Overview: While much of the existing legislation and regulation around data privacy – and the ongoing national conversation – can trace its roots back to Europe and its activism in this space starting in the 1960s and continuing to the present day, the concept of privacy itself as a national policy imperative is, at its core, a uniquely American invention. Our national conversation around “privacy” actually began near the end of the nineteenth century. In 1890, Samuel Warren and Louis Brandeis (who would go on to be a Supreme Court justice) published a 42-page article called “The Right to Privacy” in the Harvard Law Review, which is one of the first known writings recognizing the importance of consent when being photographed or recorded. For context, the country had just recently witnessed the invention of the phonograph by Thomas Edison and the camera by George Eastman, and there was soon an escalating debate around whether people had the “right” not to be photographed or recorded without consent. Warren and Brandeis ultimately concluded that citizens had an inherent “right to be left alone” and the vast majority of Americans soon embraced that as a fundamental right. Despite what laws we have enacted over the last few decades, or legislative proposals that we are facing now or in the future, the precedent of being “left alone” remains the fundamental building block of how Americans view the issue of privacy.
Background: In many respects, the United States was ahead of Europe in the privacy space. For instance, the 1967 Freedom of Information Act (FOIA) was the first law of its kind in the world and allowed Americans to request information about themselves from government agencies. It has obviously been expanded over the years to have a much broader scope, but it demonstrates that concern over data privacy is not a “new thing”. Additionally, the Health Insurance Portability & Security Act (HIPAA) enacted in 1996 was landmark legislation designed to streamline and legislate the safeguarding of an individual’s health information. Like the FOIA, this law has been amended and expanded multiple times in the decades following its passage. And the latest example is President Biden’s inclusion in the recent State of the Union address of a call for enhancements to the Children’s Online Privacy Protection Act (COPPA). The point is that the national conversation around privacy has been going on for generations and the U.S. has been at the forefront. But Europe has been very active as well and over the last 20 years, it has certainly been the aggressor in the data privacy space. In 2016, the European Union (EU) passed the General Data Protection Regulation (GDPR), to date the most comprehensive data protection legislation in the world. The GDPR goes above and beyond any prior data protection law and emphasizes the importance of accountability, consent, and security. The two most important concepts embedded in the GDPR are the establishment of data protection requirements for companies to keep data secure and safe from unauthorized access, while also empowering end-users to make their own decisions about who can process their data and for what purpose. It also has by far the largest fines of any data protection legislation. Much of the energy of the legislation was focused on Big Tech – Facebook, Google and the rest – and that issue set has now made its way to our shores.
And so too have the proposed “solutions” – ironically, much of the state legislation passed in this country to date was modeled either entirely or largely on the GDPR.
Current Political Environment: Often it takes a major incident or in some cases a scandal to ignite a vigorous policy debate. The context and contours of our current debate on data privacy can be traced back to our national elections in 2016 and their aftermath. In 2018, two leading newspapers, The Guardian and The New York Times, revealed that the personal data of over 87 million Facebook users was given to Cambridge Analytica without their knowledge or consent for political advertising purposes. These revelations led to an FTC investigation and numerous apologies from Facebook and its CEO Mark Zuckerberg and have served as a major catalyst to further elevate data privacy to the forefront of the nation’s public policy dialogue. In response to both the Cambridge Analytica scandal here at home and implementation of GDPR in Europe, Congress held numerous high-profile hearings with Big Tech CEOs focused on how these companies ought to better protect consumers’ personal data. While Congress held hearings and debated, California went ahead and passed its own privacy bill, setting other states off in pursuit of their own laws, with Utah and Connecticut notably becoming the fourth and fifth states to put privacy laws on the books this year. However, the data privacy conversations have also reignited in D.C. beginning in May, and have since resulted in the release of a draft data privacy bill with bipartisan and bicameral support, known as the American Data Privacy and Protection Act. While this certainly represents a massive step toward establishing a federal, uniform data privacy framework, it still seems likely at this point that Congress will be unable to pass the legislation this year, and that any meaningful action will still most likely take place at the state level going into next year.
California – AB 375, The California Consumer Privacy Act (CCPA) of 2018, was signed into law by Gov. Brown in June of 2018 and is the only one of the handful of privacy bills passed to date that has actually taken effect. Highlights include:
- The right for consumers to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
- The right for consumers to have a business delete their personal information, with some exceptions; and
- The right for consumers to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
- The Act requires that companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected.
- The Act also forbids businesses from “discriminating” against consumers for exercising their privacy rights under the Act. More specifically, that means businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their privacy rights.
- The Act also provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief, if their sensitive personal information (more narrowly defined than under the rest of the Act) is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. Statutory damages can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater.
