As more restaurant brands gather customer information in beefing up such technological tools as order, pay, pickup and other app offerings, they are nudging into new data privacy territory.
The U.S. House Energy and Commerce Subcommittee on Consumer Protection and Commerce on Thursday marked up the American Data Privacy and Protection Act (H.R. 8152), which would set a national standard for data collection and protection. It still needs to be considered by the committee, the full house and the Senate.
The Washington, D.C.-based National Restaurant Association said that any preemptive federal data privacy law that creates a single, uniform standard would benefit the industry.
However, the association said it had concerns that proposed data privacy act, as drafted, would present significant challenges for large and small restaurant operators.
Sean Kennedy, executive vice president of public affairs for the National Restaurant Association, said in a statement: “As the cornerstone of communities throughout America, restaurant operators build their business on trusted relationships with their guests, and they rely on robust data privacy and security practices to strengthen that trust in today’s digital economy.”
Some areas of the bill raised association concerns.
“This bill is moving very quickly through the committee, and we are working with members to address these concerns,” Kennedy said. “The good news is that all these concerns have resolutions that would vastly improve this bill for the restaurant industry while still strengthening protections for consumers.”
Areas being addressed by the association include:
- Carveouts in the federal preemption: The association said it is concerned that too many carveouts exist for state-level privacy laws, consumer protection laws and laws that govern both employee and biometric data, among others.
“These carveouts essentially nullify the bill’s preemption provision and would require national restaurant businesses to complying with both federal and state laws,” the association said.
- Inclusion of private right of action: Bill language would allow civil action in federal court, which the association said would allow trial lawyers to embroil operators in litigation. “These actions do not improve consumer protection but do often penalize the operations targeted,” the association said.
- Loyalty programs: The proposed act includes language intended to preserve consumer loyalty programs, but the association said the provision would inhibit consumers and restaurants’ ability to establish loyalty relationships voluntarily. The association said it hopes the bill can be amended to reflect state data privacy laws that have been effective.
- Service providers and third-party requirements: The association said restaurants are often a first point of collection for consumer data. However, restaurants should not be held liable for potential data privacy violations committed by downstream business partners, the association said, adding that it would like to see the service provider and third-party requirements strengthened.
- Small data exemption: The bill includes a threshold for small business data exemption, but the association said the current definition would still place significant burdens on small-business restaurants.
- Covered entity definition: Under the current bill, the covered entity definition would mean that restaurants with common branding all become liable for one operator’s infractions, the association said. It would like to see the bill take into consideration the industry’s franchise structure when defining covered entities.
The association’s concerns were outlined in an earlier letter to the subcommittee.
The National Restaurant Association, founded in 1919, is a business association for the restaurant industry.
Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless