Gotham Gazette - Surveillance and The City: NYC’s Delivery Data Dilemma

Small restaurants have always been the lifeblood of New York City, and as we struggle to emerge from the devastation of the past year, the New York City Council is right to support these crucial businesses. The sweeping shift we saw in restaurant regulation in 2020 saved New York City dining as we know it, including expanded outdoor dining, reducing permit requirements, and (most enjoyably) allowing drinks to go. But this legislative effort has taken an unappetizing turn with the Council’s latest set of proposals, serving up your data as the main course.

Last month, the New York City Council held a hearing on Intro. 2311, a bill that would force delivery apps to share your data with restaurants. Even as professional privacy advocates, we were torn about whether to speak out against the move. That’s because, at the end of the day, we’d side with our local pizza joint over the likes of Grubhub every time. But as well-intentioned as this bill may be, the details are concerning.

Sharing a customer’s name, phone number, e-mail address, delivery address, and the contents of their order is easy for a single meal, but it gets a lot harder for a city that orders thousands of deliveries every hour. But what happens to that data next is the concerning part.

Under the new law, restaurants would be able to use that information however they want. If they want to advertise you lunch specials, that doesn’t sound too bad. But if they want to sell that data to credit firms, insurers, and your boss, then this all starts to sound very, very creepy.

Simply put, this is heading in the wrong direction. We should be limiting the way that the delivery apps can monetize our data, rather than inviting every restaurant we order from to do the same. And while the terms of service with delivery apps are usually problematic, this law would wipe away what few rights consumers have under these contracts.

It may seem harmless enough to put this information in the hands of your local takeout place, but just wait for the feeding frenzy of data brokers who step in to buy up the information. Times are still tough for many restaurants, and even pre-pandemic a lot of them struggled to keep the lights on. Can we really expect them to say “no” when the data firms start offering them a lifeline? We should give restaurants every financial support we can, but not if it comes at the cost of increased spam, identity theft, and stalking.

This is what data brokers do, they buy up our information wherever they can and then sell it to the highest bidder, damning the consequences. And there is no reason to let our data be siphoned off from delivery apps, especially when there are so many other steps that the Council can be taking to help small restaurants.

Intro. 2311 was introduced as part of a seven-bill restaurant rescue package. Other measures include a new “food establishment surcharge,” a suspension of sidewalk café fees, and termination of personal liability on commercial leases. Helping restaurant owners know they won’t go bankrupt if they lose their business does far more to help than handing out our delivery data.

If the Council does insist on data portability, they need to mandate privacy protections and a ban on data resale. If we want this data to benefit small businesses, we need to make sure that no one else can buy or steal it from them. Above all, New York should continue to push for protections against having any of our data misused when it falls in the wrong hands.

***
Albert Fox Cahn is the founder and executive director of the Surveillance Technology Oversight Project (S.T.O.P.), a New York–based civil rights and privacy group, and a fellow at Yale Law School’s Information Society Project and the Engelberg Center for Innovation Law & Policy at New York University School of Law. On Twitter @FoxCahn & @StopSpyingNY.

Levy is a communications intern at S.T.O.P. and a rising senior at Tulane University.