Virginia – S. 1392, The Virginia Consumer Data Protection Act (VCDPA), the nation’s second consumer data privacy law, builds on frameworks used in California’s early legislation and the EU’s GDPR. But unlike in Europe and California, Virginia’s new law garnered support from tech industry trade groups and businesses like Amazon and Microsoft. Its coverage and compliance regime may be less onerous than its predecessors, but still represents a major change in data regulation. Highlights include:
- The law obliges some businesses to give consumers the ability to access and control personal data that the business collects about them;
- Virginia consumers will have the right to submit a request to access, correct inaccuracies within, and delete personal data they have provided or that has been obtained about them;
- The law includes a right to obtain a copy of data the consumer has previously provided, in a usable format “to the extent technically feasible;”
- For each business collecting data on them, Virginia consumers can opt out of targeted advertising, the sale of their personal data, or “profiling” (defined as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements”) that results in the business providing or denying “financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water;”
- A business that controls personal data must respond to requests within 45 days;
- There is no private right of action; and
- The law takes effect Jan. 1, 2023.
Colorado – SB 190, The Colorado Privacy Act (CPA), the nation’s third consumer data privacy law, provides nearly identical consumer rights to both Europe’s GDPR and Virginia’s law. They are also very similar to those under California’s law, but Colorado’s opt-out rights are broader with respect to targeted advertising, and the state’s data security requirements for businesses are the most robust on the books yet. Highlights include:
- Consumers may opt out of the processing of their personal data for: (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer (provision or denial of financial, lending, housing, insurance, education, criminal justice, employment, healthcare, or essential goods or services);
- The CPA requires that controllers provide a “clear and conspicuous” method to exercise the right to opt-out of the sale of personal data or targeted advertising, which must be in the controller’s privacy notice as well as in a readily accessible location outside the privacy notice. Controllers may also allow users to opt-out through a universal opt-out mechanism that meets technical specifications established by the Attorney General (this becomes mandatory on July 1, 2024);
- Consumers have the right to confirm whether a controller is processing their personal data and to access that data;
- Consumers have the right to correct inaccuracies in their personal data;
- Consumers have the right to delete their personal data;
- Up to two (2) times per calendar year, consumers have the right to obtain their personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity “without hindrance;”
- The CPA requires that controllers take security precautions during storage and use of data by imposing a duty of care. Precautionary measures must be “appropriate to the volume, scope, and nature of the personal data processed;”
- There is no private right of action; and
- The law takes effect July 1, 2023.
Utah – While there are some minor differences with the Virginia and Colorado bills regarding exemptions and notice provisions, SB 227, The Utah Consumer Privacy Act (UCPA), follows the same general cadence of those two new laws. Highlights include:
- The UCPA grants consumers certain rights to their personal data. Specifically, consumers may request to:
  - Access the personal data that a controller processes about them;
  - Delete personal data that the consumer provided to the controller;
  - Obtain a copy of the personal data, in a “portable” format, that the consumer provided to the controller; and
  - Opt out of the “sale” of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing of personal data for targeted advertising.
- The law creates a novel, dual structure for enforcement when responding to consumer claims. First, the Utah Department of Commerce’s Consumer Protection Office will consider and investigate a claim. Only if deemed legitimate will the claim proceed to the state Attorney General’s Office, where the office may either concur with the Consumer Protection Office’s findings or reject the claim. Businesses also enjoy a right to cure under the new law.
- There is no private right of action.
- The law takes effect December 31, 2023.
Connecticut – The legislature has just passed SB 6, the Connecticut Data Privacy Act. Closely mirroring the Virginia law, the new law calls for:
- The CDPA grants consumers certain rights to their personal data. Specifically, consumers may request to:
  - Confirm whether or not a controller is processing their personal data and to access such personal data;
  - Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
  - Delete personal data provided by or obtained about them;
  - Obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
  - Opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- The law affirmatively requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
- The law imposes a new requirement for controllers: conduct data protection assessments (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific processing activities involving personal data that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, profiling, and processing of sensitive data.
- There is no private right of action.
- The law takes effect January 1, 2023.
Other States with Legislation Pending
- Massachusetts – HB 4514 & SB 2687
- Michigan – HB 5989
- New Jersey – S 332 (recent action)
- North Carolina – S 569
- Ohio – HB 376
- Pennsylvania – HB 2202 / HB 2257
States Where Bills Have Failed This Session
- Missouri – HB 2716
- New York – AB 680 & SB 6701
- Washington – HB 1850 & HB 1433
- Wisconsin – HB 957
- West Virginia – HB 2064 (Biometrics Privacy Act)
Restaurant Privacy Principles & Talking Points
- Federal preemption. Congress should enact one standard set of rules to create clarity for both consumers and businesses across the nation as opposed to making businesses navigate a complicated patchwork of state laws.
- Transparency for consumers. Restaurant operators value their customers’ privacy, and the industry believes that consumers should know how their personal information is used within the digital ecosystem and be empowered to control their data.
- Risk-based scope. The current 100,000-consumer threshold for compliance covers many more small businesses than lawmakers realize. Online and on-premises traffic can add up quickly for restaurants, but when it comes to consumer data abuse, restaurants are not the businesses making national headlines. Legislation should not burden tens of thousands of small business restaurants across the country with compliance costs they can’t afford.
