People don't generally associate restaurants with data storage, but they do actually deal in a ton of personal information. Restaurants take credit card information when they are accepting payment, they take phone numbers when they deliver food or make reservations, and they often get email addresses during transactions, to name just a few examples. This is why the new privacy law going into effect in California in 2020 could have a big impact on restaurants.
The New Law
California adopted a law called the California Consumer Privacy Act, or CCPA, in June of 2018. It requires businesses to tell consumers what categories of information they are collecting, what sources they are using to get the information, and what they are going to use it for. Businesses will also have to reveal what types of 3rd parties they share information with. This law also gives the consumers the right to request that information free of charge and gives a business 45 days to comply, though that can be extended to 90 days. Uniquely, the consumer has the right to ask a business to delete information about them and that the business has to tell the consumer that they have that right. When a business gets a verified request to delete a consumer's personal information, they will have to delete it.
What Restaurants Will Be Affected
This law affects any restaurant that makes more than $25 million in gross revenue or collects information on more than 50,000 consumers, households or devices. Email addresses, IP addresses, phone numbers and other information that restaurants use absolutely count as personal information collected. Restaurants with websites or mobile apps that they use to make reservations could be particularly subject to the CCPA.
How Will It Be Enforced
This law gives consumers the right to bring civil actions against businesses if their information was stolen because the business didn't comply with the law or take reasonable actions to keep the information safe. The consumer will have to give the business a written notice 30 days in advance of initiating the action so that the company can cure the data breach, at which point the Attorney General may take action against the restaurant.
If the restaurant was found to be intentionally violating the law, the company could be liable for up to $7500. If the Attorney General decides not to prosecute, the consumer can take the restaurant to court, which may find them liable for damages. In that case, a company could wind up paying between $100 and $750 per data breach.
What Can Restaurants Do To Get Ready
The first step a restaurant should take it to find out what information it is recording, who in the company stores the information, and what the restaurant is doing with the information.
Then a restaurant should scrutinize and update the data security operations. A good place to find a framework for dealing with data breaches can be found on the National Institute of Standards and Technology or the National Restaurant Association website.
It's also important for restaurants to create procedures for consumers to choose whether or not their information is shared with third parties. Companies can also create or update data-use disclosures so that they have something to give customers when they ask about how their personal information is being used.
If a restaurant already has a good handle on their cybersecurity and has all the paperwork in order, the CCPA should be only a small addition to the workload.