Food delivery services became a lifeline for many restaurants during the COVID-19 pandemic shutdowns, allowing many restaurants to quickly pivot to delivery and curbside pickup. Since the beginning of the pandemic, however, cities such as New York and San Francisco implemented local legislation aimed at helping restaurants and curtailing certain activities of third-party delivery services, such as limiting the amount of fees charged to a restaurant by these delivery services. On July 29, the New York City Council passed Int. No. 2311, which amended the New York City Administrative Code to address customer data collected by delivery applications from online orders. The bill became law Aug. 29 and will come into effect after 120 days, on Dec. 27. Through the amendment, New York City essentially mandated a redistribution of commercial assets in favor of one type of business over another and introduced city-level privacy legislation.
Among other things, the amendment:
- Permits restaurants to request individual-level customer data from third-party delivery apps and requires the delivery apps to provide the information unless the customer has opted out of such sharing.
- Subjects restaurants that receive such customer data to privacy limitations and requirements, including use and sharing limitations and provision of certain customer rights.
- Permits restaurants to use the data received for marketing and other purposes, and prohibits delivery apps from restricting such activities by restaurants.
- Requires delivery apps to assume customers opted into restaurant sharing by default and seemingly restricts delivery apps from providing a “global” option to opt-out of all restaurant sharing.
- Provides a $500 per violation per day civil penalty, enforceable by city agencies and tribunals, but does not provide for a private right of action. However, it may tee up litigation between restaurants and delivery apps under other laws such as New York’s unfair competition or unfair/deceptive practices laws.
Restaurants’ right to request customer data
Under the amendment, restaurants can obtain “customer data” — defined as name, telephone number, email address, delivery address and contents of the online order — by requesting it from the delivery apps. Upon such a request and assuming the customer has not opted out, the delivery apps must provide “all applicable customer data,” disaggregated by the consumer and at least at a monthly interval. Because the current default for most restaurants is that delivery apps do not provide restaurants with customer data other than what is needed to fulfill an order, the amendment provides access to valuable order-by-order and customer-by-customer data restaurants would not otherwise have. (Of course, there are certain fulfillment-type services delivery apps provide where the restaurants control the ordering process and initial collection of data where the amendment would likely not apply.)
Sharing with restaurants assumed
The amendment requires delivery apps to apply a presumption that the customer understands their personal information will be provided to the restaurants food is ordered from. While delivery apps’ sharing with restaurants is not permitted where the customer has opted out of sharing with restaurants, the amendment regulates when and how delivery apps can collect opt-outs. It appears to require delivery apps to provide customers an opt-out option on an order-by-order basis while at the same time restricting delivery apps from providing a “global” opt-out option for all sharing. However, it is less clear whether a delivery app might be able to provide the option for a customer to opt out of all future sharing with a particular restaurant during a specific online order:
“ … a third-party food delivery service shall not share customer data applicable to an online order pursuant to subdivision a of this section if such customer requests that such data not be shared in relation to such online order. The customer shall be presumed to have consented to the sharing of such customer data applicable to all online orders unless such customer has made such a request in relation to a specific online order. The third-party food delivery service shall provide in a conspicuous manner on its website a means for a customer to make such request. To assist its customers with deciding whether their data should be shared, a third-party delivery service shall clearly and conspicuously disclose to the customer the customer data that may be shared with the food service establishment and shall identify the food service establishment fulfilling such customer’s online order as a recipient of such data.”
It will be interesting to see how delivery apps and restaurants interpret the opt-out requirement and the way it will be presented within the delivery apps. Delivery apps have raised privacy concerns over the sharing required under the amendment and will likely continue doing so, particularly where their existing privacy policy and business practices may clash with the obligations under the amendment.
