UK watchdog issues warning over pub apps

App and web placed ordering became commonplace during the COVID-19 pandemic. With social distancing and restrictions in place, ordering food and drink without going to the bar or interacting with waiting staff was a welcome solution after months of lockdown.

Pubs and chains developed their own apps for customers, usually asking for a name, email address, phone number, and payment details. Chains such as Wetherspoons included a handy GPS tracker to make sure customers were ordering from the right pub.

Young’s On Tap, the app for the 200 Young’s pubs across London and the southwest of England, even added an option for customers to split the bill with members of their party, a popular solution at a time when many found themselves out of work or with less disposable income.

Now that restrictions are lifting, restaurants and bars across the UK can return to pre-pandemic style service at the bar or from waiting staff.

However, ordering online has proved popular with customers and businesses alike, with bar queues being avoided and the ordering process significantly speeded up.

This week, the Information Commissioners Office warned the BBC that customers should be careful when handing over personal data when ordering food and drinks via their mobile phones and reminded them that they had a choice over whether to share information.

“I think its too easy to upload an app and straight away put your name, email address, payment details in, without actually understanding fully where that information may be shared and why its being used,” Suzanne Gordon, Director of Data Protection at the ICO told the BBC. “Ultimately this is your data, its your personal information and you need to be confident when youre handing it over and the reasons why.”

Pubs and bars have since contested that they are following the guidelines to inform customers of their rights and how their data will be dealt with.

However, it is fair to assume that a very small proportion of customers actually take the time to read through these terms and conditions, especially when thirsty for a pint.

Is what the ICO is saying reasonable? In the wake of Apple’s IDFA changes, people are becoming more aware of how their data is used and are customed to being given the option of opting-out of their activity being tracked across other companies apps and websites. Are pub apps not obliged to do the same?

Florian Lichtwald, Managing Director and Chief Business Officer of Zeotap, believes the issue is more complex.

“In its commentary, the ICO is largely just reminding businesses of one of the core principles of GDPR, which is data minimisation (Art. 5, c). This shouldn’t come as a surprise to any business collecting and processing their customers’ personal data,” says Lichtwald. “However, this doesn’t definitively answer the question of ‘how much’ data businesses should be collecting on their customers – and the picture here is more nuanced. It can be too easy to position businesses as being wantonly ‘greedy’ for data, but in reality the relationship between the business and its customer is complex, and the value of data to a business can often be in the service of improving this relationship through creating better services and experiences.

“This is nowhere more true than for the hospitality and travel industry: given the struggle here over the last 18 months, the need for data is greater than ever. This is because survival in this industry depends on being able to create winning customer experiences – to do that, you really need to understand your customer, which means you need to collect the appropriate data from them.”

He continues: “This case – like in any situation involving customer data – is about striking a balance between customer needs and business needs in a fair value exchange. That’s why we’re willing to provide a lot of personal data when we book a flight, but we would baulk at handing over the same amount of information when we order a beer. Attempting to collect amounts of data disproportionate to the service provided is simply a bad customer experience, and businesses who put customers first will know to only collect the data they really need.

“However, none of this excuses any violation of laws around data privacy. Regulations like GDPR need to be complied with, and navigating this world is challenging for businesses and customers alike. Adding new sources of data collection like apps only adds to this complexity, and businesses using them will need to make sure that the consent to use the data collected here properly reflects the intended purposes and channels of communication like email, SMS and digital advertising.”

The Data and Marketing Association (DMA) has its own DMA Code, setting the standard of conduct for the industry and to which all DMA members and their business partners must adhere.

Its CEO, Chris Combemale agrees that to enhance customers’ experience through data exchange, businesses need to be clear about its benefits and transparent about where it will be used.

“When data is used to enhance the customer experience, information sharing is essential to businesses wanting to offer a more personalised, streamlined service. Such valuable insights into consumer preferences often lead to better services and deals for repeat customers, which in turn, increases engagement,” says Combemale. “When consumers are considering whether or not to share their data with an organisation, they seek transparency and trust most. Therefore, when it comes to data sharing, organisations must only seek data that is absolutely necessary, highlight the benefits of sharing it, and make it clear that only their business will have access to it.”