Pubs, bars and restaurants: is the sector risking a privacy nightmare?

The reopening of the leisure, food and drink sector came as welcome relief for business owners and customers alike, but a proliferation of ‘quick fix’ table ordering apps as re-opening quickly got underway has exposed companies to a risk of breaching the GDPR.

What information is my app collecting?

This is a question all businesses using an app to facilitate bookings or customer orders should be asking. Most apps offer services such as booking tables or seats, ordering and paying for food and drinks, facilitating upselling and even providing instant messaging between customers and the serving staff - all of which require the collection of customer details. Therefore, as attractive as those features may be, it remains important for businesses to consider whether their apps are offering them and their customers adequate legal protection.

Many venues are still using technology developed and deployed during the earlier part of the pandemic (when the obligation fell on hospitality to collect information about its customers) to fulfil orders and provide table service, but in the process are now collecting unnecessary information.

While a customer might expect to provide basic details, such as a name, address, email address and phone number, some apps are also collecting data on the type of device being used, its IP address, location data, marital status, date of birth and gender, along with payment information which is being processed by third-party payment providers. Some apps can even read, modify and delete the contents of a device’s USB storage, as well as take photos and videos.

What do I need to do?

Customers are starting to question and even criticise the volume of data these apps are collecting. While it’s likely that some customers are accepting privacy policy terms without fully understanding or possibly even reading them in an attempt not to delay the ordering process, it’s still essential to ensure this information is provided and that they have the recourse to ask for their data to be deleted.

It is essential that a business: 

• is transparent about the purpose of collecting personal data, and prevents data collected from being used for any other purpose (such as marketing), unless a lawful basis for that use has been properly established;
• collects the minimum amount of personal data necessary to fulfil its purpose;
• gives users control by allowing them to exercise their rights over their data through the app;
• keeps personal data for only as long as it is needed; and
• processes the personal data in a secure way.

Businesses should also:

• check if a data protection impact assessment (DPIA) was carried out when the app was rolled out and if it is necessary to complete one – this will depend on a number of issues to do with how the app works and how the company uses it. If a DPIA is necessary a business should complete it, and then take any remedial steps identified;
• think about how its own employees can access any customer data collected in the app, and how they will prevent mis-use (such as harassment or other unwanted engagement with customers);
• look closely at how any social features are used, and any interfaces the app has with social media sites – particularly if, for example, the app has permissions to automatically post content to a user’s social media profile or let people at a venue know details about other customers who are there;
• ensure that the contract in place with the app provider includes the information required by Article 28 of the GDPR; and
• ensure that the app includes accurate and appropriate privacy notices to all users when their data is collected, and that these are carried across to the company’s own notices if necessary.

Looking ahead

Now, as we all start to settle into these new ways of operating, is a good time to review your apps and booking systems to make sure you are only collecting information that’s truly necessary for your purposes and are providing sufficient data protection information to remain compliant with data protection law.

Up to now it has been highly unlikely that the ICO would consider taking enforcement action - as long as businesses have taken reasonable steps to ensure GDPR compliance – given the initial wait for government guidance and subsequent frequent changes to regulations. However, as time goes on, businesses that don’t make substantial efforts to ensure compliance may face hefty fines and are certainly likely to face customer criticism if they’re seen to be over-collecting or misusing personal data.