Those of us venturing out to enjoy a drink or a meal with our friends and family lately will no doubt have noticed the proliferation of apps allowing us to order direct from our table without having to queue at the bar or get the attention of a member of staff. While many customers may like this development, believing it is safer, quicker and even how technology should be used, businesses need to be careful and communicate clearly what data they are asking for and why in order to provide such services.
If you have used such an app, what data were you asked for? Did you read the options and tick the relevant check boxes, or did you just go ahead and fill in the form because you were in a hurry, too hungry or thirsty to wait, or thought you had to give the details requested if you wanted to order? If you stopped and thought about it, what might a business learn from such data? Perhaps your name, email address, home address (not just your postcode for payment transactions), full date of birth (not just confirming you are over 18 if ordering alcohol), what you like to drink, what you like to eat, whether you have food allergies, where you are sitting, who you are sitting with, what time you visited, roughly how long you stayed, whether you ate or just had drinks, whether you re-ordered and how often, how much you paid, how you paid etc.
If some or all such data is gathered and stored then a business has an opportunity to learn a lot about their customers. Not only can they tailor special offers or discounts to individual customers, but they can learn more about their preferences, behaviours and over time their habits. But can they do this? Some customers will freely give their consent as they like receiving such offers, others may find this a bit creepy. They might have concerns about what else the data might be used for. Would health insurers, car insurers, or other eating establishments potentially be interested in such data? Is it being sold on to anyone else? Did you spot something in the small print about third parties?
This is where businesses must be clear that they understand what data their apps, whether built in-house or chosen from those available on the market, are collecting: what they are asking their customers for and why they are asking for it. They must also make sure that data is relevant and necessary for those purposes in order to comply with data protection legislation (Article 5(1)(c) of the UK GDPR). Businesses must communicate the what and why clearly to their customers signing up for the app and make sure they understand what is happening with their personal data.
Privacy professionals both here and in the US are raising questions about these apps and how such data is being mined. As customer awareness of this issue rises, it would be wise to ensure staff understand and are trained to answer queries about the app and, of course, know to offer the alternative of ordering in person where appropriate.
“Personal data shall be: … (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”