All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.
It’s been a long 15 months and now people are heading back out into the world. Lots of people are understandably ready for a drink. Pub spending is up seven per cent compared to the equivalent week in 2019, according to data from Barclaycard. But the pub experience is a little different now.
Rather than sidle up to the bar, you’re cemented to your seat. Table service is the new normal, at least until lockdown restrictions lift further. And small talk with the bar staff has been replaced with ordering through an app. Each pub, or chain, seems to have its own app that you need to download to book a table or make an order – and each of these collects information about you.
“When hospitality started to have an obligation to take contact details last year, there was no obvious privacy-preserving tool to do this with,” says Michael Veale, a lecturer in digital rights and regulations at University College London. “In many hospitality venues, they are still using the technology from the earlier part of the pandemic last year to fulfil orders and table service, which collect unnecessary information.”
So which apps collect what – and should you be worried?
Wetherspoon app
Wetherspoon’s order and pay app has existed since 2017, long before the pandemic, but has become more widely used to aid social distancing in pubs. It collects information including any forms you fill in through the app, such as your name, address, email address and phone number.
In order to make sure you’re ordering food and drinks from the right pub, it also uses GPS to track your location, and unusually can request access to location data when the app isn’t open. This practice “seems unnecessary,” says Konrad Kollnig of Oxford University, and the creator of the TrackerControl Slim app, which analyses how Android apps track and share data.
It gives information such as your email and PayPal username to third-party payment providers, and information about your device, such as the type of operating system. “Personal data provided when registering to use the App shall be retained until such time that the User requests that the Data Controller amend or remove the data,” the app’s privacy policy says.
The Android version of the app appears to have wider-ranging access permissions than the iOS version. On Android, it has the ability to read, modify and delete the contents of your USB storage, and take pictures and video from your camera.
Greene King app
The Greene King app can be used to find and book tables at the more than 1,600 Greene King pubs across the UK, as well as ordering and paying for food. The app’s privacy policy links on both the Apple and Google app stores is broken, but a company spokesperson said it would be fixed shortly. Its wider privacy policy, which covers everything from booking rooms and tables to playing pub poker, doesn’t appear to cover the app in detail except for a small section of a table.
There, the privacy policy says it collects users’ names, contact details, booking information, loyalty card info, transaction details, date of birth, email address, telephone number and payment details.
The Apple App Store says Greene King’s app tracks a lot of data from its users, including search history, device ID and how you interact with the app, alongside the usual name, address, email address and phone number gathered by apps. Like the Wetherspoons app, the Google Play Store contains more wider-ranging permissions than the Apple App Store: Greene King can read, modify and delete the contents of your USB storage, as well as take photos and videos.
Young’s On Tap app
Young’s On Tap, the app for the 200 Young’s pubs across London and the south west of England, adds the ability to split a bill with fellow drinkers in your party. The company’s privacy policy says “When you visit or use any of our Digital Applications, we automatically collect certain information from you,” including geolocation data, device type, access times, and the IP address from which you’re accessing the app.
Many app store reviews have criticised the volume of data the app collects. “The fact you have to give so much detail is also worrying,” one on the Apple App Store reads. “The basics – check in, menu – are all people need,” says another. “Make the rest optional: only Young’s benefits from the rest of the details.”
A spokesperson for Young’s says: “Our app does not require any personal information to use.” However, they add that without personal information provided when creating an account, users would not “benefit from the full range of advanced functions, such as ordering to your table and bar tabs” – which some might view as basic functionality. “There is no obligation for customers to use the app in our pubs,” the spokesperson adds.
Young’s privacy policy says it may use your personal data “to facilitate profiling, segmentation and personalisation – these may be based on location, preferences, interests and past actions (including in-pub purchases, hotel stays and restaurant bookings)”.
Nicholson’s app
Nicholson’s privacy policy is open about the level and type of data it collects. It may process personal data including your name, username, email address, marital status, title, date of birth and gender. It also collects payment and purchase information, including “the date, time and location of sale and your purchasing activity (including vouchers and coupons activity)”.
