TravelTech & OTAs
Liability Check
TravelTech & OTAs handling passport details, itineraries, and real-time location data face immense scrutiny, with potential penalties up to ₹250 Crore for data breaches and non-compliance.
Why TravelTech & OTAs is at Risk
From booking flights on MakeMyTrip to hotel check-ins via OYO, travel platforms gather a treasure trove of personal data. This includes **passport numbers**, **travel history**, **payment details**, and even **health information** for travel insurance. Sharing this data across a complex ecosystem of airlines, hotels, car rentals, and payment gateways without explicit, granular consent or clear purpose limitation can lead to severe DPDP violations. The **cross-border transfer** of personal data, a common practice in global travel, adds another layer of compliance complexity, making you a prime target for high penalties.
Common Violations
- 1.Retaining passenger passport details and visa information beyond the required travel period and legal obligations.
- 2.Sharing customer flight/hotel booking patterns with marketing affiliates for personalized ad targeting without explicit consent.
- 3.Using location data collected during travel (e.g., via app) for purposes unrelated to the booking without informing the Data Principal.
The Immediate Fix
Conduct a data mapping exercise to identify all personal data collected, stored, and shared across your entire travel ecosystem. Immediately review your consent mechanisms, ensuring clear, granular opt-ins for all data sharing with partners (airlines, hotels, insurance). Update your privacy policy to explicitly detail how data is used and who it's shared with, especially for cross-border transfers.
Projected Compliance Deadline: Immediate