Privacy rights and obligations
Under the amendment, restaurants obtaining customer data from delivery apps are subject to certain, limited privacy obligations and consumer rights. Restaurants may not “sell, rent, or disclose such customer data to any other party in exchange for financial benefit, except with the express consent of the customer from whom the customer data was collected.” Moreover, restaurants must “enable customers to withdraw their consent to use of their data by the food service establishment.” It is not clear whether permitting customers to withdraw their consent refers to the consented-to selling, renting or disclosing, or more broadly to a restaurant’s general use. The amendment also requires restaurants to provide a deletion right to customers. By providing these consumer rights, the city is essentially giving some data subject access rights inspired by the EU General Data Protection Regulation and California Consumer Privacy Act to consumers, but on an industry-specific basis.
Despite the brevity of the amendment and its obligations, compliance with its provisions might prove somewhat challenging because of ambiguous drafting and the lack of standard exemptions. It remains to be seen if and how these will be interpreted by the city agencies and tribunals that enforce the city’s administrative code. It does not appear that the relevant agency is required to implement regulations like some of the other delivery app-directed amendments passed concurrently by the NYC Council. That said, city agencies have discretion to do so and should issue regulations that clarify the amendment’s obligations.
Marketing activities permitted
Despite the lack of clarity regarding consumer rights, the amendment makes clear that restaurants may use the customer data they obtain for marketing or other purposes outside the delivery apps, absent any customer opt-out. This would include email marketing and use in digital advertising campaigns, such as custom and lookalike audiences, though the consent for sale requirements above (along with other applicable laws and regulations such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 and ad industry self-regulations) would have to be considered. Importantly for restaurants, the delivery apps may not limit restaurants’ abilities to carry out these activities contractually or (seemingly) technically.
Is the data worth the bother?
Restaurants should weigh the benefit of gaining access to customer data from delivery apps against the cost of operationalizing a privacy program or folding the amendment’s requirements into an existing program. Restaurants should take care to understand what data originates from delivery apps and what data originates from other sources so that it does not limit the use of other data unnecessarily as required by the amendment.
Timing, enforcement and litigation risk
The amendment became law on Aug. 29 after the 30-day period for the mayor to sign or veto elapsed, and will become effective 120 days thereafter, putting the amendment’s effective date at Dec. 27. The amendment provides a civil penalty of up to $500 per violation per day per restaurant, enforceable by city administrative trial tribunals and administrative agencies. In addition to monetary penalties, injunctive relief along with attorneys’ fees and costs may be sought.
While there is no private right of action provided, it will be interesting to see how this amendment contributes to the feud taking place between the restaurant industry and delivery apps. One area ripe for spurring disputes is how delivery apps will “clearly and conspicuously disclose to the customer” the required information and present the opt-out mechanism. Another area of potential dispute is what constitutes “all applicable customer data.” It could be argued that it includes all historical data prior to the effective date of the amendment, plus all data collected thereafter. It is possible any statements that may mislead customers or otherwise communicate the customers’ options in a way that unreasonably persuades them to opt out of sharing with restaurants, or an alleged limitation on the scope of data provided to restaurants, may be used as a basis for a claim under New York’s unfair competition or deceptive acts or practice laws.
Conclusion
It is likely lost on the average consumer that most restaurants do not obtain access to the data the consumers provide to the delivery apps, and that assumption forms the basis of the amendment’s implied consent approach. However, restaurants are aware of the value of such data and this amendment is, on its face, beneficial to restaurants scrambling to collect data about their consumers in order to address changes to the industry (such as the cookie-free future) and forthcoming privacy legislation. That said, in view of the obligations imposed on restaurants that are less than clear, companies should weigh the costs against the benefits of obtaining delivery apps' customer data. Certainly, it may be more worth it for large restaurant chains who have already operationalized a privacy compliance program for other laws and regulations — such as the CCPA or GDPR — to access what may be scores of data from delivery apps. It remains to be seen how restaurants and delivery apps alike interpret and take advantage of their rights and obligations under this new amendment, which is being penned by many as city-level privacy legislation.
Photo by Veronika Bykovich on Unsplash