That worries Rowenna Fielding, a data protection consultant. “Why does a pub app need date of birth or gender, for heaven’s sake?,” she says. A Nicholson’s spokesperson says users are asked to input their date of birth to confirm that they are over the age of 18. “We also ask for an app user’s date of birth so we can send them a complimentary treat on their birthday, however only if they have opted in to receiving our marketing communications.” They confirmed the request for a user’s gender is optional, and due to be removed from the app. They did not say when gender would be removed from the app.
“These pubs are acting as covert data collection agents for the adtech industry,” says Fielding. She worries pub apps haven’t incorporated the requirement under GDPR, Europe’s data regulation rules, for “data protection by design and by default”. “It’s shocking,” she says.
Nicholson’s app also gathers “technical information about the devices you use to access our websites and mobile apps”. This can include your phone's unique identifying codes, IP address, and details about the operating system, browser and geographic location.
As you may expect, it’ll collect details of the orders you make, but it also claims it may also profile information from third-party organisations including “credit reference agencies and ‘customer insight companies’ who give us their views on your household, your status, as well as your possible preferences and behaviours”. Its privacy policy also says: “We do, from time to time, process personal data about you in an automated way to evaluate certain personal aspects about you, including to enable us to analyse and make predictions about your interests and how you are likely to interact with our Group.”
The app has similar differences between its Apple and Android permissions to those like the Wetherspoon and Greene King app. Unusually, the Nicholson’s Android app has permission to run on a device when it starts up. It also shares data with at least five companies – more than most other apps we looked at, according to Kollnig. It shares information with Dynatrace, Airship, Facebook, Google, including the unique advertising identifier that allows user tracking across apps, Kollnig says after running it through his app.
OrderPay app
More than 1,500 pubs, bars and restaurants across the UK use OrderPay. OrderPay says it only collects personal information that “we need and that is relevant for the purposes for which we intend to use it.” That includes your name, email address, telephone number and details of how you log in to the app. It also stores your payment information, but not details of your credit or debit card.
Every time you open and use the app it collects data on where you are using GPS, allergen and dietary information, your transaction history, your IP address, mobile phone service provider, model of phone and “cookie, pixel and beacon identification information”, plus Bluetooth signals. Like Nicholson’s app, OrderPay can run right from starting up your phone.
According to Kollnig, OrderPay sends data to six tracking companies – the most of all Android apps analysed. It also sends location data to OrderPay, which Kollnig claims is unnecessary. “A list of all pubs could be downloaded on the Android device, as is done by the Wetherspoon app,” he says.
All that data could be used and analysed “for market research, insight and intelligence in order to improve our understanding of our market and industry and, as a result, the App and the Services that we deliver”. It says it could hold your data for up to six years, and “may transfer your personal information outside of the United Kingdom (UK) and European Economic Area (EEA)”. If that happens, OderPay says, it will take measures to protect that information in countries where data protection laws aren’t as stringent as the UK.
MyPub app
Stonegate Pub Company, which operates Slug & Lettuce pubs, Walkabout bars and 4,500 pubs around the country, uses its app MyPub to handle orders. The app’s privacy policy says it may collect a user’s name, email address, contact telephone numbers, user IDs and passwords and date of birth, gender, interests, and preferences.
That data could be used to “better understand our customers and online users, including profiling”. The app itself has the ability to read, modify or delete the contents of your USB storage on your phone, according to its Google Play Store page, and can take photos and videos if necessary, as well as tracking your location using GPS.
“MyPub and Greene King seem to have the best privacy properties among the apps studied,” says Kollnig. However, he notes the analysis was only done for a short period – “a few minutes for each app.”
That’s something that didn’t escape the notice of Kollnig’s Oxford colleague, Reuben Binns. “Some of these apps appear to be collecting less data and sharing it with fewer third parties, but still serving their basic function of allowing people to order drinks,” he says. “This begs the question why the others can't do the same.”
- 🌡️ Sign-up to WIRED's climate briefing: Get Chasing Zero
- What does it mean to be Facebook Famous?
- Help, the pandemic has made me an introvert!
- Why hardly anyone buys Google’s Pixel phones
- How Apple's iOS 14.5 update screwed Facebook
- Lewis Hamilton opens up about activism and life beyond F1
- 🔊 Subscribe to the WIRED Podcast. New episodes every Friday
This article was originally published by WIRED UK
