On June 23, the House Energy and Commerce Subcommittee on Consumer Protection and Commerce marked up the American Data Privacy and Protection Act. The bill would set a national standard for data collection and protection. The National Restaurant Association believes that a preemptive federal data privacy law that creates a single, uniform standard would benefit the industry, but has concerns that this bill, as drafted, would present significant challenges for large and small operators.
“Whether it's putting cash and receipts in a register or safe, or maintaining the highest standards when selecting, storing, and preparing food, security is a priority for restaurant operators,” said Sean Kennedy, executive vice president of Public Affairs for the National Restaurant Association, in a press statement. “Securing our customers’ personal information is no different. As the cornerstone of communities throughout America, restaurant operators build their business on trusted relationships with their guests, and they rely on robust data privacy and security practices to strengthen that trust in today’s digital economy.”
The Association has concerns about specific areas of the bill, including:
- Carveouts in the federal preemption – The Association is concerned that there are far too many carveouts for state-level privacy laws, consumer protection laws, and laws that govern both employee and biometric data, among others. These carveouts essentially nullify the bill’s preemption provision and would require national restaurant businesses to comply with both federal and state laws.
- Inclusion of private right of action – The Association is concerned that the language allowing civil action in federal court would enable trial lawyers to embroil operators in litigation. These actions do not improve consumer protection but do often penalize the operations targeted.
- Loyalty programs – The bill includes language intended to preserve consumer loyalty programs, but the Association feels the provision would inhibit consumers’ and restaurants’ ability to voluntarily establish loyalty relationships. These types of programs are essential to the business model of many restaurants, and the Association hopes the bill can be amended to reflect state data privacy laws that have already been shown to work.
- Service providers and third-party requirements – Restaurants are often a first point of collection for consumer data; however, they should not be held liable for potential data privacy violations committed by their downstream business partners. The Association would like to see the service provider and third-party requirements strengthened so that no consumers are left unprotected when their personal data is handled by any business, regardless of where they live.
- Small data exemption – The bill includes a threshold for small business data exemption; however, the current definition will still place significant burdens on small business restaurants. The Association would like to see the requirements amended so that they will work for the smallest restaurant operators.
- Covered entity definition – Under the current bill, the covered entity definition would mean that restaurants with common branding all become liable for one operator’s infractions. The Association would like to see the bill take into consideration the industry’s unique franchise structure when defining covered entities.
“This bill is moving very quickly through the Committee, and we are working with members to address these concerns. The good news is that all these concerns have resolutions that would vastly improve this bill for the restaurant industry while still strengthening protections for consumers,” said Kennedy.