December 17, 2019

Last Updated on January 19, 2024

As an information security and privacy firm, we talk to a lot of people in businesses like financial services, healthcare, legal, municipalities, Software-as-a-Service… because their cyber security and privacy risks are large and obvious. But a recent series of discussions with several restaurant chains has been an eye-opener.
Issues around data protection, privacy laws and third-party risk management (TPRM) are looming large in the restaurant industry. Nearly every restaurant takes credit card payments, and many capture customer data (e.g., name, address, behavior data points) for loyalty programs. Regulatory compliance concerns around this data are escalating not only for major chains, but also for local restaurants. At the same time, people are demanding more control over what data businesses—including restaurants—keep about them, how it is used, and how it is protected.

Two rapidly emerging privacy concerns for restaurants include:

  • Compliance with new privacy laws like the California Consumer Privacy Act (CCPA). It’s clear that US-based restaurants with locations in California are subject to the CCPA. But even eateries with no footprint in California could still be subject to it if they regularly serve California residents. And with more privacy laws undoubtedly coming soon, “universal” data privacy compliance may soon be “on the menu” for restaurants of all sizes, regardless of their clientele.
  • Third-party risk management (TPRM). Calling your favorite restaurant to book a reservation is going the way of the VCR. Patrons now have a real-time view of table availability and can conveniently make reservations online through services/apps like OpenTable on their smartphones. Restaurants need to partner with these services to increase traffic and manage table turns more efficiently. But such services process significant personal information (PI), including physical addresses. How well does the app provider protect that data? How might the provider be sharing that sensitive data with other third parties, with or without a restaurant’s knowledge? Will restaurants suffer reputational damage and/or legal sanctions if this data is breached? Will major service providers like OpenTable “turn the tables” and require their restaurant partners to prove they can protect the PI shared with them?

Emerging data protection challenges are driving restaurants to recognize the value of PI and embrace their responsibility to handle it with care and common sense.
Whatever your industry, the ability to prove privacy compliance and ease customers’ minds about data security can be a competitive differentiator.
To brainstorm with an expert about the privacy and data protection issues your business may be facing, contact Pivot Point Security.
For more information:

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).
Download our free TPRM PDF guide now!