Deliveroo Accused of Violating GDPR by Selling Customer Data to Restaurant Chains

The Curious Codex

Published 2024-05-31, Updated 2024-06-17 (42 votes)



The Author
GEN UK Blog

By Richard (Senior Partner)

Richard has been with the firm since 1992 and was one of the founding partners.

Introduction

Back in February 2019, our staff authored a blog article on food delivery companies, which at the time meant Deliveroo, Ubereats and Just Eat. For that article, our staff subscribed to all three services and then, over the course of a month, ordered food every day from a range of restaurants. The key takeaway was that, whilst the idea was good, the people these companies employed to deliver the food were sometimes of questionable ability: on more occasions than we'd like, the delivery person wasn't even able to read building numbers or handle simple navigation. Support from these companies in the event of an issue was also assessed, and all three were found to be 'lacking'.

We updated that article in May 2024, when our trusty staff re-ran the same test and discovered some interesting facts about how the industry had evolved. We learnt that all three were bundling multiple deliveries from the same restaurant, and that both Deliveroo and Ubereats were upfront about it, telling the customer that another delivery was ahead of theirs. Just Eat, on the other hand, wasn't upfront, giving the customer feedback like 'Driver assigned', 'Driver at the restaurant' etc. when in fact Just Eat was waiting for more orders to come in for the same restaurant before assigning anyone. This is backed up by a chat transcript and by calls to a few restaurants where 'driver at the restaurant' was, at the very least, untrue.

When our staff author articles and do research, they use a specially crafted email address for every vendor they sign up with, allowing us to track the sale and distribution of those addresses: any mail arriving at an address that was only ever given to one vendor can be traced back to that vendor. This isn't a recent thing; we've been tracking illicit information trading for a while now.

Deliveroo

In a shocking revelation (ok fine, not that shocking and not a huge surprise), evidence has emerged that Deliveroo has been selling customer data to restaurant chains, enabling them to send unsolicited spam to customers. This practice is in clear violation of the General Data Protection Regulation (GDPR), which mandates that companies protect the personal data of their customers and obtain explicit consent before sharing it with third parties.

Deliveroo's Privacy Policy states, under "Third-party marketing":

    "We will get your express opt-in consent before we share your personal data with any company outside the Deliveroo plc group of companies for marketing purposes."

But that does not seem to be the case. We received an email today with the following headers (our own address and border router redacted):

    X-Original-To: [Our specific Deliveroo email address]
    Delivered-To: [Our specific Deliveroo email address]
    Received: from asrv238.emails.atreemo.co.uk (asrv238.emails.atreemo.co.uk [212.113.20.238])
        by [Our border router]
        for [Our specific Deliveroo email address]; Fri, 31 May 2024
    Message-ID: <.......@news.fiveguys.co.uk>
    Date: Fri, 31 May 2024
    To: [Our specific Deliveroo email address]
    From: "Five Guys UK"
    Reply-To: "No Reply"
    Subject: What_you_didn't_know_about_Five_Guys_Burgers!
    MIME-Version: 1.0

The address this arrived at was given to Deliveroo and to nobody else, yet the message was generated at news.fiveguys.co.uk and relayed by asrv238.emails.atreemo.co.uk.
Under GDPR, companies are required to delete customer data upon request and are prohibited from retaining it for longer than necessary. By holding onto the staff member's data long after they closed their account, Deliveroo is in breach of these regulations. Furthermore, the sale of this data to Five Guys without the data owner's consent is a clear violation of the customer's right to privacy and of Deliveroo's own privacy policy, and that is before taking into account that Five Guys has passed the information on to a third company, atreemo.co.uk, which is actually doing the spamming.
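The tracking-address technique described in the introduction can be automated: given a registry of which crafted address was handed to which vendor, each inbound message can be mapped back to its vendor and compared against the domains that sent and relayed it. This is an added example, not the firm's own tooling; the registry, the example.com addresses and the sample message (modelled on the headers quoted above) are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: which vendor each crafted address was handed to.
TRACKING_ADDRESSES = {
    "deliveroo-2019@example.com": "deliveroo",
    "justeat-2019@example.com": "justeat",
}

# Constructed sample, modelled on the headers quoted in the post.
SAMPLE_MAIL = """\
X-Original-To: deliveroo-2019@example.com
Delivered-To: deliveroo-2019@example.com
Received: from asrv238.emails.atreemo.co.uk (asrv238.emails.atreemo.co.uk [212.113.20.238])
\tby mx.example.com for <deliveroo-2019@example.com>; Fri, 31 May 2024 10:00:00 +0100
Message-ID: <constructed-id@news.fiveguys.co.uk>
From: "Five Guys UK" <news@news.fiveguys.co.uk>
Reply-To: "No Reply" <noreply@news.fiveguys.co.uk>
Subject: What_you_didn't_know_about_Five_Guys_Burgers!
"""

def sender_domains(msg):
    domains = set()
    for hdr in ("From", "Reply-To"):              # visible sender identities
        _, addr = parseaddr(msg.get(hdr, ""))
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    mid = msg.get("Message-ID", "")                # host that minted the message
    if "@" in mid:
        domains.add(mid.rsplit("@", 1)[1].strip("<> ").lower())
    for received in msg.get_all("Received", []):   # relays that handed it to us
        m = re.match(r"\s*from\s+([\w.-]+)", received)
        if m:
            domains.add(m.group(1).lower())
    return domains

def classify(raw):
    """Map the delivery address back to its vendor, then compare with the sender."""
    msg = message_from_string(raw)
    _, rcpt = parseaddr(msg.get("X-Original-To") or msg.get("Delivered-To", ""))
    vendor = TRACKING_ADDRESSES.get(rcpt.lower())
    if vendor is None:
        return {"tracked": False}
    domains = sender_domains(msg)
    # Heuristic: the vendor's own mail should carry its name in at least one
    # domain; a mailing provider the vendor itself uses needs an exception here.
    leaked = not any(vendor in d for d in domains)
    return {"tracked": True, "vendor": vendor, "address": rcpt,
            "sender_domains": sorted(domains), "leaked": leaked}
```

Running `classify(SAMPLE_MAIL)` reports the Deliveroo-only address as leaked, with news.fiveguys.co.uk and asrv238.emails.atreemo.co.uk as the sender domains; the same mail from a deliveroo.co.uk sender would not be flagged.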

GDPR

In the years before GDPR, the data protection regulation was fairly weak, and whilst its 'intention' was to protect personal data, it never really did. Companies had free rein to distribute your personal data without consequence, and indeed in many countries, they still can.

But on the 25th of May 2018, in the UK and EU, GDPR changed all that, introducing a number of key principles, including:

  • The right to be forgotten
  • The right to access your data
  • The right to have your data corrected
  • The right to have your data deleted
  • The right to object to the processing of your data
  • The right to restrict the processing of your data
  • The right to data portability
  • The right not to be subject to automated decision-making, including profiling.

This legislation is complex and heavy-handed, and firmly weighted in favour of the data subject: you. In our own business operations we have to carefully accommodate GDPR, in our cloud services, our email services and even our data storage services. If we're processing or storing personally identifiable information for a client, then we too must be GDPR compliant, and we must protect that data by all reasonable means.

This incident raises serious concerns about Deliveroo's data protection practices and their disregard for customer privacy. Customers have the right to expect that their personal data will be handled securely and ethically, and companies that fail to uphold these standards must face consequences. We have, of course, forwarded our evidence to the Information Commissioner's Office for investigation.

In Review

GDPR should protect all citizens of the UK and EU from having their data sold and traded without their consent; that was the whole point of it. In practice, however, it really hasn't made a huge difference, with companies like Google, Facebook, etc. still selling your most personal data to anyone, anywhere, with impunity. This raises a question about the legal reach of GDPR, which in the UK extends only to UK companies' operations, and therefore companies outside the UK, or UK companies with operations outside of the UK, are still able to do anything they wish. It doesn't matter that the company has a .uk domain, and it doesn't matter that they describe themselves as "Deliveroo plc is registered in England and Wales. Company No. 13227665." When you use their app or website, where are you actually talking to?

deliveroo.co.uk:
location:
  country: Canada
  regionName: Ontario
  city: Toronto
  zip: M5A
  lat: 43.6532
  lon: -79.3832
  timezone: America/Toronto
  org: Cloudflare, Inc.

So when you're filling in the sign-up form, you're filling it in on a server based who knows where, through a proxy in Canada.

I'm fairly confident that this complaint to the ICO will go nowhere because Deliveroo will simply claim that the head office in the USA sold the data to another USA company, 'Five Guys', and is therefore out of scope. Honestly, there's no way around this; our laws cannot extend outside of our borders, and the Internet certainly doesn't stop there. It would be 'nice' if Deliveroo didn't sell your data, but they can and will.


Update 2024-06-17

Yet more spam from 'Five Guys' is arriving at our custom Deliveroo email address, establishing this as a clear 'sale' of data and not a one-off mistake.


    From: "Five Guys UK"
    Reply-To: "No Reply"
    Subject: Football and Five Guys on Father's Day
