Media Statements

In the light of the growing popularity of online travel platforms and mobile applications, the Office of the Privacy Commissioner for Personal Data (PCPD) reviewed 10 online travel platforms (including the relevant websites and mobile applications) commonly used by citizens to understand how these platforms collect and use the personal data of their users, and released a report titled “A Study of the Collection of Personal Data by 10 Online Travel Platforms” today. The 10 platforms are (in alphabetical order) Agoda, EGL Tours, Expedia, Goldjoy Holidays, Miramar Travel, Sunflower Travel, Travel Expert, Trip.com, Wing On Travel and WWPKG.
 
In the course of the review, some of the travel platforms have taken actions to make improvements to the provision of privacy protection information and the user interface design of their platforms. Upon conclusion of the review by the PCPD, the practices regarding the collection of users’ personal data by the platforms are summarised as follows:

• All the online travel platforms reviewed have displayed their privacy policies on their websites and mobile applications (if any);
• All the online travel platforms reviewed have stated in their privacy policies the purposes of the collection of personal data, and the categories of third parties (e.g. airlines, hotels and insurance companies, etc.) to whom the collected personal data may be transferred;
• Only seven of the online travel platforms reviewed (Agoda, EGL Tours, Expedia, Goldjoy Holidays, Trip.com, Wing On Travel and WWPKG) have stated their data retention policies in their privacy policies;
• Expedia ranks the highest in the readability of its privacy policy amongst the 10 platforms for, among others, its succinct and clear presentation as well as effective use of headings and tables;
• All the platforms reviewed track user activities on their platforms, collecting data such as user location information and/or browsing histories;
• All the platforms reviewed have obtained users’ consents for direct marketing. Sunflower Travel only provides an option for users to provide their bundled consents. Expedia, Goldjoy Holidays, Travel Expert, Trip.com and Wing On Travel provide users with the option to accept or decline the use of their personal data for direct marketing, but the default option is “agreed”;
• Users are not required to register for or log in to an account to make reservations or purchase some travel products on all the platforms reviewed;
• If users choose to register for an account, the platforms reviewed will collect one to six types of personal data in the registration process;
• Four of the platforms reviewed (Agoda, Expedia, Trip.com and Wing On Travel) provide an option on the checkout page to automatically save the personal data entered by users; and
• Agoda and Expedia state in their privacy policies that they use artificial intelligence (AI) technologies to provide services which may involve the use of users’ personal data.

The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said “I am pleased to see that some operators of the online travel platforms have taken actions to improve the provision of privacy protection information and the user interface design of their platforms in the course of the review. The review aims to assist travel platforms in enhancing the quality of their services and increasing transparency in their collection of personal data. It also seeks to help citizens better understand the privacy protection policies and user interface design of these platforms, thereby strengthening the protection of personal data privacy when they place orders for travel products online.”
 
In view of the review results, the PCPD would like to make the following recommendations to the operators of online travel platforms on the best practices and enhancement of privacy protection:

1. Implement a Personal Data Privacy Management Programme and appoint a Data Protection Officer to monitor compliance with privacy regulations;
2. Incorporate privacy-protecting elements into the design of platforms by adopting “Privacy by Design” and “Privacy by Default”. For instance, setting the most privacy-protective option as the default option and providing users with relevant consent options timely;
3. Only collect personal data that is necessary;
4. Provide a clear and easy-to-understand privacy policy;
5. Enhance transparency in the processing of personal data by AI: If a platform uses AI to process personal data for automated decision making or other purposes in its operation, the platform should disclose in its privacy policy the purposes of the use of AI and the categories of personal data involved, as well as provide a clear explanation on how users can exercise their options in this regard;
6. Provide a convenient option to delete accounts;
7. Use third-party services (e.g. payment systems) cautiously: Ensure the reliability of the third-party service providers in the areas of privacy protection and data security;
8. Provide sufficient user control, including preferences for receiving various messages, deletion of user records, etc; and
9. Provide an option for using personal data in direct marketing: Obtain users’ consents. Should avoid configuring the default setting as “agreed”. Bundled consents from users should also be avoided.

The PCPD also provides the following tips to users of online travel platforms:

• Read the privacy policy;
• Adjust privacy settings;
• Pay attention to direct marketing settings and make corresponding choices based on personal needs;
• Provide the minimum amount of personal data;
• Beware of the use of AI, understand whether the platform uses AI to process personal data for automated decision making or other purposes, and understand the options available to the users in this regard; and
• Delete accounts that are no longer in use to reduce the risk of data leakage.

In addition, the PCPD noted that recently there are scammers impersonating operators of online travel platforms and creating bogus pages on social media platforms to perpetrate frauds. The PCPD urges members of the public to verify the authenticity of websites and social media pages before purchasing travel products online. They should stay vigilant about the merchants’ payment names and bank account numbers, and should only purchase travel products through official channels to avoid being cheated.
 
If members of the public suspect that their personal data has been swindled out of them, they may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk)
 
Report on “A Study of the Collection of Personal Data by 10 Online Travel Platforms” (Chinese version only) can be downloaded from the website of the PCPD: https://www.pcpd.org.hk/english/resources_centre/publications/files/10_online_travel_platforms.pdf  

The PCPD published a report on “A Study of the Collection of Personal Data by 10 Online Travel Platforms”.
 

－End－