Deliveroo Accused of Violating GDPR by Selling Customer Data to Restaurant Chains
The Curious Codex
2024-05-31 Published
2024-07-04 Updated
1184 Words, 6 Minute Read
By Richard (Senior Partner)
Richard has been with the firm since 1992 and was one of the founding partners
Introduction
Back in February 2019, our staff authored a blog article on food delivery companies, which at the time meant Deliveroo, Ubereats and Just Eat. For that article, our staff subscribed to all three services and then, over the course of a month, ordered food every day from a range of restaurants. The key takeaway was that, whilst the idea was good, the people these companies employed to deliver the food were sometimes of questionable ability; on more occasions than we'd like, the delivery person wasn't even able to read building numbers or handle simple navigation. Support from these companies in the event of an issue was also assessed, and all three were found to be 'lacking'.
We updated that article in May 2024, when our trusty staff re-ran the same test and discovered some interesting facts about how the industry had evolved over time. We learnt that all three were making multiple deliveries from the same restaurant; Deliveroo and Ubereats were upfront about that, telling the customer that another delivery was ahead of theirs. Just Eat, on the other hand, wasn't upfront, giving the customer feedback like 'Driver assigned' or 'Driver at the restaurant' when actually Just Eat was waiting for more orders to come in for the same restaurant before assigning anyone. This is backed up by a chat transcript and by calls to a few restaurants where 'driver at the restaurant' was, at the very least, untrue.
When our staff author articles and do research, they use a specially crafted email address for every vendor they sign up with, allowing us to track the sale and distribution of those email addresses. And this isn't a recent thing; we've been tracking illicit information trading for a while now.
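The per-vendor alias approach described above lends itself to automation. This is an added example, not the article's own tooling: it maps the alias a message arrived at back to the vendor it was registered with and flags a From domain or first relay that is not the vendor's own. The registry, the example.net aliases, the mailbox local parts and the control message are constructed; the relay host, its IP and the fiveguys.co.uk domain are taken from the headers quoted further down the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: one throwaway alias per vendor, recorded at sign-up,
# with the domains that vendor is expected to mail from.
ALIAS_REGISTRY = {
    "deliveroo-2019@example.net": {"vendor": "Deliveroo", "domains": {"deliveroo.co.uk"}},
}

# Constructed headers modelled on the message quoted in the article; mailbox local parts are placeholders.
LEAKED_SAMPLE = """\
X-Original-To: deliveroo-2019@example.net
Received: from asrv238.emails.atreemo.co.uk (asrv238.emails.atreemo.co.uk [212.113.20.238])
    by mx.example.net for deliveroo-2019@example.net; Fri, 31 May 2024 09:00:00 +0000
From: "Five Guys UK" <placeholder@news.fiveguys.co.uk>
To: deliveroo-2019@example.net
Subject: What_you_didn't_know_about_Five_Guys_Burgers!
"""

# Constructed control message from the vendor itself (hostname invented); must not be flagged.
LEGIT_SAMPLE = """\
X-Original-To: deliveroo-2019@example.net
Received: from mail.deliveroo.co.uk (mail.deliveroo.co.uk [192.0.2.10])
    by mx.example.net for deliveroo-2019@example.net; Fri, 31 May 2024 08:00:00 +0000
From: "Deliveroo" <placeholder@deliveroo.co.uk>
To: deliveroo-2019@example.net
"""

def _permitted(host, domains):
    # True if host is one of the vendor's domains or a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in domains)

def analyse(raw_message):
    """Map the recipient alias back to its vendor and flag off-vendor senders and relays."""
    msg = message_from_string(raw_message)
    alias = parseaddr(msg.get("X-Original-To") or msg.get("To") or "")[1].lower()
    entry = ALIAS_REGISTRY.get(alias)
    if entry is None:
        return {"alias": alias, "vendor": None, "flags": [], "verdict": "unknown-alias"}
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    # The topmost Received header is the hop that handed the message to our border MTA.
    hit = re.search(r"from\s+([\w.-]+)", msg.get("Received") or "")
    relay = hit.group(1).lower() if hit else ""
    flags = []
    for label, host in (("From domain", sender_domain), ("relay", relay)):
        if host and not _permitted(host, entry["domains"]):
            flags.append(f"{label} {host} is outside {entry['vendor']}")
    return {"alias": alias, "vendor": entry["vendor"], "sender_domain": sender_domain,
            "relay": relay, "flags": flags, "verdict": "leaked" if flags else "ok"}
```

Run over a mailbox of such aliases, any "leaked" verdict gives you the date the alias first surfaced elsewhere and the party that used it, which is the evidence a complaint to a regulator needs.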
Deliveroo
In a shocking revelation (ok fine, not that shocking and not a huge surprise), evidence has emerged that Deliveroo has been selling customer data to restaurant chains, enabling them to send unsolicited spam to customers. This practice is in clear violation of the General Data Protection Regulation (GDPR), which requires companies to protect their customers' personal data and to obtain explicit consent before sharing it with third parties.
Deliveroo's Privacy Policy states, under 'Third-party marketing':
We will get your express opt-in consent before we share your personal data with any company outside the Deliveroo plc group of companies for marketing purposes.
But that seems not to be the case. Today we received an email from Five Guys UK at our Deliveroo-specific address, with the following headers:
X-Original-To: [Our specific Deliveroo email address]
Delivered-To: [Our specific Deliveroo email address]
Received: from asrv238.emails.atreemo.co.uk (asrv238.emails.atreemo.co.uk [212.113.20.238])
by [Our border router]
for [Our specific Deliveroo email address]; Fri, 31 May 2024
Message-ID: <.......@news.fiveguys.co.uk>
Date: Fri, 31 May 2024
To: [Our specific Deliveroo email address]
From: "Five Guys UK"
Reply-To: "No Reply"
Subject: What_you_didn't_know_about_Five_Guys_Burgers!
MIME-Version: 1.0
Under GDPR, companies are required to delete customer data upon request and are prohibited from retaining it for longer than necessary. By holding onto the staff member's data long after they closed their account, Deliveroo is in breach of these regulations. Furthermore, the sale of this data to Five Guys without the data owner's consent is a clear violation of the customer's right to privacy and of Deliveroo's own privacy policy, and that's before taking account of the fact that Five Guys have passed this information on to a third company, atreemo.co.uk, who are actually doing the spamming.
GDPR
In the years before GDPR, data protection regulation was fairly weak, and whilst its 'intention' was to protect personal data, it never really did. Companies had free rein to distribute your personal data without consequence, and indeed in many countries they still can. But on the 25th of May 2018, in the UK and EU, GDPR changed all that, introducing a number of key principles, including:
The right to be forgotten
The right to access your data
The right to have your data corrected
The right to have your data deleted
The right to object to the processing of your data
The right to restrict the processing of your data
The right to data portability
The right not to be subject to automated decision-making, including profiling.
This legislation is complex and heavy-handed, and firmly weighted in favour of the data subject, you. In our own business operations we have to carefully accommodate GDPR in our cloud services, our email services and even our data storage services. If we're processing or storing personally identifiable information for a client, then we too must be GDPR compliant, and we must protect that data by all reasonable means.
This incident raises serious concerns about Deliveroo's data protection practices and their disregard for customer privacy. Customers have the right to expect that their personal data will be handled securely and ethically, and companies that fail to uphold these standards must face consequences. We have, of course, forwarded our evidence to the Information Commissioner's Office for investigation.
In Review
GDPR should protect all citizens of the UK and EU from having their data sold and traded without their consent; that was the whole point of it. In practice, however, it hasn't made a huge difference, with companies like Google, Facebook, etc. still selling your most personal data to anyone, anywhere, with impunity. This raises a question about the legal reach of GDPR, which in the UK extends only to UK companies' operations; companies outside the UK, or UK companies with operations outside the UK, are therefore still able to do anything they wish. It doesn't matter that the company has a .uk domain, and it doesn't matter that they describe themselves as "Deliveroo plc is registered in England and Wales. Company No. 13227665." When you use their app or website, where are you actually talking to?
deliveroo.co.uk:
location:
country: Canada
regionName: Ontario
city: Toronto
zip: M5A
lat: 43.6532
lon: -79.3832
timezone: America/Toronto
org: Cloudflare, Inc.
So when you're filling in the sign-up form, you're filling it in on a server based who knows where, reached through a proxy in Canada.
I'm fairly confident that this complaint to the ICO will go nowhere, because Deliveroo will simply claim that the head office in the USA sold the data to another USA company, 'Five Guys', and that it is therefore out of scope. Honestly, there's no way around this; our laws cannot extend outside of our borders, and the Internet certainly doesn't stop there. It would be 'nice' if Deliveroo didn't sell your data, but they can and will.
Update 2024-06-17
Yet more spam from 'Five Guys' is arriving at our custom Deliveroo email address, establishing this as a clear 'sale' of data and not a one-off mistake.
From: "Five Guys UK"
Reply-To: "No Reply"
Subject: Football and Five Guys on Father's Day
Comments (3)
Yin Lee
· 2024-07-08 15:42 UTC
Deliveroo are the worst, their riders can't even read street signs and navigate.
Riguard Ltd
· 2024-07-03 17:46 UTC
So is this a policy now, or an accident? Doesn't really say which, but actually, you're right, Deliveroo can sell your data to anyone they want.
Roger
· 2024-07-02 08:41 UTC
Was anyone surprised by this?
--- This content is not legal or financial advice & Solely the opinions of the author ---