Penned by our Chief Legal Officer, Barbara Sinsley.‍

Likely gone are the days of long chats at hotel front desks. The new “socially distanced” hotels would prioritise personal space and comfort over repeated interactions.As hotels attempt to navigate and adapt to COVID-19 regulations and best-practices, let us keep in mind that hotels have taken the lead for years in compliance with the American with Disability Act (ADA) privacy and security laws.While there is no long-term precedent for screening for COVID-19 symptoms or how to best exclude those with such symptoms, it is potentially problematic and could expose a business to liability for a hotel to not attempt to adapt to new practices. The ADA precludes a place of public accommodation from using “eligibility criteria” to determine entry to a hotel: unless the public accommodation can establish that it is “necessary” to the conduct of the services or activities of that business if there is a “direct threat” to the health or safety of others. COVID-19 certainly appears to fall into the category of “direct threat”.Perhaps high temperature alone could be used to define “direct threat”, yet asymptomatic individuals with COVID-19 could still enter and present the same risk to employees and other customers. There needs to be other ways for management to assess a potential threat. In the circumstance where a hotel customer has self-identified as having COVID-19, thus presenting a “direct threat” to the health or safety of others, a hotel operator’s decision will likely turn to whether the “threat” presented can be mitigated by preventive measures taken either by the business or the customer.

Detecting temperature during check-in

One solution could be the use of self-service check-in kiosks that uses artificial intelligence (AI) to detect temperature (with the consent of the guest). When above normal temperatures are detected, hotel management would be notified. In a case whereby the guest self-identifies as possibly having COVID-19, the issue then becomes the privacy of the guest and whether or not self-identification is a strong enough case for the hotel to declare the incoming guest a “direct threat”.* Noting that temperature alone may not be a sufficient “direct treat” unless that guest were to consent to further testing.

Navigating privacy policies in the US

United States hotel customers have a right to privacy and the protection of their data (i.e. no intrusion on seclusion). California has taken the lead on privacy initiative with the California Consumer Protection Act (“CCPA”) as well as the California Online Privacy Protection Act (“CalOPPA”).  CalOPPA requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes and the effective date of the policy. While CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications (likely due to the fact that when the state law was passed in 2004, smartphones and mobile applications were just being developed), the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service”.

Addressing privacy issues with technology

Hotels can address privacy and “direct threats” related to COVID-19 with consumer disclosures and consents given to or by the consumers. Some possible solutions to mitigate the risk of posing threats:

• Self-service check-in kiosks with temperature checks. For privacy reasons, this information can be anonymized if necessary, yet tracked for compliance and risk mitigation purposes.
• The implementation of rigorous cleaning and disinfecting routines
• New technologies such as antimicrobial touch screens for kiosks,

A self-service kiosk can also be a dual-purpose technology, not just to detect a customer’s temperature, but also at the same time provide privacy disclosures and “opt-ins” to the sharing of information as a condition to entry - allowing the business to use that person’s personal information with consent.  Any privacy disclosure should be accompanied by with standard Terms of Use and other data protection safeguards.

Learning to live alongside COVID-19

Moving forward, social distancing, masks, temperature checks, and self-identification of symptoms will be part of the “new normal”. At the same time, the use of technologies such as artificial intelligence, technology, tracking, and tracing must consider not only the privacy of incoming new customers, but also the health and safety of all employees and existing customers. Find out if your hotel or business is ready for the new normal with our free privacy compliance checklist!