Consumer guideline protects diners' personal information

Food vendors should take moves to protect consumers' personal information as a guideline was released by the Shanghai Consumer Council on Tuesday to combat the excessive collection and use of personal information from consumers.

They will have to modify their Internet service programs to include policies of privacy protection or simply provide services without the need to reveal personal information.

The violations of frequently tricking consumers into providing irrelevant personal information or compulsorily requesting such information from diners when they scan QR codes to order food and drinks have been widely found at catering firms in the city based on tips-off and investigations, officials revealed.

Excessive collection of unnecessary personal information from consumers has been widely detected by catering businesses in the city, according to Shanghai's cybersecurity authorities and market regulators.

Legal, necessary, honest and proper

The guideline is implemented from Tuesday.

• Catering operators need to remind consumers of privacy policy via a pop-up notification or other obvious ways when consumers first use their dining service via a WeChat program, app or other Internet means, and receive their consent in noticeable ways.
• The personal information collection cannot exceed the authorized scope of consumers, according to the guideline.
• The collection and use of personal information must follow the principles of legal, necessary, honest and proper.
• Restaurants should properly obtain relevant limits of authority and information during different scenes such as registration, meal ordering, and payment. They are banned from collecting irrelevant information at their catering services.
• They are prohibited from forcing or tricking consumers into following their official accounts or sending promotional information to consumers.
• They should bear the responsibility of protecting personal information of consumers and ensure it will not be exposed, stolen or abused.
• Training should be conducted for staff at catering venues regularly to raise their awareness of personal information protection, the guideline says.
• Undercover investigations and public monitoring would be conducted to make sure catering operators abide by the guideline.

Supervision on the way

Inspections on major catering businesses in the city would be conducted in the coming weeks and those failing to fix the problems would face administrative penalties, Shanghai's cybersecurity authorities said.

Last month, cybersecurity authorities and market supervisors collared the SimplyThai, Shake Shack and Starbucks chains for excessive collection of user information.

The three brands were accused of illegally collecting personal consumer information by their failure to provide an option for consumers to refuse to provide data such as names, birthdays, addresses, ID card numbers, and even bank accounts.