Fast-food chains collect more data on customers' smartphones than most consumers even realize.
— Danni Santana
Phones are very traceable, as the New York Times‘ exposé on ad tech companies and consumer privacy proved this week. But in fast food, restaurants are even more reliant on location data and personally identifiable information (PII) to offer customers a wide range of services.
It’s how chains run loyalty programs, manage delivery orders, and even market limited time offers (LTOs). What many users don’t know about are the ancillary benefits restaurants and chains gain from customer app downloads.
Fast-food operators can request to view other apps users interact with on their devices. In Android jargon, this permission is called “retrieving running apps,” and it can’t be turned off for ad targeting purposes. If granted location access, chains can also track customers’ every move, and see how often they dine at a competitor. By default, all fast-food apps request location access via GPS and mobile networks for the best user experience upon installation.
Burger King used its customer location data to offer a new promotion, the Whopper Detour, earlier this month. Up until this week, customers within 600-feet of a McDonald’s location could order and buy a Whopper sandwich for just one penny.
In a statement about the campaign, Burger King said it was “geofencing McDonald’s locations across the country.” Guests inside one of the aforementioned geofenced areas using the Burger King App on their device would unlock the limited time offer, according to the company. The app permissions users give Burger King in order to get this offer will exist past the promotional period, giving the chain more details about what other restaurants they visit, for instance.
Burger King declined to comment on this story.
iPhone Vs. Android
Based on Skift Table research, fast-food chains don’t always disclose all of their in-app permissions to customers on the Google Play Store or App Store before downloading. Company results also vary on Android and iOS.
(Read about iPhone apps and privacy here.)
As an example, Burger King does not mention in the App Store that it may continuously track customers’ location on the iPhone version of its app, even when the app is running in the background. Consumers have to dig into their iPhone settings, find app permissions, and change it manually. No such capability is mentioned for Burger King’s Android version.
Of the 27 fast-food apps examined by Skift Table, four companies (Cava, Sonic, Arby’s, and Popeyes) had discrepancies in app permissions for Android and Apple devices as well.
Cava, Popeyes, McDonald’s, and Chick-fil-A each disclose in the Google Play Store the ability to track users’ location or activity in the background, ranging from accessing extra location provider commands––used to determine users location for all location-based features––to sending notifications while other apps are in use.
Chick-fil-A goes as far as to publish a location services notice on its app description to ease customers’ concerns, saying “we ask permission to use GPS only to support local offers and promotions, restaurant location finder, and mobile ordering check-in.”
Chick-fil-A also declined to comment on this story.
Android, which is notoriously less strict about consumer privacy than Apple, has slowly crept up to the iPhone maker in making app permissions more transparent to users, according to John Hundley, CEO of security app Glasswire. Recent Android software updates, including the new Android 9 “Pie” operating system, have much more obvious in your face permissions.
“Older Android updates would tell you the app permissions on Google Play, which would run immediately when you downloaded it” said Hundley. “Now, you are prompted to accept permissions after you open it [similar to Apple].”
Glasswire works by managing the Internet usage data apps use up––keeping battery life from draining and Wi-Fi connection from slowing down. If suspicious activity by an installed app causes a spike in data usage, Glasswire sends users alerts with the source of unusual behavior. Mobile apps frequently connecting to servers to update user locations in the background are a prime example of what Glasswire deems unusual behavior.
“We allow customers to take action and block apps that do weird things they don’t like,” Hundley said, adding customers also have the option to turn off location permissions on apps via their phone settings.
Unfortunately, this doesn’t rectify the problem, according to Glasswire. Developers can still get an approximate location on users by using APIs and local cell towers, even if they don’t have exact GPS access to consumers exact whereabouts.
Further complicating the privacy issue for consumers is what most fast-food chains do with collected data––they keep it. At bare minimum, fast-food chains collect payment information, names, and location when completing order information. Not to mention, birthdays and email addresses for loyalty programs.
Arby’s also says it uses this customer information for location-based services, such as locating nearby Arby’s restaurants or identifying special offers that may be of interest to consumers.
“Restaurants need to think is it reasonable what they are asking for. They could just ask for location permission every time if they wanted to,” said Hundley. “Have a little common sense and back off a bit.”
(Read about iPhone apps and privacy here.)