Restaurant operators must make changes to the way they collect, use and protect data about their guests in light of a sweeping new consumer privacy protection law adopted by California lawmakers in June.
Described by some attorneys as the nation’s most extensive consumer privacy law, the California Consumer Privacy Act, or CCPA, is modeled after the European Union’s General Data Protection Regulation, or GDPR, that established data privacy mandates for companies doing business in Europe.
The CCPA doesn’t go into effect until July 1, 2020. But legal experts warn that restaurant operators should begin preparing now for what will likely be an onerous challenge to maintain compliance.
Many restaurant operators may believe data privacy is something only big tech companies like Facebook or Google have to worry about. In fact, the law applies to most restaurants doing business in California that collect the most basic information about guests: names, phone numbers and email or IP addresses, for example.
Noncompliance could leave restaurant companies vulnerable to costly liability with civil penalties up to $7,500 per violation.
The CCPA was adopted quickly by the state legislature, which was rushing to beat a deadline that could have put an even stricter proposal up for a ballot vote in November.
Dodging that bullet, state lawmakers now are likely to tinker with the CCPA before it goes into effect. But attorneys warn that the intent of the law — which fundamentally is to give consumers more control over how their personal information is collected, used and shared — is not likely to change.
“The ballot initiative was withdrawn, but that is still looming. If they try to water this down too much, that could put it back on the ballot, and a ballot initiative is a lot more difficult to change than legislation,” said Danielle Urban, a partner with law firm Fisher Phillips in Denver.
Here’s a look at the CCPA basics:
To what does it apply?
The CCPA applies to all “personal information” collected, either online or offline, by nearly any type of commercial enterprise, said attorney Helen Foster, a technology, privacy and security specialist at law firm Davis Wright Tremaine in Washington, D.C.
This could include just about any information that could be linked to a consumer or household — though the definition of “household” is likely to be a term that will require clarification, she added.
For restaurants, however, the CCPA would cover the type of data now routinely collected, whether in stores, online, through mobile apps or by third parties, such as delivery providers or online reservation sites.
Many restaurant and tech partners feel they may own that data, said Kinesh Patel, co-founder and chief technology officer of guest management firm SevenRooms.
“But this is a change in the way we think about that,” he said. “It creates civil rights for data.”
To whom does it apply?
The law applies to any company that does business in California — even a single franchised unit that might be part of a larger chain operating primarily outside the state.
It applies to companies that meet any of the following criteria:
- Companies with a gross revenue of more than $25 million
- Companies that receive or share information from more than 50,000 consumers, households or devices
- Companies that earn more than half of annual revenue from the sale of personal information
Foster warns that even relatively small restaurants could be subject to the CCPA, especially if they use a website for reservations or a mobile app to interact with customers. Over the course of a year, it wouldn’t be difficult to surpass the 50,000-device threshold, she said.
What do restaurant companies have to do?
Conduct an audit.
Restaurant companies need to be able to identify and retrieve all the personal information related to consumers across business units or third-party partners, and be able to promptly disclose that information to any individual guest that may request it.
That means a good first step is probably an audit of the personal information collected from customers, including how it was obtained, how it is used and shared, said Urban.
“I think it behooves every company to take a careful look at what they’re keeping in all the departments,” she said. “It’s not an excuse to say, ‘I didn’t know Joe in this department had access to this information and I’m not sure why he ever had access.’”
Update data use-disclosures at least once a year.
Many companies use such disclosures already, even though people probably rarely read them. Under the CCPA, those disclosures must include more detail about how companies collect and use personal information, and deviation from that practice could open a restaurant operator up to liability, Foster said.
Take a hard look at your security compliance and update your data incident response protocols.
“This is the real kicker,” said Foster. The CCPA effectively supplements the California Data Breach Notification Law and gives consumers a private right of action. That means consumers could have the right to sue a business if there is a breach of data and that business does not maintain “reasonable” security procedures.
The standard for “reasonable security,” however, is not defined, Foster noted. But the California attorney general has previously cited the 20 controls in the Center for Internet Security’s Critical Security Controls as a minimum standard.
Urban added that restaurant companies should make sure their cybersecurity insurance policies cover the terms of the CCPA.
“Does it cover, for example, your liability under the CCPA?” she said. “Not only do people need better coverage, but the truth is policies vary so much, and, in most cases, people find out at the time they need it, ‘Oh wow, it doesn’t cover what I thought it did.’”
If asked, restaurant companies will have to promptly provide consumers access to all of their personal information, including how it was collected, the purpose for which it was collected, and the entities to which it was sold or disclosed for business purposes.
Restaurant operators must first verify the identity of the person making the request. The information must be provided in a readily usable format, and accuracy is key, Foster said.
Give consumers an opt-out/opt-in option.
That means they can opt out of the “sale” of their personal information to a third party, or across business units or product/service lines. Service providers must also honor those requests, unless they are prohibited by contract from using the personal information for their own purposes.
“The CCPA doesn’t require contracts, but it’s a good idea to put those in place specifying how [third parties] are going to respond to those requests and what they’re going to do with your customer data,” said Urban.
Consumers under age 16 must also give opt-in consent. Those between the ages of 13 and 16 can opt in for themselves. Those under age 13 must have a parent or guardian’s authorization.
Allow consumers to request that their data be deleted.
Foster recommends that restaurants update their homepage and all online and offline privacy policies to inform consumers that their personal information could be sold to third parties and that they have the right to opt-out. Use a web link on the homepage titled: “Do not sell my personal information.”
Restaurant companies must also be careful not to discriminate against guests who opt out. That means restaurants may not be able to reverse discounts offered to those who join a loyalty program, for example, but then ask for their data to be deleted.
How will this be enforced?
In the event of a data breach, consumers may recover “not less than $100 and up to $750 per violation” in private actions, said Foster. But businesses will have a 30-day period to cure any deficiencies — though she noted that it’s hard to imagine a scenario where a breach could be cured after it happens.
In such cases, the attorney general could also take action. Civil penalties could range from $2,500 to $7,500 per violation.
California may be ahead of the game on data privacy, but Foster warned that other states are likely to follow suit.
Patel at SevenRooms, meanwhile, sees the new law as an opportunity.
Large restaurant tech companies like his have already spent a lot of time readying for compliance with the GDPR and they are ready to help restaurant companies meet the demands of greater consumer data protection, he said.
“I think the GDPR was so sweeping globally, that the cat’s out of the bag. There’s no going back,” he said. “It’s coming, no matter what.”
Contact Lisa Jennings at [email protected]
Follow her on Twitter: @livetodineout
Correction: This story has been updated to correct the implementation date.