hotels.com privacy policy — score 48/100 (high risk)
Ultima analisi
Il contenuto del report (sintesi, risultati, citazioni) è stato generato in inglese e non è localizzato.
Hotels.com (Expedia Group) · hotels.com
Dettagli del report
high rischioHotels.com (Expedia Group) collects an unusually broad range of personal data — including sensitive data, voice recordings, and co-traveler info — shares it widely with advertisers and Expedia Group brands, and uses it for extensive AI purposes with no opt-out, making this a data-hungry policy despite decent transfer safeguards.
Hotels.com's privacy statement covers an expansive data collection and sharing ecosystem. While the policy is structured and references EU-relevant safeguards (DPF certification, SCCs, Global-CBPR), the sheer breadth of data categories, purposes, and third-party recipients raises significant minimization concerns. AI usage is pervasive with no opt-out mechanism. Legitimate interest is claimed broadly for marketing and profiling. Retention periods are undefined beyond vague criteria. EU users' rights are described conditionally rather than affirmatively.
Valutazione per categoria
Suddivisione dell'informativa nelle principali aree di conformità. Buono = solido, discreto = misto, scarso = preoccupante.
Collects 15+ categories of personal data including government ID, voice recordings, clickstream reconstructions, sensitive data, and co-traveler info — many used for 6+ purposes, far exceeding what is necessary for booking a hotel.
The policy is detailed with tables mapping data categories to purposes and lawful bases, but it is overwhelmingly long and uses conditional language ('certain countries and regions') rather than clearly stating GDPR rights affirmatively for EU users.
Data is shared with Expedia Group companies (joint controllers), travel suppliers, targeted advertising partners, social media platforms, business partners, and data brokers — some acting as independent controllers with their own separate privacy policies.
DPF certification with SCC fallbacks and Global-CBPR participation provide legitimate transfer mechanisms, but onward transfers to numerous third-party advertisers and social media platforms are not individually assessed or disclosed.
AI is used extensively across 13+ categories including content generation, recommendations, and pricing, all justified by legitimate interest — there is no opt-out mechanism for AI processing and no explicit statement on whether data trains foundational models.
GDPR rights are referenced but described conditionally ('certain countries and regions provide their residents with additional rights') rather than stated as universal EU rights; rights details are outsourced to a separate webpage.
Risultati chiave
Clausole rilevanti, problemi o buone pratiche individuate (critici per primi)
Overly broad legitimate interest claims for marketing and profiling
The policy claims legitimate interest as a lawful basis for marketing communications, targeted advertising, and building enriched user profiles across Expedia Group brands. Under GDPR Article 6(1)(f), marketing via legitimate interest requires a careful balancing test — particularly for profiling and cross-brand data synchronization. The policy states 'we will always assess it against the potential impact on your rights' but provides no specific balancing outcome or mechanism for users to challenge this assessment.
No opt-out for AI/ML processing of personal data
The AI section lists 13+ use categories (pricing, fraud detection, content generation, recommendations, anomaly detection, etc.) all processed under legitimate interest. There is no mechanism to opt out of AI processing of your personal data. The policy only addresses automated decision-making with legal effects, not the broader AI processing. EU users have no way to object to their data being used for AI feature generation, content generation, or enrichment of other applications.
Co-traveler and third-party data collection without direct consent mechanisms
The policy collects 'Friends, connections and co-traveler data' including data about travel companions and referred friends. The lawful basis listed includes 'Consent (including consent you may have received from friends or co-travelers), where applicable' — this implies Hotels.com relies on the booking person's consent for third parties' data, which is legally insufficient under GDPR. Co-travelers have no direct way to learn about or control this processing.
Vague retention periods with no specific timelines
The Record Retention section lists only criteria (duration of relationship, legal obligations, litigation holds, backup needs) but provides zero specific retention periods. GDPR Article 5(1)(e) requires that personal data be kept 'no longer than is necessary for the purposes.' Without defined periods, there is no way to assess compliance or for users to understand when their data will be deleted.
