Privacy & Cybersecurity Law Blog

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

Although customers are permitted to request that their customer data not be shared, the presumption under the law is that “customers have consented to the sharing of such customer data applicable to all online orders, unless the customer has made such a request in relation to a specific online order.” The food delivery services are required to provide on its website a way for customers to request that their data not be shared “in relation to such online order.” To “assist its customers with deciding whether their data should be shared,” delivery services must disclose to the customer (1) the data that may be shared with the restaurant and (2) the restaurant fulfilling the order as the recipient of the data.

The law will permit restaurants to use the customer data for marketing and other purposes, and prohibit delivery apps from restricting such activities by restaurants. Restaurants that receive the customer data, however, must allow customers to request and delete their customer data. In addition, restaurants are not permitted to sell, rent or disclose customer data to any other party in exchange for financial benefit, except with the express consent of the customer.