Theme Park Insider

Congress starts asking questions about Disney's NextGen reservation system

January 25, 2013, 11:17 AM · So Congress is asking questions about Disney's new MyMagic+ system for reserving ride and dining times on a Walt Disney World vacation.

U.S. Rep Ed Markey (D-Mass.) has sent a letter to Disney CEO Bob Iger, asking questions about Disney's new MagicBands and their use, particularly regarding children and privacy.

I think some perspective might be helpful before anyone reacts to this story, one way or the other.

NextGen at the Haunted Mansion
Using an interactive element in the queue of the Haunted Mansion at Disney World's Magic Kingdom. Interactive queues, the new FastPass+ and MyMagic+ are all part of Disney's billion-dollar-plus "NextGen" initiative.

First, I believe it is entirely appropriate for lawmakers to be asking questions about new technology and its application in business. The last thing any of us should want is for legislators to make laws (or fail to make laws) in ignorance. They should be learning about new tech, and if it takes a letter to a corporate CEO to start that process, so be it. I also believe that it is entirely appropriate for our elected representatives to create laws that set ground rules about the application of technology, to ensure that it is not used to damage or destroy the quality of our lives. (And if we don't like the way our representatives are doing that, the solution is to elect different representatives, not to say that lawmakers should quit making laws.)

Also, keep in mind that lawmakers (and reporters!) often know the answers to the questions they ask. They're simply looking to get the person they're questioning "on the record" with a response. (I should note that Rep. Markey's office has helped get information for Theme Park Insider in the past, especially with the Accident Watch feature we started back in 2001.)

There's a federal law, called the Children's Online Privacy Protection Act, that prohibits businesses from collecting personal information online about children under age 13, without their parents' consent. That's why website registration forms almost always include a line saying "You must be 13 years of age or older to register" or something like that. Does COPPA apply to My Magic+? That's a fair question -- it uses wireless technology that might (or might not) be transmitted over the Internet, and there's definitely an online registration element to the system. If parents are compelled to give up their kids' identity and personal info to get access to Disney attractions, the government might choose to argue that's a violation of COPPA, as Disney would be taking away something it previously offered kids in retaliation for their parents not giving up their personal information. (FWIW, I think continued standby lines provide Disney an easy "out" here.)

That said, as a parent, I want full control of how my children use their Disney wristbands. I don't want Disney making decisions for me about my kids using charging privileges, and such, based on arbitrary age cut-offs. Let me decide. The spirit of COPPA was to give us parents that control for our children under 13. It's appropriate for members of Congress to defend that.

Two more thoughts, about privacy. First, about the use of personal information for marketing purposes. The big fear seems to be that companies are collecting all this information about what we do, write and share in order to send us more ads. It's true that companies crave information about consumers, but having worked with many advertisers over the years as a news publisher, I think it's worth noting that the primary aim of microtargeted ads is to stop sending advertisements to people who don't want them. Companies want to stop wasting their money buying ads seen by people who aren't ever going to buy the company's stuff. When microtargeting works, you get fewer ads you don't care about, not more. So the whole "advertisers are collecting information about you!" thing's pretty much a non-starter for me.

It's the non-marketing use of my personal information that worries me. And that's my second thought. I want some assurance that anyone tracking my day in a theme park has locked down access to that information so that it can't be used for any purpose beyond what I and the theme park have intended. Here's an example: A cast member sees a cute guest during the day, then logs into the park's reservation system to find out where that guest will be going in the park later in the day, in order to stalk him/her. That's creepy and potentially dangerous and I'm totally cool with Congress tightening laws to try to prevent that from happening.

So I hope that Rep. Markey's questions lead to some honest answers from Disney and show that the company's done the planning necessary to prevent problems with MyMagic+, FastPass+ and all of its NextGen initiative. This is some really neat technology that creates the potential to make theme park vacations into even more fun and engaging experiences. If Disney (or any other theme park company) is going to take this step, they ought to do it right.

Replies (22)

January 25, 2013 at 12:05 PM · I agree with you on all of your points. I'm not sure I'm understanding exactly (out here in California we don't have this yet.) But I know that I don't want people knowing when we are out of town. I'm a little paranoid and I tell the kids not to post anything to facebook until we've arrived home. Would this show that the entire family is gone and their house is empty to be robbed?
January 25, 2013 at 12:33 PM · Not any more than Disney knowing a family of four just made a room reservation.
January 25, 2013 at 12:52 PM · You would think that congrees would have more important things to worry about like the trade and account deficit...
January 25, 2013 at 1:10 PM · In the long run, the Disney strategy of rationing experiences versus building capacity is going to backfire in a big way. They just drop $1 billion+ into something that is not going to move the meter. This inquiry will just delay the inevitable.
January 25, 2013 at 3:02 PM · Also, keep in mind that lawmakers (and reporters!) often know the answers (that they want to hear) to the questions they ask. They're simply looking to get the person they're questioning "on the record" with a response (confirming whatever pre-conceived conclusion they think voters want to hear).

There I fixed that for you.

