Pubs, bars and restaurants using apps

The opportunity for pubs, bars and restaurants to re-open their doors has led many owners and operators to look at how best to minimise physical interaction between staff and customers and to fulfil the government’s request to keep a temporary record of customers’ contact detail for 21 days. As a consequence, the number of mobile app providers offering solutions has exploded, promising the apps can be quickly deployed by businesses and will be easy for customers to use. These offer services such as collecting customer details, booking tables or seats, ordering and paying for food and drinks, facilitating upselling and providing instant messaging between customers and the serving staff.

While the restrictions in maintaining social distancing for both customers and staff will severely reduce the capacity, the app providers promise they will help businesses mitigate the negative effects.

As attractive as those features may be, it remains important for businesses to consider whether the apps they plan to deploy offer them and their customers adequate legal protection.

Data protection

Faced with an evolving government response, there has already been a proliferation of ‘quick-fix’ apps offered to businesses online. When we have reviewed some of these they have had spurious or non-existent data protection information, and would expose any company using them to a real risk of being non-compliant with data protection law.

Before buying and deploying an app a business should:

• Consider if a data protection impact assessment (DPIA) is necessary – this will depend on a number of issues to do with how the app works and how the company uses it. If a DPIA is necessary a business should complete it, and then take any remedial steps identified;
• Think about how its own employees will have access to any customer data collected in the app, and how they will prevent mis-use (such as harassment or other unwanted engagement with customers);
• Look closely at how any social features are used, and any interfaces the app has with social media sites – particularly if, for example, the app will have permissions to automatically post content to a user’s social media profile or let people at a venue know details about other customers who are there;
• Ensure that the contract in place with the app provider includes the information required by Article 28 of the GDPR; and
• Ensure that the app includes accurate and appropriate privacy notices to all users when their data is collected, and that these are carried across to the company’s own notices if necessary.

If a business is developing its own app, it should ensure that it is developed in accordance with the ‘privacy by design’ principles set out in the GDPR. These require that new technology is created with data protection at the core from the outset. Any business developing an app should also ensure that it:

• Is transparent about the purpose of collecting personal data, and the benefits that the app seeks to achieve;
• Collects the minimum amount of personal data necessary to fulfil its purpose;
• Gives users control by allowing them to exercise their rights over their data through the app;
• Keeps personal data for only as long as it is needed;
• Processes the personal data in a secure way; and
• Protects its users through techniques such as pseudonymisation, where possible.

Contracts and Intellectual Property

It is also important to consider the ownership and protection of IP rights in an app.

Where a business is developing an app in-house, it should ensure that all copyright in the underlying code sits with the company. The default position where an employee develops an app in the course of their employment is that any IP in it is owned by the company, as the employer.

Where a business engages a freelancer or third party developer to create a bespoke app, the developer will retain the IP in that code unless there is an agreement to the contrary. In order to use the IP created by a third party, a business will need an appropriate licence or assignment, or to agree a transfer of IP with the developer.

Where a business procures an ‘off the shelf’ app, it will not own any of the associated IP. The business will need a licence to use it. This tends to be provided by the supplier, but businesses should ensure the licence terms are appropriate and provide it with sufficient rights and protections if something goes wrong (such as a significant loss of customer details). Although buying a licence of an ‘off the shelf’ app is likely to be much cheaper and quicker to deploy than having a bespoke app developed, it is less likely to mesh exactly with a business’s operations, so it’s important to ensure any third party app can be configured for effective use with a business’s particular ways of working.

Contributor: Harry Gillen

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions