DoorDash's suit on data privacy in NYC

What is meant to help restaurants actually puts them in a sticky situation and also hurts consumers' right to privacy

I am back!

I took another month off from writing this newsletter and spent time in Yellowstone and Grand Tetons to do a lot of thinking. There isn’t much else to do when you are left alone with just your mind and miles of trails in areas with no cell service.

Since mid-September, we’ve seen DoorDash file a lawsuit against New York for its ordinance compelling third-party delivery platforms to share customer data with food service establishments. For simplicity, I’ll just refer to these food service establishments—which also encompass bars, food hall kiosks, quick-serve concepts, and more—as restaurants.

And while the suit is active, the city agreed early last month to hold off on enforcing the law for the time being. As the suit drags on, I wanted to take a look at it to figure out what it entails and articulate some of the issues that I have with it, as well as consider some of DoorDash’s arguments against the law.

Breakdown of the ordinance

According to NYC Int. No. 2311-A and NYC Int. No. 2311, the following are the main points of the local law:

  • Customer data includes the following:

    • Customer’s name

    • Customer’s telephone number

    • Customer’s email address

    • Delivery address of the online order

    • Contents of the online order

  • Food service establishments can request “all applicable customer data” to be furnished on a monthly basis (or on a quicker cadence if requested)

  • All customers are presumed to consent to this data sharing, unless they actively opt out each time they order through a third-party food delivery service

  • Data can be used for “marketing or other purposes” outside the third-party food delivery service’s ecosystem

  • Data is not to be sold, rented out, or disclosed by restaurants to any other party in exchange for financial benefit unless express consent from the individuals has been given

  • Customers can request deletion of their data from restaurants at any time

As we will see below, the ordinance’s vast scope creates issues for consumers’ privacy and also makes assumptions that, in spite of trying to be in the interest of the restaurant, are actually harmful to all parties involved.

Restaurants aren’t winning here, despite what the ordinance wants us to think

The public company ($DASH) makes several valid points in its filing (which of course is done so with a self-serving purpose). I want to take the opportunity to explore three of them: consumable data; consent and privacy; and data protection.

Give us all the data

It does not appear that anyone remotely familiar with data privacy or ethics was consulted in the development of this bill. One of the first questions that should be asked is: what purpose does each field of data serve? For me, I limit the data I process to names and email addresses only, since that is what I strictly use for my customer satisfaction surveys and promotional emails. I have no immediate use for mailing addresses or phone numbers, so I readily discard those data sets, as opposed to housing them and carrying the burden of data protection.

The approach apparent in the drafting of the ordinance was one that cast an oversized net. Requiring third-party delivery platforms to give restaurants everything from the customer’s full name to their address to what they ordered follows a “do it now, ask questions later” approach.

The argument could be made that the all-encompassing information gathered can help small businesses drive hyper-local marketing and advertising campaigns, what with having the actual delivered-to addresses. But that is a faulty premise.

In addition to the issues with data safety, I’d point out that not a lot of these small businesses have the knowledge to make use of such data or the funds to implement such campaigns. In a more likely scenario, businesses may want to have addresses and phone numbers to create additional points of contact to re-engage with customers, but the question of how to do so effectively and ethically is one that remains.


The ordinance is fixated on this relationship between third-party delivery platform and the restaurant, but forgets that the consumer is very much involved as well. With a lot of our online purchases, we’ve become accustomed to buying something once and receiving a never-ending deluge of promotional emails thereafter. This practice is known as “implied consent”, and it is a way to grow email lists, but these are not necessarily the most engaged lists, since they include a wide gamut of gift, one-off, and sometimes, frequent purchases.

But have you ever received mail from somewhere that you never shopped from, but seems kind of similar to what you would’ve bought? Think about those Broadway shows or those pre-approved credit card applications. That’s what the ordinance is trying to get at here with this sharing of data from delivery platform to restaurant where you can receive marketing from a multitude of sources.

At the high level, I don’t mind that idea. I’m ordering from a specific restaurant, and would like to know a little more about them. A lot of what we see now, though, especially as we move toward a more mindful approach in how customer information is acquired, is the active opt-in, whereby you have to actually click a box stating you want to receive promotional emails from said company.

