Deploying AI in a hotel chain? How to mitigate privacy & digital regulatory risk

Written By

Heather Catchpole

Associate
UK

I am an Associate in our London Privacy & Data Protection team with strong expertise in Online Safety.

This article is based on Bird & Bird’s presentation at the webinar “Decrypting Data & AI in hotels” co-hosted with HVS, AlixPartners and EP Business in Hospitality – you can also access the recording here

AI is, of course, the buzzword of the moment and the hotel sector presents a number of exciting opportunities. However, due to regulatory enforcement and increasingly high fines combined with a desire to ensure the guest experience retains a “personal touch”, there can be a reticence in the sector to implement AI technologies. 

This article explores how you can identify and mitigate privacy and other digital regulatory risks in the EU and UK when rolling out AI in the hotel sector. 

What are the AI opportunities, and which risks do we need to mitigate? 

In our experience, three key use cases have driven uptake of AI tools in the hotel sector: 

  1. AdTech, sales and marketing;

  2. Guest experience (Chatbots); and

  3. Optimising operational efficiency, including via “Internet of Things” (“IoT”) devices.

The above drivers are set out below. To help with the scoping of your regulatory risk assessment, we have also set out the digital regulations most likely to be relevant to each use case.

Adtech, sales and marketing

Adtech partner companies offer services involving running web visitor or guest data through AI-powered algorithms to help better target a hotel’s marketing campaigns or online advertisements.

AI can also be used to generate dynamic pricing.

Adtech tools usually involve the processing of personal data, so the GDPR is likely to apply. Inform privacy teams early on where a new Adtech vendor is being onboarded. To the extent cookie or other tracking technology data is fed into these tools, ePrivacy rules will also be relevant.

Hotel brands advertising on third-party online platforms in scope of the Digital Services Act (“DSA”) will find they are indirectly affected – for example, the DSA requires platforms to make brands’ campaign targeting parameters public, and campaigns relying on profiling using special category or minors’ data will be prohibited.

If planning to use dynamic pricing, be aware of consumer regulations that may impact these practices.

Guest experience (chatbots)

The largest hotel brands have been rolling out “virtual concierges” to give guests personalised recommendations about local attractions and provide customer service.

Examples include Renaissance Hotels’ (owned by Marriott) “RENAI” bot; Hilton’s AI-powered concierge “Connie”; and Edwardian Hotels' (owned by Radisson Blu Hotels) AI chatbot “Edward”.

The AI Act (already in force but becoming applicable on a phased basis) has important provisions around transparency of chatbots. Additional transparency rules will apply if the chatbot integrates an emotion recognition system, for example in the context of customer service.

Chatbots have been a focus of GDPR regulatory interest to date. It’s therefore important to be clear whether guest or other consumer personal data has been used to fine-tune your chatbot’s training dataset or used to target the chatbot’s recommendations.

If the chatbot is making promotional offers to guests (including via instant messaging such as WhatsApp) then these are likely to constitute direct marketing, meaning ePrivacy rules will apply on top of GDPR.

Optimising operational efficiency, including via IoT devices

AI can play a critical role in maximising the operational efficiency of a hotel. For example, sensors or IoT devices measuring occupancy and environmental data can help adjust ventilation, heating and air conditioning to reduce energy waste.

Where IoT devices are used to obtain information, they (along with apps used to control them) may qualify as connected products and related services under the Data Act. Although in a hotel context a careful factual analysis of applicability will be needed, it is possible that hotels might be able to leverage the Data Act to benefit from increased access to IoT data from device manufacturers.

The GDPR will not always be relevant (for example, operational data collected may only relate to communal areas) but where relating to specific rooms for example, the possibility of such data being personal data should be considered. 

Lastly, the impact of new cyber-security regulations in the EU should be considered when diligencing connected product manufacturers, for example the EU Cyber Resilience Act.

 

Top tips to navigate AI legal risk – your digital regulation checklist 

We recommend teams keep the following points in mind when analysing the digital regulatory impact of a new AI tool. 

  • Understand the tech you are implementing – by knowing the facts (for example, the specific training data, or the location of model hosting), your teams will be able to scope effectively for applicable laws.
  • Start with scoping, and think broad – although GDPR and security considerations remain important, there are new regulations across the EU and UK which need to be considered – a number of which have fines set at GDPR level or above. 
  • Diligence vendors and review contractual risk allocation – in particular, review liability provisions to avoid being held responsible for vendor non-compliance. Careful consideration will also need to be given to apportionment of risk between hotel owner and operator. Bird & Bird has produced a “contracting for AI” guide with key pointers – to request a copy, contact a member of the Bird & Bird team here. 
  • Diligence acquisitions for digital regulation compliance – there have been previous examples (for example the ICO fine of Marriott in connection with its Starwood acquisition) of brand owners being penalised for failing to pick up on regulatory issues during due diligence. 
  • Risk assessments are key – a number of digital regulations (such as the GDPR, AI Act and UK Online Safety Act) place emphasis on risk assessments. Privacy regulators have also focused on the importance of risk assessments when enforcing AI compliance to date. It’s therefore critical to get the risk assessment stage right.
  • Document the decisions you take – this is important, so you are able to explain and demonstrate your reasoning to a regulator or during an acquisition process.
  • Use compliance to build trust with guests – Ultimately, AI compliance can help persuade guests you are continuing to provide a personal experience with their welfare at heart.
