Tens of thousands of Miamians (in addition to tourists) order food daily via third-party delivery services like DoorDash, GrubHub or Uber Eats.
For some, these platforms offer a convenient way to eat around busy schedules. Similarly, for those without cars, delivery services enable them to experience restaurants that aren’t nearby or close to public transit options.
These services connect residents and tourists to the city’s world-class food scene and allow restaurants, especially smaller establishments that cannot offer their own delivery services, to reach customers across Miami-Dade County.
In short, third-party food delivery services provide a mutually beneficial arrangement that allows restaurants to thrive and tourists and residents to experience Miami’s culinary delights.
Unfortunately, the Board of County Commissioners wants to disrupt this ecosystem while also opening massive cybersecurity vulnerabilities that could serve up sensitive consumer data to criminal networks on a plate — or in this case, in a to-go box.
Later this month, the Miami-Dade County Board of Commissioners will consider an ordinance requiring third-party delivery services to share sensitive consumer information such as names or addresses with restaurants.
Failing to provide this information to restaurants could see the platform slapped with a $100 fine per violation.
While elements of the ordinance are not without merit, particularly provisions that enhance transparency on pricing and charges, forcing third-party delivery services to share data with restaurants will inevitably create massive cybersecurity vulnerabilities.
Restaurants operate on slim margins with small staff and do not have the capital or human resources to implement a robust cybersecurity infrastructure. Such weaknesses would make them easy targets for sophisticated criminal networks looking for a free lunch.
This ordinance would create a government-sanctioned data buffet for criminal networks and force restaurants to deal with a data breach’s significant reputational and financial consequences.
While large chains can absorb the aftermath of a data breach, it could be catastrophic for smaller restaurants, forcing them out of business and entrenching chains as dominant players.
For a city that prides itself on its culinary masterpieces, Commissioners should refrain from creating additional risks for restaurants or creating a more favorable environment for chain restaurants.
More concerning is that Miami’s proposed ordinance bucks the trend of granting consumers more control over how private companies use their data. Over the past few years, state governments have given citizens comprehensive data protection rights, including more control over how private companies use their data and requiring companies to outline how data is used.
Miami’s proposed ordinance, on the other hand, would give consumers less control over their data, with sensitive information forcibly given away without their knowledge, let alone consent.
Under the ordinance’s proposed language, there is no limit to what restaurants could do with consumers’ data. Under the proposed ordinance, a restaurant could sell sensitive data to data brokers without a customer’s knowledge. Consumers are also not allowed to opt out of this data transfer, making it almost impossible for them to control how their data is used once they place an order.
The movement to force data sharing between third-party delivery platforms and restaurants is not unique to Miami; it was first cooked up in New York City in 2021.
Since the City Council passed its data-sharing ordinance, it has been stuck in legal limbo after delivery platforms sued. The delivery platforms argued the provisions violated the U.S. Constitution and represented a “shocking and invasive intrusion of consumers’ privacy.”
Until the courts resolve New York City’s law, Miami’s Board of County Commissioners would be wise not to enact an ordinance that could leave taxpayers on the hook for massive legal bills that result from backing a measure with more holes than Swiss cheese.
While parts of Miami’s proposed data-sharing ordinance has promise, the fact it would create massive and unnecessary cybersecurity risks means Commissioners would be wise to send the ordinance back to the drawing board.
___
Dr. Edward Longe is the director of the Center for Technology and Innovation Policy at The James Madison Institute.