What the ordinance wants to do here, though, is something that is antithetical to moving forward in data privacy and protection. By stating that the consumer will always be presumed to consent to data sharing unless they actively opt out every single time they order from a place, the onus of privacy—as opposed to that of active participation—is put on the consumer. It is also a more positive marketing and relationship-building tactic to have a customer say they want to hear from someone once, as opposed to having the customer reinforce with every purchase that they do not want to hear from a business.

Ownership of data and best practices

Considerably glaring is the lack of consideration of what it takes to house data in terms of monetary expense and knowledge. If we look to Mailchimp as an example (which is what I use) as a CRM (customer relationship management platform), there is a free tier, but if you are a small business that relies on delivery, you are bound to exceed the 2000 contacts at some point during business operations. And after those 2000 contacts, the monthly fees can add up.

The better question to ask, though, is whether or not restaurants see a CRM as a necessary and beneficial expense. Some businesses may very well just use an Excel sheet under the guise of it being a free service, but not realize that there are potential liabilities at stake here. In the event of a breach or theft, how are small businesses expected to cope with any potential fallout? They are most likely far from proficient in the area—their area of expertise is hospitality, not data security.

The ordinance’s clauses about not selling data unless express consent is given and about deleting customer information upon request again shift the burden of data handling onto the restaurant. Again, these nuances are not their expertise. I have seen such types of businesses share customer lists, not realizing there is anything wrong with it, and not knowing how to delete customer data that they weren’t sure they even imported in the first place. With that said, there is no mention of a specific body anywhere in the bill that will oversee compliance with these rules.

To back up this concern about the availability of data and the inability to handle it properly, both Tech:NYC and the Electronic Frontier Foundation cite concerns that this bill leaves the consumer’s right to privacy out of the equation. DoorDash, of course, believes it is the responsible party here, given that it is able to hire those that specialize in data protection and pay for the services that house the information safely, but I believe we can empower small businesses as well if given the opportunity. If we are going to make consumer data readily available—which again, I believe should be opt-in, as opposed to opt-out—small businesses should be given the resources and tools as companion pieces to the customer information that is being solicited.

DoorDash is indeed looking out for DoorDash

While there are valid points that contest the ordinance’s current reach, there are also arguments that are more self-serving than anything else. Specifically, when claiming that the ordinance would impact DoorDash’s trade secrets, provide a pathway to the development of new and competing products, and violate the equal protections clause, the case makes clear that the lawsuit here is about protecting DoorDash’s interests first, and maybe the consumer second.

Trade secrets

One of the most aggressive assertions that DoorDash makes is that the ordinance will “allow restaurants to free-ride on DoorDash’s confidential, commercially valuable data.” The amount of first-party consumer data that the company possesses is what they regard as their trade secret—it is going to be their moneymaker, they believe. After all, this statement comes on the heels of the public company making a play to court advertisers with its advertising offerings. But to say that the restaurants are benefiting from the platform for free feels reckless.

Even though DoorDash provides the platform for restaurants to sell in an expanded ecosystem with delivery, these small businesses are doing the work and heavy lifting that has created such a large database of consumer data. Granted, the contractual agreement allows for DoorDash to own the customer information that passes through the system by their playing the middleman between restaurant and new customer.

And DoorDash tries to make this distinction clear: its contractual dealings with the restaurant have been fulfilled (a marketplace to sell on where they take a % cut). Providing consumer information is another transaction, albeit one where DoorDash does not gain anything outright. However, contractual law aside, it is hard not to associate the two transactions with one another. Sure, I get that we are talking about a second dealing or contract, but how about we not bite the many hands that have made you so plump?

Development of new and competing products

In what is perhaps a way to lay the groundwork for the argument for equal protections, this lawsuit posits that by being provided the trade secrets (i.e. customer information), businesses can “aggregate [the data] with other restaurants to create a competing delivery platform.” Yes, there are co-op delivery services, but if we are talking about something that can take on a public company with a current market cap of $65.83B, we’d need a lot more than customer names, emails, phone numbers, and addresses.

If the market cap number doesn’t faze you, let’s look at market share. DoorDash commands a 57% share of sales across the US as of this past September. Customers may not be loyal to a single service in particular, but a ragtag band of restaurants isn’t going to upend the public company with this ordinance.