OK snark aside, I generally agree with your points. Initially my thought was that coming from such an established business as Disney, their lawyers would run through everything to make sure it is legal. They're not amateurs. But you raise good points that it may be abused in ways that law currently doesn't cover and it is good to find out what those ways are and perhaps refine the law. The biggest problem with crafting good legislation is that if it is too broad, then it can be misapplied, and if it is too narrow then loopholes can be exploited (consider the legal definition of "assault rifle" for a case in point of good intentions running afoul of reality). I personally hadn't considered your example of a CM stalking a guest, but I have a friend who really did encounter a CM that creepy.

January 25, 2013 at 3:47 PM · I take my daughter to Disney for four days. We stay on property. The reservationist asks the names of my family members. On day one, under my name, I purchase a Sleeping Beauty t-shirt for my daughter. On day two I purchase, under my name, a Sleeping Beauty drinking cup for my daughter. Disney identifies that "someone" in the family likes Sleeping Beauty. Disney programs the wake-up call in our room, to be from Sleeping Beauty.

And this is a violation of a federal statute? Please.

January 25, 2013 at 7:44 PM · But it's for the kids as some would put it in posts....and you know what it is for the kids and you as a parent should know what your kids are doing. It's just that now have 2 billion people knowing what your kids are doing at any particular time, I and many others have a problem with that. Many of those people don't give a flying heap what your kids do but it's the few crazy ones that you have to look out for. Personally, I don't want any of my family being spied on. I said in a lot of posts that I think this is a horrid idea because of other factors and you put security on top and they made up a nice big fat sundae of "not going to see the mouse ears ever for my family" I don't care if they have the best damn thrill ride in the universe, I'm not going to a place that heightens my family's proneness to get terrorized. Whether it be theft, stalker, or child predator. Once your info goes out on wi fi it can be easily hacked to be at anyone's beck and call. I'm sure there is some safe guards but really do you want to throw it all out there like your kids identities. It's for the kids they say, we'll do you want a child predator knowing what your kids are doing at any given moment? I am trying to scare people because this is great until someone finds a way to use it to harm someone else. Everything is not a happy place and fairy tale land and people should know the risks.
January 26, 2013 at 2:31 AM · "The spirit of COPPA was to give us parents that control for our children under 13."

And I think that's the problem with most legislation. In this day and age, the spirit of any law doesn't really matter. It's the letter that gets all of the attention.

January 26, 2013 at 3:04 AM · I would rather see my favorite resort spend a billion on all new state-of-the-art rides / attractions. Oh, wait... they already are.

This whole bizarre Disney thing only brings one thought to mind. Data mining.....

January 26, 2013 at 5:55 AM · I think this becomes a moot point with Facebook and Google out there. I have a different interpretation of TH's response. Disney is going to know you like Sleeping Beauty because you charge things to the room. How is the wristband any different than your key to the world card and your ticket?
January 26, 2013 at 9:16 AM · Making the park the platform, by increasing interactivity, by creating a fully immersive experience (whether on a ride vehicle, sitting in a theater, standing in a queue or just walking through an area) is in fact the exact same thing as spending "a billion on all new state-of-the-art rides / attractions."
January 26, 2013 at 9:21 AM · Todd Donahue writes: "It's for the kids they say, we'll do you want a child predator knowing what your kids are doing at any given moment?"

I Respond: Really? You honestly believe that Disney's interactive NextGen technology represents a significant risk that participating families may be exploited by "a child predator."

Um ... okay.


January 26, 2013 at 2:30 PM · Laugh now my 3rd person perspective TPI blogger, with out some serious safe guards it will be easy to track the where a-bouts of your whole family using the new system. What I said earlier is an extreme case but someone could find out as simple as looking at the computer and finding out that your family is having a great time with the interactive ques at said theme park and that someone could take there time robbing you out of your precious house hold goods. Especially the complete sleeping beauty mug and shirt set that you bought your kids on the last visit. Oh wait they have your name and address because thats being linked to you in the park through the new nextgen where everyone knows where everyone is. Also how hard do you think the crime check is on cast members? Do you trust a 17 year old with all your information including but not limit to you entire families identity? Because that is what will happen if nextgen goes through....
January 26, 2013 at 8:48 PM · Que the Terminator music... The wristband machine is taking out mankind. We must stop it before it knows what rides we like.... Lol really congress? Go back to work. Next thing they will say is that Disney is the reason for the debt ceiling problems... Or is it? Now que the Twilight Zone music.
January 27, 2013 at 6:51 AM · Under the current system (a system that has been in place for years) when a guest registers at a Disney hotel (or Universal hotel for that matter), they provide their name and address which is entered into a computer data base. When they book a dinner reservation the date and time is entered into the same system.

So where's the crime spree?

From your perspective it should already be "easy to track the where a-bouts" of a family using the Old/EXISTING system.

After years and years and years and hundreds of millions of resort guests, where is the significant, documented, detriment?

January 27, 2013 at 1:39 PM · My wife and I travel from Michigan to WDW twice a year and have been doing so for many, many years. Two brief comments:

1. Apparently Mr. Markey is doing what he is known for doing best---being a jerk and gadfly who just automatically assumes Disney either does not understand the privacy laws or will not follow them if it does. Typical reaction from him.