Sensitive data collection with minimal justification
The policy collects 'Sensitive data — data that could reveal racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or health or disability information' and cites legal obligations and consent as lawful bases. The example given (cancellation evidence) is narrow, but the category is listed as available for Platform Usage, Communications, and Security purposes broadly. This creates a risk of scope creep beyond the narrow justified use case.
Extensive onward sharing to independent controllers without equivalent safeguards
Data is shared with targeted advertising partners, social media platforms, and business partners who may act as independent controllers. The policy notes these parties are 'primarily independently responsible for their compliance with applicable data protection laws' but does not describe what contractual or technical safeguards Hotels.com imposes on these onward transfers, beyond noting DPF onward transfer liability for Expedia, Inc. specifically.
Clickstream data reconstruction across devices and visits
The policy describes collecting clickstream data to 'reconstruct your site journey modeled on the timing and location of your actions, and include data from different devices, distinct site visits, and visits to our other platforms.' This constitutes cross-device profiling that combines data from multiple contexts, raising concerns under GDPR Article 22 and ePrivacy requirements, yet is justified solely by legitimate interest and consent 'where requested.'
Sintesi per l'utente
Your data flows far beyond booking a hotel — it's shared across the entire Expedia Group, used to train AI systems, and sent to advertisers for targeting, with no way to opt out of AI processing.
Postura di conformità
Mixed compliance posture: strong on international transfer mechanisms (DPF, SCCs, CBPR) but weak on data minimization, purpose limitation, and AI transparency. Legitimate interest claims for marketing are aggressive and may not survive scrutiny under GDPR Article 6(1)(f).
Trasferimenti UE
Data is transferred to the US and other countries. DPF certification is in place with SCC fallbacks, which is adequate under current EU law, but the breadth of onward transfers to third-party advertisers and social media platforms creates risk if those parties lack equivalent safeguards.
Segnali rilevati
Dati e pratiche specifiche identificate nel testo
Estratti probatori
Citazioni dirette dall'informativa a supporto di questi risultati
We may reconstruct your site journey modeled on the timing and location of your actions, and include data from different devices, distinct site visits, and visits to our other platforms.
We will not engage in automated decision-making that involves a decision with legal or similarly significant effects solely based on automated processing of personal data, unless: you explicitly consented to the processing, the processing is necessary for entering into a contract, or when otherwise authorized by applicable law.
Consent (including consent you may have received from friends or co-travelers), where applicable
We will retain your personal data in accordance with all applicable laws, for as long as it may be relevant to fulfill the purposes set forth in this Privacy Statement, unless a longer retention period is required or permitted by law.
These third-party service providers are primarily independently responsible for their compliance with applicable data protection laws.
Certain countries and regions allow us to process personal data on the basis of legitimate interests... this interest will typically be to operate or improve our platform and communicate with you as necessary to provide our services to you... to undertake marketing, or for the purpose of detecting or preventing illegal activities.
Mancante o poco chiaro
- No specific data retention periods defined
- No DPIA summary or reference for high-risk processing
- No explicit opt-out for AI/ML training use of personal data
- No detail on co-traveler rights notification mechanism
- No description of data protection impact assessment for sensitive data processing
- No specification of which third-party advertising partners receive data
- No clear mechanism to object to legitimate interest processing beyond marketing
- No information on data breach history or notification timeline
Domande da porre
- What specific balancing test has Hotels.com conducted to justify legitimate interest for marketing and cross-brand profiling, and can you provide the documentation?
- How can EU users opt out of their personal data being used for AI feature generation, content generation, and model enrichment?
- What mechanism exists to notify co-travelers whose data you collect through a booking person, and how can they exercise their GDPR rights independently?
- What are the specific retention periods for each category of personal data, not just the criteria for determining them?
- Which targeted advertising partners and social media platforms receive personal data, and what specific safeguards (beyond DPF certification) apply to those onward transfers?
- Has a Data Protection Impact Assessment been conducted for the clickstream reconstruction across devices and the processing of sensitive data categories?
Condividi questa analisi
Chiunque abbia questo link può visualizzare il risultato sopra.
Realizzato da DentroChat
Chat IA 100% europea per tutti
Chatta con l'IA, lavora con file, genera immagini e cerca sul web. I dati restano in Europa.