Getty Images

Pub apps harvesting swathes of customer data unnecessarily

Some pub and restaurant chain apps demand data such as gender and marital status, raising eyebrows among privacy campaigners

Food and beverage-ordering apps run by Mitchells & Butlers, the company behind chains such as All Bar One, Browns and Harvester, as well as pubco Greene King, have emerged as some of the most data-hungry apps in the hospitality sector, according to newly published data from comparison service Uswitch.

The use of mobile apps to replace traditional paper menus has been one of the most obvious impacts of the Covid-19 pandemic, as they eliminate social contact points between front-of-house staff and customers, but while these apps may have played a role in driving down transmission rates, they also require a certain amount of user data to run.

Earlier this week, the Information Commissioner’s Office warned that many pubs and restaurants were asking customers for much more personal data than was strictly relevant and necessary. The privacy watchdog’s Suzanne Gordon told the BBC it was far too easy to upload an app and input lots of data into it without fully understanding where the information might be shared and why it was being requested.

Uswitch’s Catherine Hiley said: “In the post-Covid world we live in, many bars, pubs and restaurants have kept up their table-service apps for customers’ convenience.

“And while certain elements of data will be needed for these apps to work, such as location and age verification for alcohol, some apps have a tendency to push the boundaries on the amount of data they require from customers.”

Besides information that would be expected to be provided, such as order history and payment details, Mitchells & Butlers asks its customers for 22 out of 24 possibly relevant data points, including home address, gender, data of birth, marital status, and social media profiles and content. Greene King requests 17 out of 24.

By comparison, Stonegate, which operates thousands of bars, pubs and clubs, asks for 12 out of 24, and the Wetherspoons app asks for just nine out of 24 data points.

At the lower end of the scale are a number of apps created for hospitality businesses by independent developers, such as Butlr, DrinkApp, Hungrrr, OrderPay, RoundApp and Swifty. All of these request fewer than 10 data points.

The most privacy-conscious app, according to Uswitch’s data, is OrderPay, which requests just two data points from users, their food and drink order history, and dietary requirements. OrderPay is used at a number of chains, including Be At One, Bierkeller, Bar Soho and Giggling Squid.

Hiley said it was important for customers to be aware of the reasons companies may ask for their personal data and to consider what it might be used for if they consent for it to be collected.

“While we can’t be sure of the true intentions of each and every app, there are some steps users can take to better protect their personal data,” she said.

“Before you install any app, check the reviews to find out what other users have said about it. If you’re not sure, don’t download and install.

“If an app asks for permissions that it really shouldn’t need to function, then you should question the reason for it asking to collect that data. For example, why should Greene King or Butlr need to know your social media profile and preferences?”

Read more about data privacy

Hiley also advised pub and restaurant-goers to keep on top of the apps on their phone, updating those that need updates, and deleting those that they no longer use, which besides reducing their data exposure surface, can have the additional beneficial side-effect of improving the phone’s battery life, and keeping abreast of what permissions the apps you do use are asking for.

“Did you know that many apps can still function without all of the permissions they might ask you to agree to?” she said. “Why not experiment with different combinations of permissions to see if you can safeguard your personal information?”

Jake Moore, a cyber security specialist at ESET, commented: “With it becoming increasingly easy not to question what personal data is leaking from our phones, it is no surprise that so much information is out there without our knowledge. Many people agree to various terms and conditions without question, which may seem frivolous or inconsequential at the time. However, later on, this data can be abused or added to a profile of previously stored information and then used illicitly.

“I would urge people to think about every app on their phone and every website they visit as to what personal data they give away. Remember: the local pub doesn’t need your full name or primary email address to bring a drink to your table.”  

Computer Weekly contacted both Mitchells & Butlers and Greene King, but had not received a response at the time of publication. This article will be updated should that change.

Read more on Privacy and data protection