[pasbesoin]

It seems law and regulation are going to have to clearly define and constrain what these organizations are allowed to collect and what they are not allowed to collect -- or, rather, that everything else is off-limits.

Guests need to be offered the question of whether they care to share X data, and guaranteed that a "no" answer will not affect their ability to do business and receive services in the slightest -- nor the price they receive.

Many people scream bloody murder WRT regulation. However, here we have a clear and repeated industry failure -- one with significant knock-on costs and risks.

So, tough. You failed.

I could also cough up a protest on my part against the whole misleading notion of "self-regulation". And point out that in an era of increasing consolidation into brands under very few and very large holding companies, effective competition -- including and with respect to data and security practices -- is largely absent.

P.S. Where data collection is required, standards and aggressive auditing should be funded and enforced.

People in the U.S. generally seem to have no problem with FDA regulation and inspection of meat production. (Not realizing how industry political initiatives continue to stress and periodically threaten this, e.g. inspection budgets.)

Well, it seems we're to the point of needing and FDA for data, or something like.

I say this with trepidation. And any initiative should come with a healthy dose of "audit the auditor", to keep requirements and process transparency to a maximum and minimize the governments' own carve-outs and attempts to siphon off the data whose processing are under inspection.

Back to my accounting days. How do you prevent mistakes, error, and fraud? Well, orthogonal processes with robust cross-checks certainly help.

[jstanley]

The only reason the hotels are collecting passport numbers in the first place is because of regulations requiring them to.

[lotsofpulp]

It also helps verify against people causing damage to the hotel. Business where the transaction is not a simple "seller provides item - buyer pays seller" have different risks involved, and therefore need to additional measures to protect against them.

Requiring credit cards, government issued photo ID, age over 21 are all methods of preventing guests who trash rooms, sneak in pets and cause noise disturbances, underage partiers, pimps and hookers, drug dealers, excessively dirty and causing pest problems etc from messing up the business. Same with car rentals and flights. Some people are problematic, and it affects other customers, and you need a way to mitigate the problem.

In the US, almost all local ordinances require hotel operators to keep track of who is staying in which room for a year or so (some even require photocopying, although that's not always followed), and to hand over that info to police whenever they demand it.

[true_religion]

With regards to EU law, hotels are required to keep the passport numbers of foreign national guests on file.