This week, we'll explore how Vail Resorts handles the security of your personal information.
Privacy Policy
As discussed in my week 4 blog, Vail Resorts focuses a lot of their Search Engine Marketing tactics in foreign countries. However, we'll be looking at their privacy policy, which states that their data collection and usage are based on US laws, and the usage of this site gives permission to share information worldwide according to this policy.
In the United States, laws and regulations are generally much looser than regulations worldwide. The United States favors self-regulation for data privacy on the internet. However, the Federal Trade Commission has federal privacy legislation passed in three sectors: children under 13, the financial industry, and the healthcare industry. Vail Resorts follows the FTC's guidelines where relevant.
This part of the privacy policy clearly outlines what is available for users of the site and services that are under the age of 13. Parental consent is necessary, and the child's information cannot be used for marketing purposes, nor be shared with third parties.
FIPP Guidelines
The fair information practices principles attempt to set a standard of personal data collection for all internet-using countries. These principles are listed below:
- Notice/Awareness - Giving the user notice before the information is collected
- Choice/Consent - Giving the user control over how much and what information is used
- Access/Participation - Giving the user transparency on the accuracy of the data, and allowing them the opportunity to change if necessary
- Enforcement/Redress - Having a mechanism in place to enforce these principles and how affected parties can be compensated if these terms are violated
Although this section is labeled "consent", this section outlines the notice of data collection.
This lengthy section provides information about what information is collected, and how the data is used. This would fit into the choice/consent guidelines. I am pleasantly surprised with the examples provided. The language is suited towards the benefits for the user, rather than the use of the data for Vail's benefit. The way this was written provides more clarity and trust than other privacy policies I've read. Usually, the trust isn't there, and I'd rather not participate in providing personal data, but the benefits of the service I'm reading about are worth the data collection.
The access and participation part is very short. I haven't created an account on this site, but I assume a user could change their information after logging in. However, there are contact points provided here if someone needs information changed.
Finally, the enforcement/redress section is covered here. Again, the disclosure of US operations is included here, and a contact address for Vail Corporation is located here.
Although this privacy policy was written 6 1/2 years ago, it is still relevant and effective. Vail hasn't been involved in any major controversies or data breaches. One of their biggest competitive advantages is a value-added service that tracks the vertical feet that a visitor skied/snowboarded that day, as well as keeping track of any professional photography that Vail employees took of that user. These items are available for social share, so Vail has deep links to a user's information, but provides plenty of incentive for a user to provide private information.
The only hole I can see in the handling of private identifiable information is that, as Vail Corporation continues to acquire mountain resorts in other countries (recently Whistler, BC, Canada and Perisher, Australia), their privacy regulations may suffer from the expansion.