Welcome

NYC’s ‘Peculiar’ New Delivery App Law Raises Data Breach Fears

Oct. 25, 2021, 9:00 AM

New York City’s novel mandate that apps like DoorDash share customer information with restaurants that cook the meals they deliver could help eateries devastated by Covid-19, but has set off alarm bells with privacy advocates.

Data-sharing runs counter to delivery apps’ efforts to protect privacy by limiting how much personal information is provided for fulfilling food orders, like revealing to restaurants only a customer’s first name, last initial, and what they bought.

“If apps shared user data on their own in other cities,” they would be sued for violating their own privacy policies, said Daniel Castro, vice president at the Information Technology and Innovation Foundation, a think tank. “It shows how peculiar this law is.”

DoorDash Inc.—the most popular food delivery service in the city, according to Bloomberg data—claims in a suit the law invades customers’ privacy and grabs at valuable data that the company considers a trade secret. The city agreed not to enforce the law against DoorDash while the legal challenge plays out in court. But it will still ostensibly be enforced beginning Dec. 27 against other food delivery operations and apps including Grubhub Inc. and Uber Technologies Inc.‘s Uber Eats and Postmates.

City restaurants pushed for data-sharing to allow direct marketing to their customers, giving them a way to sidestep delivery apps that the industry has become more reliant on during pandemic-forced closures.

The law gives consumers the ability to opt out of data-sharing and a right to delete data, and is part of a New York City Council package for regulating the delivery app industry that also includes a cap on the commissions apps can charge restaurants.

Customer Data

“Door Dash and other third-party apps have been collecting and selling personal data for years but they prevented restaurants from accessing information on their customers,” a New York City Council spokesperson said in an email, adding that the consumer opt-out choice protects customers’ privacy.

Delivery apps will need to provide customer data to restaurants that request it on a monthly basis, according to the law. Restaurants don’t typically have access to such data unless an app offers, for a fee, access to data and analytics.

In its lawsuit, DoorDash argues that restaurants will be able to free-ride on data that it’s spent “tens of millions of dollars” to acquire and keep confidential. Gaining free access to customer data would also give restaurants less incentive to partner with or advertise through DoorDash, the suit claims.

“The way it’s set up, apps are the master of that information,” said Pooja Nair, a partner at Ervin Cohen & Jessup LLP who advises companies in the food and beverage sector on issues including trade secrets. That makes it more difficult for restaurants to reach out to customers and market to them directly, she said.

DoorDash sued the city in September, alleging that forced data-sharing is unconstitutional because it obligates the app to turn over valuable information and interferes with existing business contracts. The lawsuit also cites objections to the law from privacy groups, including the Electronic Frontier Foundation and Tech:NYC.

“After ignoring these warnings and shutting out the voices of 5,400 New Yorkers who wrote in opposition, the council left us no choice than to ask the courts to overturn this unconstitutional and ill-advised legislation,” a DoorDash spokesperson said in an email.

It remains to be seen whether other food delivery apps will join the DoorDash lawsuit or file their own. Grubhub is evaluating its legal options, according to an email from spokesman Grant Klinzman. Klinzman added that Grubhub “will continue to protect the privacy of those who entrust us with their data.”

Uber Eats and Postmates didn’t respond to requests for comment.

Compliance Challenges

Restaurants are subject to limits on how they can use the customer data, including a prohibition against selling it, and must delete data if a customer asks.

One of the law’s “shortfalls” is that it doesn’t spell out security protocols for how to keep customer data safe from a breach or a hack, said Kyle Fath, counsel in the data privacy and cybersecurity practice at Squire Patton Boggs. It’s possible that New York City’s commissioner for Consumer and Worker Protection could issue rules that address implementation issues, Fath said.

For delivery apps, setting up a system for transferring data on restaurant customers could also prove a challenge, according to Tyrone Jeffress, vice president of engineering and U.S. information security officer at Mobiquity, a consulting firm for digital design and engineering. The legislative text says the delivery app data on a restaurant’s customers must be shared in a machine-readable format, disaggregated by customer, on at least a monthly basis.

“Imagining how to respond to those requirements kind of started to make my head spin a little bit,” Jeffress said. He said it’s no easy task to build the mechanism needed for sharing the data and making sure it’s secure.

Privacy Protections

California considered adopting a similar data-sharing law as part of a bill regulating delivery apps. But state lawmakers removed the data portion of the bill before it was signed into law in late 2020 out of concern the provisions would conflict with California’s consumer privacy law.

Nair said it’s likely the DoorDash lawsuit focuses on constitutional arguments because New York City, and the state, lack a consumer privacy law similar to the California Consumer Privacy Act, which will evolve into the California Privacy Rights Act in 2023. New York is one of several states with a proposed privacy law that hasn’t passed.

Consumers are gaining new privacy protections under New York City’s delivery data law, including clear disclosure by apps that their data may be shared with restaurants and a way to withdraw their consent to sharing on an order-by-order basis or delete data that a restaurant holds on them.

Other efforts to make it easier to move data from a tech platform to another destination have put consumers in control, according to Hayley Tsukayama, a legislative activist for the nonprofit Electronic Frontier Foundation. The New York City law makes data-sharing the default.

“If you center consumers, there are ways to look at competition and privacy together,” Tsukayama said. “But this law is mandating data-sharing in ways that do not think through the privacy implications.”

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloomberglaw.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Gregory Henderson at ghenderson@bloombergindustry.com

To read more articles log in. To learn more about a subscription click here.