When bars and restaurants first began to re-open following the easing of lockdown restrictions, Government policy meant table service was the only option. To assist in processing orders via table service, many operators began using mobile applications (“apps”) which enabled customers to submit orders using those apps. In most cases, such apps require the user to input certain personal data in order for the user to place an order. This may include the customer’s name, address, date of birth, phone number and e-mail address – none of which are strictly necessary to order a drink!
The Information Commissioner
The Information Commissioner, the data protection regulatory body in the UK, has recently commented in respect of the use of such apps, expressing their concern that customers are unaware that they do not necessarily have to give up this level of personal data in order to buy a drink and also that customers do not understand how their data is being used.
So what does this mean for operators?
In order for the collection and use of personal data to be legally compliant, operators should, before collecting any data from customers, provide those customers with clear information about the data that is being collected from them and how this is being used – this is generally done by way of a privacy notice. Operators also must ensure that they have a lawful basis under data protection laws for collecting and using this information.
There will be a temptation for operators, particularly given the tough times the industry has suffered over the course of the last eighteen months, to use the data collected by these apps for marketing purposes or even to seek to sell the data. Operators should exercise extreme caution before doing either of these things and should ensure those activities comply with data protection laws.
Operators should now be taking steps to ensure that, where they provide an app to customers to make their orders:
- Such app is not collecting any personal data other than as strictly necessary to process the order;
- If more data is collected than is strictly necessary to process the order or data is to be used for marketing purposes or sold, that this is in compliance with data protection laws; and
- Users are provided with clear information about how their personal data will be used before the personal data is collected.
Failure to take the above steps could not only damage valuable customer relationships and cause reputational damage but could also lead to interest from the Information Commissioner who – it seems – has an interest in this area now that the bar and restaurant industry is able to operate more normally in post-Covid times.
Get in touch with a data protection lawyer today
If you are an operator and require further advice in respect of how you should be collecting and using personal data, please contact our Data Protection team on 0161 838 7986 or email rebeccabainbridge@kuits.com.
