increased use of mobile apps means hospitality companies now collect, store and must secure additional categories of sensitive data (e.g., social security numbers, location, transaction information, personal preferences for goods, services and accommodations, and financial and credit card information).  

In 2012, the Federal Trade Commission (FTC) sued Wyndham hotels for “unfair and deceptive” advertising for misrepresenting its security measures. Wyndham’s lack of protection led to a series of breaches of its hotels and subsidiaries, resulting in over 600,000 credit card numbers being compromised. In 2015, the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate “unfair” cybersecurity practices, despite the absence of any specific security requirements articulated by the FTC.

This means that businesses must accurately portray their cybersecurity protection, implement at least the minimum necessary security measures (e.g., firewalls, encryption, access controls, vendor management and incident response planning) and understand that cybersecurity is a dynamic standard. Inadequate or static cybersecurity increases a company’s risk of a breach, and triggers regulatory investigations and fines, consumer class action litigation and reputational damage.

In another case, the FTC fined a company for advertising that its business management software had a level of security that the software did not actually achieve.

The FTC is also pursuing other allegedly deceptive privacy practices involving mobile apps, including undisclosed collection of data and data collected from minors.

To minimize legal risks, hospitality companies must ensure that their mobile apps include a privacy policy detailing what information will be collected, how it will be used, and how consumers can opt out. Companies must ensure that the actual data collection practices correspond to the representations made in that policy, even as new features and functionalities develop.

As a best practice, companies should perform a data privacy and security compliance audit, including a review of privacy policies and data collection/storage; review and address data and privacy issues for all vendor agreements; implement and test a data breach response plan; and consider cyber insurance.

FTC endorsement guidelines

The FTC has been vigilant in enforcing its Endorsement Guidelines, specifically regarding social media marketing activity. The guidelines require the clear and conspicuous disclosure of any material connection between an advertiser and an endorser when the relationship is not otherwise apparent to consumers. As hotels and restaurants increasingly rely on social media for testimonials, compliance with these guidelines is crucial.

Hotels and restaurants incentivize social media users to “like,” post favorable reviews, or upload videos of their experiences, and compensate them with rewards points, for example. This is not illegal, but the FTC has penalized companies if the incentive is not disclosed in connection with the endorsement.

The guidelines state that an endorsement is any advertising message, including “likes”, reviews, video uploads, blog posts, etc. A “material connection” includes any form of compensation, including money, reward points, entry in sweepstakes, discounts, coupons, free samples or services, and anything else of value. The brand on whose behalf the endorsement is being made is obligated to inform the consumer of the need to disclose and must take steps to ensure the consumer complies.

If the endorser is an employee or ad agency acting on behalf of the brand, this connection must be disclosed, and the FTC has a history of strongly enforcing this.

Sweepstakes and contests

Many businesses use social media sweepstakes and contests, allowing users to trade “likes” or other posts for an entry. Under the Endorsement Guidelines, this constitutes a “material connection” and should be clearly and conspicuously disclosed.  Companies should provide clear instructions to entrants on how they must make these disclosures.  For example, any posts traded for an entry into a sweepstakes may contain a hashtag such as “#contest” or “#sweepstakes.”

Companies must comply with other applicable sweepstakes and contest laws, such as posting “Official Rules” that entrants must review and accept. The official rules must clearly disclose all information surrounding the sweepstakes or contest, including start/end date and time, number and value of prizes, means of entry, odds of winning, prize drawing and winner notification processes, and other rules. Moreover, specific short rules language, stating this information in a more general fashion, should be included in promotional or advertising materials for the sweepstakes or contest.

If sweepstakes are entered via social media platforms, they must comply with the respective platforms’ social media sweepstakes policies.

TOS and EULA

An effective, customized Terms of Service (TOS) and End User License Agreement (EULA) function as a contract between the company and the end user. Often these two agreements are referred to interchangeably, but they are distinct and serve different purposes.

The TOS governs a consumer’s access to online services, which may be via a mobile app or web browser. The EULA is a software license for the consumer’s use of a mobile application that is downloaded.

These agreements are typically given little consideration, under the assumption consumers never read them. However, these documents, if executed correctly, protect the business. Courts have refused to enforce TOS or EULA provisions due to poor drafting that could have easily been avoided.

Protect your IP

As mobile applications proliferate, competitors often copy the features of successful apps. As a result, companies should consider comprehensive intellectual property protection strategies for their apps. Patents can be obtained to protect the functional aspects and processes, and design patents are increasingly being used to protect the look and feel of the app. Copyright and trademarks should also be considered.

In a mobile-first world, the hospitality industry needs to stay relevant with consumer preferences, but it’s equally important to understand the legal issues that can put a company in hot water with the FTC.

 


 

Contributed by James Gatto and Laura Jehl, partners in Sheppard, Mullin, Richter & Hampton LLP’s Washington, D.C., office, and Danielle Brennan, associate, San Francisco
