Gone are the days of thinking your business only needs to comply with certain privacy laws if it’s a “tech” company – or one that handles particularly sensitive information such as health information. Under the California Consumer Privacy Protection Act (“CCPA”), which went into effect on January 1, 2020, even brick and mortar companies must provide notices of their privacy practices at the point of collection, and this includes a number of retailers, wineries and restaurants (or restaurant groups).
Not so long ago, technology and the restaurant industry were worlds apart. If you wanted a reservation, you’d leave a voicemail that would be transcribed only to be deleted shortly thereafter. Loyalty cards were punch cards with no name attached. And if the wait for brunch was too long, you’d add your first name to a scrappy list that was discarded at the end of the day, or be handed a small buzzing device to let you know when your table was ready. Those “carefree” (or data-free) days have been replaced with a multitude of interconnected applications that all require the collection of personal information in some way – and importantly, that hang on to this information for longer periods. Restaurants and restaurant groups that collect the personal information of California residents and meet any one of the CCPA thresholds (i.e., over $25 million in annual revenue, collection of data on more than 50,000 consumers or 50% of revenue from sales) must comply with California’s stringent new law. Because the definition of personal information under CCPA is very broad and includes online identifiers, email addresses, and location data, as well as offline data (just to name a few), many successful restaurant groups are likely to fall within these thresholds and be subject to the CCPA.
Even if a restaurant group is not physically located in California, but is found to be doing business in California, such as by marketing to California residents, or having a website that collects data or allows purchases online from California residents, the CCPA may apply. Restaurants that are close to the California border or have a high number of patrons or employees from California also may be subject to the CCPA.
With respect to the CCPA’s provisions around affiliates, it is questionable how franchisees and franchisors will be affected. While the definition of a business under the CCPA includes another entity that has “the power to exercise a controlling influence over the management of a company” and that shares common branding, we do not yet know how the California Attorney General will consider franchisees and franchisors. However, based on the current letter of the law, a franchisor entity that is itself subject to the CCPA, shares common branding with a franchisee and has management control of that franchisee may render the franchisee subject to the CCPA. What’s more, if the franchisor and/or franchisees share personal information with each other, these transactions may be considered a sale under the CCPA, triggering additional obligations.
Companies that collect the personal information of California residents online have been required, under CalOPPA, to maintain an updated privacy notice since 2004, though many do not. But with CCPA, restaurants need to consider both online and offline (or in-person) collection of personal information. Email lists, loyalty programs, raffles with business cards in a fishbowl, payment card data and reservations that notify others of the reservation all involve the collection of personal information and could potentially trigger the requirement to provide a privacy notice.
Applications and software that are intended to provide reservation and delivery services to restaurants also collect and retain a lot of personal information. Restaurants must therefore carefully consider the handling of personal information received or collected by third-party online reservation or delivery services, such as OpenTable and Doordash. These relationships will need to be addressed with service provider or third-party contracts, containing CCPA-mandated or recommended language, between the restaurants that are subject to CCPA and the third parties that provide these services.
Another important question raised by CCPA is how restaurants must provide the required privacy notice. The latest CCPA draft regulations indicate that for in-person or offline collection of personal information, the privacy notice may be given to the consumer either manually via a paper notice or with prominent signage directing the consumer to the online privacy notice. Additionally, notice may be provided orally, although this raises the question of how the business would then prove that the required information was properly provided at the time of collection. Although we have yet to see restaurants providing privacy notices when we show up for a table, it is possible that we will start seeing privacy notices on the back of restaurant menus and/or signs in restaurants directing consumers to their privacy notices.
The CCPA’s financial incentive notice requirements will affect how restaurants provide special offers – such as requesting a consumer’s email in exchange for discounts or free meals. The coupon flyer for that free dessert in exchange for your loyalty signup accompanying your bill will (or at least should) include the required notice of financial incentive. That’s because if a consumer signs up, but later requests that his or her information be deleted, taking away the discount and removing him or her from the loyalty program is likely to be considered discriminatory and in violation of the CCPA. Does this spell the end to this type of loyalty program? Likely not, but these programs will need to be more carefully crafted.
Complicating matters a bit more, customer service personnel and those directly interacting with consumers must, at a minimum, have a general awareness of privacy, know where to direct consumers requesting to see a privacy notice, and in some cases be trained as required for CCPA if they handle consumer requests. Speaking of consumer requests, restaurants will need to consider how to handle those if a customer exercises his/her rights while in the establishment.
Lastly, ensuring that any personal data is securely transferred and/or stored should be a priority – especially where payment information or employee information is involved. CCPA carries a private right of action for certain security breaches, which, if exercised by way of a class action, could wipe out an otherwise thriving restaurant in no time.
As different industries merge with technology that collects and stores their customers’ personal information, stakeholders must consider the various applicable privacy laws and rules, and how to properly implement them. There is no question that the CCPA affects businesses in all sectors, even those that operate largely “offline”, and in fact, some of the language was drafted with those specifically in mind. In turn, consumers everywhere will begin to see more privacy notices, which may alter their experience and awareness of the personal information that is required, these days, to make an entire industry run.