UPDATE: October 5, 2021: New York City agreed not to enforce the contested statute while the suit between the city and DoorDash continues, according to court documents filed Monday. As part of the agreement, DoorDash withdrew an injunction filed during the lawsuit. The agreement does not constitute an agreement by NYC that the statute is unconstitutional.

Dive Brief:

• DoorDash filed a lawsuit against New York City on Wednesday objecting to a ordinance that requires third-party ordering and delivery companies to share customers' personal information with restaurants with each order.
• "The Ordinance imposes virtually no restrictions on what restaurants may do with that data, and it does not mandate any data-security requirements once the customer data is transferred to restaurants," the company said in the lawsuit.
• Several municipalities and attorneys general have recently taken aim at third-party aggregators' business practices, and delivery firms are fighting back with lawsuits of their own. Recently, major delivery providers sued New York City and San Francisco over permanent delivery fee caps enacted in each city.

Dive Insight:

Diner data has long been a sticking point for restaurants that partner with third-party delivery providers. Many of these business relationships require the restaurant to cede control of consumer delivery information to the aggregator — exluding them from valuable data that could otherwise help operators improve their offerings.

In order to maintain control of diner data, many restaurants have created their own online ordering websites and apps while partnering with third-party aggregators to complete last-mile delivery. In a blog post, DoorDash said it offers various ways to provide transparency and choice for restaurant partners. These operators can choose to pay commissions as low as 15% and gain access to order insights "to make informed decisions about their menu, and offerings," the company said. In 2020, the company rolled out a turnkey online ordering option that allows restaurants to build direct ordering into their website and to control the customer experience while Dashers complete the orders

But DoorDash alleges that New York City's data sharing requirement goes a step too far, and the platform says several community groups agree, according to a company blog post.

"The New York City Council passed harmful legislation despite clear warnings from several civil rights, immigration, business and privacy advocacy groups about how it would jeopardize New Yorkers' safety and privacy and create a dangerous precedent," a DoorDash spokesperson said in an email. "After ignoring these warnings and shutting out the voices of 5,400 New Yorkers who wrote in opposition, the Council left us no choice than to ask the courts to overturn this unconstitutional and ill-advised legislation." 

The New York Hospitality Association disagrees wih this argument.

"DoorDash spends millions of dollars to take restaurants' customers and withhold their information so they can control the market and extract more fees from small businesses," Andrew Rigie, executive director of the NYCHA, said in an emailed statement. "The Court should reject these claims as sour grapes and uphold the critical information sharing law that allows restaurants to connect directly with their own customers."

The ordinance, which the city council passed in August as a part of a package of bills to regulate third-party marketplaces, requires delivery companies to share customers' phone numbers, email addresses, delivery addresses and the contents of their orders. The legislation allows customers to opt out of sharing information "on an order-by order basis," according to the suit, but also requires third-party aggregators to provide a disclosure saying that dinner information will be shared. 

"In an era of heightened concerns about data privacy and identity theft, this compelled disclosure is a shocking and invasive intrusion of consumers' privacy," DoorDash said in the lawsuit. "It is also an unconstitutional compulsion of speech in violation of the First Amendment, an unconstitutional taking of DoorDash's valuable commercial information, an unconstitutional impairment of private parties' contractual bargains, and a flagrant violation of other constitutional rights."

DoorDash said the company has created robust controls to protect sensitive personal data, but the law doesn't create any restrictions on how a restaurant can use this customer information.

"The Ordinance allows all restaurants to obtain this private customer data, whether or not they have the technical capacity or resources to safely maintain it," the lawsuit states. "Of course, not all restaurants will have the resources to invest in a secure operating system to keep this information protected against modern ransomware and other cyber threats—or even to maintain access controls to ensure that customers' personal information is used only for the restaurant's business purposes."

Third-party companies have been expanding product offerings to provide restaurants with better access to customer information within the last year. Uber Eats added its Uber Eats Manager tool last year, giving restaurants the ability to view customer insights to better understand consumer ordering patterns and improve customer engagement by allowing restaurants to address complaints. Grubhub also launched its Grubhub Direct for independent restaurants, which provides access to customer data and orders, earlier this year.