Jun 7, 2024
Privacy’s Impact on QSRs and Retailers
In recent years, an increasing number of states and countries have implemented comprehensive data privacy laws, and many regions that do not yet have such laws are working to adopt them. Many Quick Service Restaurants (QSRs) and retailers are affected by these laws.
In this blog post, we’ll touch on some of the key privacy laws that exist today and their potential financial impacts. We’ll also review the types of QSR and retail applications that may be impacted by these laws and what you should do to protect the privacy of your data and avoid potential fines for privacy law violations.
What Data Privacy Laws Are in Place Today?
Here are some of the key data privacy laws that have been implemented to date, including the effective dates and fines for each:
Key Data Privacy Laws
| State/Country/Region | Law | Effective Date | Non-Compliance Fines |
|---|---|---|---|
| California | California Consumer Privacy Act of 2018 (CCPA) | January 1, 2020 | Up to $2,500 for each unintentional violation; up to $7,500 for each intentional violation. |
| California | California Privacy Rights Act (CPRA) | January 1, 2023 | Up to $2,500 for each unintentional violation; up to $7,500 for each intentional violation. |
| Colorado | Colorado Privacy Act | January 1, 2023 | Up to $20,000 per violation. |
| Connecticut | Personal Data Privacy and Online Monitoring Act | July 1, 2023 | Up to $5,000 per willful violation. |
| Utah | Utah Consumer Privacy Act | December 31, 2023 | Up to $7,500 per violation. |
| Virginia | Consumer Data Privacy Act | January 1, 2023 | Up to $7,500 per violation. |
| Europe | General Data Protection Regulation (GDPR) | May 2018 | Up to 4% of annual revenue for each violation. |
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | January 2004 | Up to $100,000 Canadian dollars. |
If you do business in or handle data from customers in any of the geographies covered by these laws, you will be required to meet certain data privacy requirements and will be subject to fines for non-compliance. For example, if your business is in California, but you have European customers making online purchases, you will likely need to comply with CCPA, CPRA, and GDPR.
While many data privacy laws are similar across geographies, there are some significant differences. We’ll provide links to additional Tevora resources at the end of this post to help you understand those differences.
Some of the fines for non-compliance may not seem significant (e.g., $2,500 per violation), but keep in mind that you could potentially be subject to fines for multiple violations, which can add up quickly.
While data privacy laws have been effective in Europe and Canada for years, the U.S. has been slower to act and has not yet implemented a nationwide privacy law. California has been the leader at the state level with its CCPA law becoming effective in 2020. However, other states are rapidly catching up, and all of the states in the table above (other than California) have privacy laws that will become effective in 2023, which is just around the corner. If you will be subject to the new laws in any of these states, we recommend you start work immediately to bring your organization into compliance.
We’re Just a Small Operation. Do We Really Need to Comply with These Laws?
We often hear from our QSR and retail clients that they don’t feel they should be subject to these laws because they are a small operation that can’t afford to dedicate resources to data privacy. For example, one of our burger restaurant clients said: “We just flip burgers. Our margins are thin, and we have minimal staff in security and can’t afford to hire staff to do this”.
Other clients are simply not aware of the privacy laws that apply in their geographies.
Many clients have taken steps to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect payment information but don’t realize that they need to go further to protect sensitive customer data that they use for other purposes (e.g., email addresses used for marketing campaigns).
While we are sympathetic to these very real issues, the reality is that privacy laws are either here today or coming shortly, and complying with them will simply have to become part of your business. Hoping the laws go away will not get you off the hook.
However, this doesn’t mean hiring an army of security and privacy experts. There are many third parties (including Tevora) that have the expertise needed to help your organization comply with privacy laws.
What Types of Applications Are at Risk of Violating Data Privacy Laws?
Here are some of the applications (other than payments) we’ve encountered at our QSR and retail clients that may handle personal information:
- Loyalty programs that handle customer name, address, zip code, phone number, etc.
- Mobile ordering applications that handle personal information about customers.
- In-dining applications that enable customers to order and pay from a tablet, then email a receipt to the customer or sign the customer up for notifications or offers from the restaurant.
- Marketing campaigns that use demographic information about customers.
- Online applications that use the customer’s device to take a picture or video of the customer. Photos and videos are considered personal information under most privacy laws.
- Websites that store cookies with personal customer information.
These are just a few of the applications we’ve encountered and are by no means an inclusive list.
Privacy laws generally cover sensitive customer information used in these applications and have prescribed fines that apply if the information is not properly handled and protected in accordance with the laws.
What Should We Do to Ensure the Privacy of Our Data?
Ensuring the privacy of your data can involve a variety of things, including:
- Encrypting personal information when stored or transmitted.
- Fortifying your environment against external attacks by cybercriminals.
- Providing your customers with the ability to request that their personal information be deleted or not used in marketing campaigns. Many of the privacy laws have specific provisions for these types of customer requests.
- Performing a thorough inventory and mapping of personal information used by your organization and restricting storage and use of this information to only those applications that require it.
- Periodically deleting personal information that is no longer needed.
These are some of the important things that can help ensure the privacy of your data. The legal requirements for your organization will vary depending on the data privacy laws applicable to the region(s) in which you operate.
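To make the inventory, deletion-request and retention steps above concrete, here is a small loyalty-program record store written as an added example for this post; it is not code from the post or from Tevora. It assumes an illustrative classification of the loyalty fields the post names (name, zip code, phone, email) as personal information, a constructed 730-day retention window for inactive members, that a point balance is kept after personal fields are erased, and constructed sample records.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the loyalty-program fields named in the post, classified here as personal
# information for illustration only; the legal classification depends on the law.
PERSONAL_FIELDS = ("name", "zip_code", "phone", "email")
RETENTION_DAYS = 730  # constructed retention window for inactive members (assumption)

@dataclass
class LoyaltyMember:
    member_id: str
    name: str
    zip_code: str
    phone: str
    email: str
    last_visit: date
    marketing_opt_in: bool = True
    points: int = 0  # aggregate balance, treated here as non-personal (assumption)

def sample_members():
    """Constructed sample records, not real customers."""
    return [LoyaltyMember("m1", "Ada Example", "90001", "555-0100", "ada@example.com", date(2024, 5, 1), points=120),
            LoyaltyMember("m2", "Ben Example", "80202", "555-0101", "ben@example.com", date(2021, 1, 15), points=30)]

def inventory(records):
    """Inventory step: which personal fields each record actually holds."""
    return {r.member_id: [f for f in PERSONAL_FIELDS if getattr(r, f)] for r in records}

def handle_request(records, member_id, delete):
    """Customer request: delete=True blanks every personal field (points kept); either way, opt out of marketing."""
    for r in records:
        if r.member_id == member_id:
            if delete:
                for f in PERSONAL_FIELDS:
                    setattr(r, f, "")
            r.marketing_opt_in = False
            return True
    return False

def marketing_audience(records):
    """Only opted-in members that still hold an email address reach a campaign."""
    return [r.email for r in records if r.marketing_opt_in and r.email]

def retention_sweep(records, today, retention_days=RETENTION_DAYS):
    """Periodic job: erase personal data of members inactive beyond the retention window."""
    cutoff = today - timedelta(days=retention_days)
    swept = [r.member_id for r in records if r.last_visit < cutoff and inventory([r])[r.member_id]]
    for mid in swept:
        handle_request(records, mid, delete=True)
    return swept
```

The sweep is idempotent: a member whose personal fields are already blank is not reported again, which keeps the periodic job's output a useful record of what was erased on each run.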
Additional Resources
Here are some additional resources that provide a deeper dive into the topics covered in this blog post:
- Tevora Privacy Tracker with detailed information on data privacy laws
- Webinar: Privacy Regulation for 2022: What to Expect
- Webinar: ISO 27701 Privacy Information Management: Why to Certify
- Blog: Tevora Data Privacy Law Comparison: CCPA, CPRA, GDPR, and PIPEDA
- Blog: Use the OWASP Top 10 Privacy Risks to Ensure Rock-Solid Privacy in Your Web Applications
- Tevora Data Privacy Services
- Tevora Privacy Engineering Datasheet
- Tevora Privacy Governance Datasheet
We Can Help
Tevora has over 20 years of experience helping QSRs and retailers identify and remediate data privacy risks and vulnerabilities. We also have a deep understanding of U.S. and international data privacy laws and can help bring your organization into compliance with the laws that are applicable to it.
If you have questions about data privacy laws or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at sales@tevora.com.