- Statutory obligations for all. Legislation should be industry-neutral and should not place liability solely on restaurateurs for the acts and practices of entities over which they have no operational control. This applies in both the franchisor-franchisee context as well as with respect to our downstream business partners who process consumer data on our behalf, including payment processors, third-party delivery platforms, and reservation websites.
- Preserve loyalty programs. Businesses should be permitted to maintain the loyalty programs in which their customers already willingly choose to participate so that they may continue to offer the discounts and benefits customers enjoy today.
- Federal Trade Commission & State Attorneys General enforcement. Restaurants and other consumer-facing industries are often targeted with frivolous lawsuits. Because of this, the enforcement of data privacy laws should stay with the FTC and State AG offices as opposed to using a private right of action.
- Notice and cure period. The industry believes a notice and cure period should be included to allow first-time offenders who had no intention of violating the law to come into compliance.
Other Restaurant Privacy Considerations
- Third-Party Delivery Platforms
  - These types of services have exploded in popularity in the last few years and have been helpful to restaurants to expand their reach during the pandemic.
  - Using a third-party delivery platform or even a reservation app like OpenTable or Resy has the potential to get complicated under state privacy laws. Although the third-party provider does most of the heavy lifting in these cases, you could be found in violation if a user’s location, name, email address, or payment information is improperly handled.
- QR Codes
  - The codes also saw a massive revival in popularity due to the pandemic and have served restaurants well as the industry continues to face labor shortages.
  - They also can be operated by third parties, which is another source for potential liability.
- Biometric Privacy
  - Illinois’ Biometric Information Privacy Act (BIPA) has been rife with litigation. Given the overall sensitive nature of this type of data, this is a key component to keep in mind and could be an issue within the employment context moving forward. Other states have introduced similar legislation, including:
    - CA SB 1189
    - MA SD 269
    - Missouri HB 2716
    - SC HB 3063
    - WV HB 2064
- Online Advertising
  - States often include opt-outs for targeted advertising in their bills, and there are some federal and state bills that seek to ban this business practice altogether.
- Geolocation privacy
  - This is an important consideration for restaurants that utilize sophisticated curbside pickup practices.
- Children’s Privacy
  - A priority for Congress and specifically mentioned during Biden’s SOTU.
Summary: There are countless reasons why we will continue to see an explosion of data privacy laws in the next few years. First and foremost is the exponential growth of data sharing itself. NASDAQ is forecasting that by 2026, the number of devices sharing data across platforms will be roughly double those in 2021. While that will produce greater productivity, the flipside is that more connected devices will mean greater threats to personal data privacy and more opportunities for information to be compromised. And the volume of legislative responses to those concerns, such as the GDPR in Europe and the California Consumer Privacy Act (CCPA) among others, will grow exponentially as well. Secondly, there is general consensus among privacy advocates that the punitive nature of these laws works very effectively. Regulators in the EU are convinced that steep fines associated with these laws are both significant deterrents to violating privacy laws and excellent revenue generators as well, which has only served to embolden them to look for more violations and more fines. In California, for example, the CCPA states the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. The key here is that those penalties are per violation. Suddenly a company that has 50,000 records compromised could be on the hook for $250-$750 million. The bottom line is that this issue set will not only be a permanent part of our industry’s issue agenda going forward but a major one – especially for our chain partners.
Action Items: As with all emerging issues, the learning curve on data privacy is particularly steep and is not only complicated in its own right, but a significant departure from our traditional, core business model issues. But, as stated above, the stakes are getting very high, very quickly. As such, industry association leaders should consider:
- Highlighting and prioritizing the data privacy issue in all legislative updates, board materials, issue presentations and appropriate member communications.
- Helping members understand that data privacy laws not only apply to tech companies and big chain restaurants but could also apply to smaller restaurants based upon certain consumer data thresholds.
- Talking with member restaurants about how they are utilizing customer data to understand potential exposure to legislation.
- Partnering with all other appropriate trade organizations in a given state, especially those representing other large consumer-facing brands to coordinate advocacy efforts.
- Working with the NRA or other appropriate partners to identify compliance vendors as a resource to members.
- Engaging quickly when privacy legislation is introduced in a state legislature to ensure that industry concerns and interests are heard and addressed.
- When legislation is introduced, working with CSRA & NRA staff to compare the legislation to similar legislation introduced and passed in other states.
- Electronic Frontier Foundation – https://www.eff.org/issues/privacy
- U.S. Chamber of Commerce – https://www.uschamber.com/major-initiative/data-privacy
- Retail Industry Leaders Association – https://www.rila.org/retail-works-for-all-of-us/supporting-free-markets-and-fostering-innovation/retail-privacy
- National Retail Federation – https://nrf.com/privacy
- Bloomin’ Brands – https://www.bloominbrands.com/privacy-policy
- McDonald’s – https://www.mcdonalds.com/us/en-us/privacy.html
- OneTrust – https://www.onetrust.com/