2. We really question the need for a system to reserve a ride. This takes all spontaneity out of the Disney experience and if it means longer waiting in line for an attraction because they are allowing people to reserve rides months or weeks in advance, then people like us will just stay home. The trips to WDW are costly enough as it is. To put up with a system like this would be the final straw.

January 27, 2013 at 3:39 PM · Paranoia. Typical paranoia.
I'm sorry but I just can't get worked up about this. Compared with every other way that your personal details are already 'out there' this is so insignificant that it really doesn't merit discussion...
And if you are afraid to come to Disney in case your children get stalked then I hope you don't ever let them use the internet. Period.
I'm just waiting for someone to post that of course in Universal land there'd be no issue of data stalking....
Gosh, I don't usually sound that polemic but really guys.....
January 28, 2013 at 10:33 AM · "After years and years and years and hundreds of millions of resort guests, where is the significant, documented, detriment?"

Shall we use the Google example?

"The lawmakers said the announcement raises questions about whether consumers will have enough power to opt-out of data sharing systems. They also asked what security steps are being taken to ensure the safety of customer data."

In a move that alleviates some privacy concerns, a federal judge granted part of a Justice Department request for Google search data but said users' search queries were off-limits.


Thus the data collection problem is two-fold, actually three-fold.

1. Is Disney providing sufficient privacy protections for their customers?

2. Since the data is collected, will Disney be forced to give the data to the Federal Government if so ordered? (Contradicts what lawmakers are concerned about.)

3. (Not in the articles) I heard Google has been giving the customer data to the government all along.

4. Insider customer data leakage. What do you do if a rogue employee decides to use this information?

"NEW YORK – A former admissions department employee of New York Presbyterian Hospital/Weill Cornell Medical Center confessed April 11 to stealing the personal records of nearly 40,000 patients and selling the information."

January 28, 2013 at 12:17 PM · From AdWeek: "While the MagicBand sounds like it can do everything except make coffee, it acts more as a pass key than portable computer. It doesn't collect nor hold personal information. Nor does it use GPS to track location. Like the plastic card keys used by hotels, if lost, the MagicBand cannot be linked to an individual.

But Anon Mouse asks some reasonable questions:

1. Is Disney providing sufficient privacy protections for their customers?

Has their existing system been deemed inadequate -- lacking protection from external invasion? And what information does the NextGen program provide a thief that is more tempting than the names, addresses and credit card numbers that are already in Disney's system?

2. Since the data is collected, will Disney be forced to give the data to the Federal Government if so ordered?

I'm not sure. But here's the link to Disney's privacy policy.

3. (Not in the articles) I heard Google has been giving the customer data to the government all along.

Okay. And ...?

4. Insider customer data leakage. What do you do if a rogue employee decides to use this information?

It's already happened:

"Former Walt Disney resorts employee Ana Rosa admits that she used various credit card skimming devices to steal bank or credit card numbers from traveling tourists—all while she worked for Disney in the role of receptionist for Disney's Saratoga Springs and Old Key West resorts."

But that incident was certainly not unique to the Disney system. Credit card numbers can be stolen at any business. In the Disney case, the thief was caught and sent to jail.

January 28, 2013 at 12:31 PM · "Has their existing system been deemed inadequate -- lacking protection from external invasion?"

That is the unknown. If you're aware of the hacking activities from "Anonymous", nothing is safe ANYWHERE for anyone that draws their ire.

"I'm not sure. But here's the link to Disney's privacy policy."

Which means what(?) if the court orders Disney to hand out customer data? It means your customer data is in the government's hands to use at its pleasure.

Read here "Please keep in mind that when you provide information to us on a third-party site or platform (for example, via our applications), the information you provide may be separately collected by the third-party site or platform."

Are you naive to think a third party is capable of keeping your data safe?

"Okay. And ...?"

I suppose this is your attitude for #3 and #4. Customers beware. Your data isn't as safe as you expect.

January 28, 2013 at 12:40 PM · But why are these privacy concerns and threats unique to Disney NextGen? And that is an academic question noty intended to imply you (Anon Mouse) are wrong.

If I check into a Universal Orlando resort or a Holiday Inn in White Plains, New York why should is the onus on the Disney system any greater when "nothing is safe ANYWHERE for anyone that draws their ire"?

I know I am missing something here and I'm hopeful that someone can slap me into consciousness.

Anon Mouse: "Customers beware. Your data isn't as safe as you expect."

I Respond: I could not agree more!

January 29, 2013 at 9:27 AM · The privacy concerns will take a while to sort out. There may not be anything to it, but then again, there may well be. Disney's policy as posted is very general. The unknown details may be where the questions arise.

This article has been archived and is no longer accepting comments.

Facebook YouTube Twitter Instagram Email Newsletter

Rate & Review

Walt Disney World

Universal Orlando


Tokyo Disney Resort

2017 Best Park Winners

Get Our Newsletter


Plan Your Vacation

© Theme Park Insider®   About · Rules · Privacy · Contact
Facebook YouTube Twitter Instagram Theme Park Insider T-shirts and Hoodies Email Newsletter