Corporate personhood and the fourteenth amendment

As a reminder, I am not a lawyer. I am just interpreting what I read, learning as I go, and piecing everything together in attempts to make sense of what I observe.

Among DoorDash’s causes of action for such a suit, the company cites violation of the Equal Protection Clause of the United States Constitution (42 U.S.C. § 1983). Usually, we’ve seen this clause used in cases for individuals, as the clause itself states:

All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.

However, we have seen cases—Citizens United v. FEC and Burwell v. Hobby Lobby Stores, for instance—in which corporations have adopted personhood in order to leverage an equal protections argument. That’s not to say that “we the people” as corporations has always been widely accepted. There has been opposition to the treatment of corporations as “we the people”, citing corporations as artificial vs. natural persons (Justice Rehnquist’s dissent in Bellotti) and a stretching of the Constitution’s definition of personhood (Justice Stevens’s dissent to Citizens United).

For two or more groups to be treated differently than one another, the court must determine if the favoured party falls under a suspect classification (a class or group of persons meeting a series of criteria that suggests they are the likely subject of discrimination; think Board v. Brown).

Some of the criteria cited in previous equal protections cases have included:

  • Having historically been discriminated against or been subject to prejudice, hostility, or stigma

  • Possessing an immutable or highly visible trait

  • Having been historically unable to protect themselves via political process (“discrete” and “insular minority”)

In DoorDash’s case, the delivery platform says that it is being unfairly discriminated against. While third-party delivery platforms contracted with 20+ food businesses are legally bound to the ordinance (and to the fee cap law), delivery platforms that work with fewer than 20 businesses are exempt. This number of 20 businesses strikes a chord with DoorDash, who claims the number to be arbitrary. And I agree with them. There isn’t any proof that this specific number is a tipping point of a small vs. large business. But this argument is a red herring, distracting us from who needs the actual protection.

Another example that DoorDash cites as a violation of their equal protections is that other third-party platforms, such as reservation systems, are not obligated to disclose customer data. As a quick counter, such data is often available to restaurants; it might have to be requested, but it is seldom withheld in my personal experience. In any case, this argument is yet another distraction from the actual discussion.

The real question for the courts is who is the actual other group—is it the emergent delivery platforms, other types of third-party platforms, or is it the restaurants? If DoorDash positions itself against the first two, they are much more on equal footing with one another. However, if we position it as a case of DoorDash vs. small businesses, we can see where the argument for equal protections may fall. Given that these small businesses often do not have the resources to protect themselves against the unfair legislation that has allowed big tech to flourish, being able to regain a part of the ecosystem that has made delivery platforms succeed may actually be leveling the field, as opposed to making it disadvantageous.

Again, not a lawyer, so I may very well be wrong here, but I figured I’d share my interpretation of suspect classification and how this particular argument could go.

What do restaurants really need when it comes to data?

Being able to craft a full sales funnel digital relationship with customers is what restaurants need now more than ever. With so many of the interactions taking place online, these small businesses cannot just rely on their social accounts, which are only a part of the equation. Especially when you don’t have the ad dollars to put behind a spend on social, these marketing tools become more about the brand, as opposed to performance, and more about generating awareness than conversions.

Third-party delivery platforms, for better or worse, give restaurants a way to piggyback off the platforms’ large sums of ad dollars on TV, digital, and out-of-home ads for a chance at growing an audience while generating sales. This revenue benefits both the restaurant (minus the commission) and the third-party delivery platform, but we unwittingly, as restaurants, sell ourselves short in not knowing that we should be getting more for having helped propel these platforms into giants.

Yes, DoorDash does have a product (and GrubHub too) that lets the restaurant own first-party data, but it’s not enough to create a product that generates CSVs of customer information. And it’s also not enough to create bills that tell platforms to give us a fairer exchange for our work. None of this information is helpful if it isn’t used and if the consumer isn’t a willing active participant.

What we need are actual local laws that give the consumer the right to protect their details and the opportunity to share their information if they would like. And restaurants and other food establishments need to be equipped with at least the basic tools and skills to actually use this data so that they have a chance to succeed and grow their business. I would love to see these third-party platforms create a best practices guide and walk restaurants through the do’s and don’ts of housing first-party data. At the very least, I hope that the small businesses who might read this newsletter consider asking their delivery platform account managers for resources, and start researching CRM best practices on their own.
