A bill passed by New York City Council regulating data collected by food delivery apps – requiring them to divulge identifiable, customer-level data to restaurants – became law on August 29. The bill, which amends New York City’s Administrative Code, becomes effective on December 27, 2021. As detailed by Kyle Fath on the International Association of Privacy Professionals (IAPP) Daily Dashboard (article linked here), the amendment:
-
Permits restaurants to request individual-level customer data from third-party delivery apps and requires the delivery apps to provide the information unless the customer has opted out of such sharing.
-
Subjects restaurants that receive such customer data to privacy limitations and requirements, including use and sharing limitations and provision of certain customer rights.
-
Permits restaurants to use the data received for marketing and other purposes, and prohibits delivery apps from restricting such activities by restaurants.
-
Requires delivery apps to assume customers opted into restaurant sharing by default and seemingly restricts delivery apps from providing a “global” option to opt-out of all restaurant sharing.
-
Provides a $500 per violation per day civil penalty, enforceable by city agencies and tribunals, but does not provide for a private right of action. However, it may tee up litigation between restaurants and delivery apps under other laws such as New York’s unfair competition or unfair/deceptive practices laws.
This restaurant-focused data legislation comes on the heels of NYC’s passing of a city-level biometrics law as we detailed here and at a time where the ever-growing hodgepodge of state privacy laws have some calling for federal privacy legislation.