New Yorkers love our neighborhood restaurants. When COVID scared us into staying home and avoiding crowds, it was great that so many restaurants embraced home delivery. Millions of New Yorkers downloaded apps that simplified our lives and helped our restaurants: DoorDash, GrubHub, Seamless, Caviar, Uber Eats, and the list goes on. These apps are not perfect as the fees can be high and restaurant choices limited. Still, they were a lifesaver for many restaurants and made the pandemic much easier for consumers.
It may be obvious that chefs are not experts at building websites, managing delivery staff, and handling consumer data, and that app companies don’t cook great meals. But by working together, the delivery apps free restaurants from the mundane yet important tasks of remote business so they can focus on our food. It’s a partnership that works well for the businesses and consumers, which makes it perplexing that the New York City Council wants to change these relationships. Other cities have capped delivery fees 10 or 15 percent, but only New York City is considering forcing apps to share customers’ personal data with restaurants. This could be a recipe for a data disaster.
The City Council is undoubtedly trying to do right by New York City restaurants. Every restaurant would like to ask customers directly about the delivery experience and the food, make sure the customer is happy, and perhaps send discount offers or other promotions. But forcing companies to share customers’ personal information with others violates every privacy and data protection guideline that’s ever been written, including laws passed in Europe and several U.S. states.
The first rule of data privacy is to respect personally identifiable information. “PII” shared with the wrong person can quickly lead to scam emails, phone calls, identity theft, stalking, or worse. That’s why sophisticated companies tell consumers precisely what will be done with their information and why they don’t share sensitive data with anyone – including with business partners. No website should ever give your data away without your permission, and no legislature should require that your data gets transferred without your explicit approval.
Ten years ago, millions of Target department store customers learned that cybercriminals hacked their personal and financial data. Most people never learned that this happened because one untrained contractor working at one store was needlessly connected to Target’s national consumer database – and that contractor got hacked. The lessons of that data breach have been learned and put into practice by DoorDash, Uber Eats and every respectable food delivery app. But very few restaurants – and likely none of our favorite small restaurants – are professionally trained how to manage and protect consumer data.
I prefer to order food directly from restaurants, but if you prefer to order through an app then your personal data should be respected by the app – and by the City Council. Mobile app companies spend millions of dollars on sophisticated data security. Their privacy experts are educated about how to protect our data. Local restaurants typically don’t have privacy experts or invest in data security. And when a law requires a company to share data with others, there is no incentive for the data recipient to guarantee that the data is secure or employees are properly trained.
If the City Council wants to help restaurants get direct access to delivery app customers, there are options that will not put consumers at risk or offend their data privacy rights. Consumers can be empowered to choose, and restaurants can be required to ensure that data is protected. All New Yorkers deserve the right to choose and control who gets their data. These choices should not be made for us by the City Council or by our favorite local restaurants.
Jonathan Askin is Professor of Clinical Law at Brooklyn Law School and Director of the Brooklyn Law Incubator and Policy Clinic.