New NYC Law Requires Food Delivery Services To Share Customer Data with Restaurants

Life And Privacy

Last month, NYC passed a law regulating customer data collected by food delivery services from online orders.  Effective at the end of the year, the law will require delivery services (such as DoorDash, Grubhub, Uber Eats) to furnish customer data (including name, phone number, email and delivery addresses, order contents) at least on a monthly basis to restaurants that request it until the restaurant requests not to receive it.

The law also requires that delivery services disclose to customers data that may be shared and the name of a restaurant fulfilling an order and potentially receiving their data. Delivery services must provide a mechanism on their websites for customers to request that their data not be shared in relation to a specific order. If a customer does not opt out when placing an order, consent to have their data shared may be assumed from their inaction.

The law, inapplicable to phone orders, was passed to help restaurants, many of which suffered heavy losses due to the pandemic. The data is valuable both to restaurants and food delivery services because of its financial benefit. The law permits restaurants to use the data for marketing and other purposes with the express consent of the customer, and delivery apps are prohibited from restricting such use. The law gives customers the rights to request their data, require that it be deleted, and to withdraw their consent, and provides a $500 per day penalty for each violation.

Privacy advocates say that the law violates data privacy. Personal data could end up being provided to restaurants who don’t have sound information privacy practices in place: questions have arisen as to how data will be stored and protected by restaurants, and how a restaurant will respond to a data breach (for example, if the information is hacked into or otherwise exposed).

Questions have also arisen whether the law promotes unfair competition by requiring business assets (food delivery services’ customer information) to be handed over to another business (restaurants). Recently, DoorDash sued NYC claiming that the law violates customer privacy and promotes unfair competition.

Customers placing orders through food delivery services who do not want their information shared with restaurants should remember to opt out of data sharing each time they place an order. Further, while the law will not be effective for a few months, restaurants should develop policies to manage their collection, use, and storage of this data, and to process customer requests to withdraw consent or delete their data.

All businesses, including restaurants, should ensure that they are in compliance with applicable data protection law.

The information contained in this column is provided for informational purposes only and should not be construed as legal advice.

 By Gille Ann Rabbin, Esq., CIPP/US, CIPP/E

Sign up via our free email subscription service to receive notifications when new information is available.