Dashing Consumer Privacy: NYC Mandates Food Delivery Apps to Share Customer Data with Restaurants

On August 29, 2021, New York City bill Int. No 2311, an amendment regulating customer data collected by food delivery applications from online orders, became law. The new law grants restaurants the ability to obtain consumer data from third-party food delivery services, while also limiting what restaurants can do with this data. Consumers are also now able to opt out of the third-party data sharing between delivery services and restaurants. The ability for restaurants to analyze customer data and consumer trends can greatly benefit their business and guide their marketing strategy, but as restaurants start requesting and gathering personal information, they will need to ensure the privacy and security of their customers' data.

Restaurant requests:

The central act of the law grants restaurants the ability to request individual customer data from third-party food delivery apps such as GrubHub and Uber Eats. The law does not define what information makes up “customer data,” but it could be assumed to include order history, names, addresses, and other information that a user gives to a delivery service when placing an order.

Restaurants and third-party delivery services will only be able to share consumer data if the customer has consented. However, under the new law, delivery services and restaurants will operate under a presumption that consumers consented to the sharing of information between the delivery services and restaurants when they placed an order. A customer will need to take active steps to opt out of the data sharing between apps and restaurants. The law does not clarify whether delivery services will have to offer an opt-out per order, or whether a customer can enact a global opt-out for all orders made through the application.

Obligations:

Once a restaurant receives customer data, there are limitations on what can be done with it. The new law states that restaurants may not “sell, rent, or disclose such customer data to any other party in exchange for financial benefit, except with the express consent of the customer from whom the customer data was collected.” Restaurants must also offer customers the option to withdraw their consent to the restaurant selling or sharing their data after the restaurant has collected it. Restaurants will also be required to give customers the right to request that the restaurant delete their stored data.

Marketing and other purposes:

The new law does not prohibit restaurants from using data for marketing or advertising purposes. Without consumers opting out, restaurants can use and share this newly collected data for targeted advertisement, digital marketing strategies, and any other business benefit.

Violations:

The new law provides a civil penalty of $500 per violation per day, enforceable by city agencies, but it does not grant a private right of action. However, legal experts believe that the law may still lead to litigation between restaurants and delivery apps under other laws, such as New York’s unfair competition or unfair/deceptive practices laws.

Conclusion:

The ability to access customer data and order trends will greatly benefit restaurants that are looking to use data to keep up with industry changes and better serve their customers. The new law will take effect, and restaurants will be able to start collecting customer data, on December 27, 2021. But with the rewards of collecting data come responsibilities and risks. Failing to protect consumer data adequately can result in data breaches, loss of consumer trust, and a loss of revenue. Restaurants will need to establish a robust data management and security program to best protect their customers' personal information.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to provide companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.