March 18, 2022

Expansion of state data privacy laws has implications for restaurants

Lack of compliance in protecting customer data can result in costly lawsuits.
Data Privacy
Data is one of, if not the most, important assets in today’s digital economy. Yet reining in the use of consumer data has been like stepping back in time to the Wild West. Although the European Union established the General Data Protection Regulation, which sets concrete consumer privacy rights and dictates how companies must protect consumer data, the United States has been slower to act on this front.

Congress has held hearings on the subject, but those hearings have not resulted in a national data privacy framework. States have stepped in to fill the void, taking action to cover residents and business interactions in their respective jurisdictions. The patchwork of state data privacy laws has begun to take form with the passage of the California Consumer Protection Act and Privacy Rights Act, Virginia Data Protection Act, Colorado Privacy Act, and just this month, the Utah Consumer Privacy Act.

However, the state-by-state patchwork approach is not ideal in today’s global marketplace. “Congress needs to pass a federal data privacy law that preempts the patchwork of differing state laws to better protect consumers and allow businesses to comply with one, uniform set of rules,” said Brennan Duckett, Association director of Technology and Innovation Policy.

These laws give consumers the right to access, correct, and delete their information, and businesses that control or process the data of 100,000 or more consumers are obligated to fulfill data subject requests. As consumer behavior has changed over the last decade, the laws still cover on-premise traffic but also website visits and transactions via third-parties.

Additionally, laws like the Illinois Biometric Information Privacy Act prohibits private companies from collecting an individual’s biometric data unless they inform and obtain consent from the individual. 

While there may not be a data privacy law in your state now, Duckett warns that there very well could be one coming in the next couple years. “Restaurants should start determining how many consumers they interact with both digitally and in-store, and what kind of personal information they collect and store, and with whom that data may be shared.”

Noncompliance with data privacy claws is costly; nearly 200 legal actions have been filed relating to California’s Consumer Protection Act, alone.