Naming and shaming no shows is a no-no

I know a couple who run a restaurant. And I know how the problem of no-shows can cause great economic damage to restaurants. Failing to show up, or to cancel in advance, is, moreover, incredibly rude. But the response, which I only became aware of today, of naming and shaming the no-show customers on twitter is a risky and probably unlawful one for restaurateurs to take.

In the instance I saw this morning a London restaurant had apparently searched for the twitter account of a person who they thought had failed to show, and had openly tweeted their displeasure. He, however, had email proof that he had cancelled in advance. The restaurant investigated, accepted this, and apologised (and the customer accepted, so I’m not going to name either of the parties).

However, the restaurant was processing the personal data of the customer when it took his booking, and their use of that data would be limited to what the customer was told at the time, or what he might reasonably expect. So, unless they had a very odd privacy notice, their permitted processing purposes would not have extended to the naming and shaming of him for failing to turn up. Thus, it would seem to be a breach of at least the both the first and the second data protection principle. Moreover, the rather cavalier approach to customer data wouldn’t make one confident about other aspects of data protection compliance.

I really do sympathise with restaurateurs: one of the alternative approaches to no-shows and late cancellers is punitive cancellation fees but that also has its drawbacks and detractors. However, there are not many areas of commerce where companies would be able to get away with such apparently unfair and unlawful processing of their customer’s personal data: announcing that someone has failed to attend at a certain restaurant potentially indicates quite a bit about the person’s tastes, means and location. It’s a risky thing for a restaurateur to do, especially when, as with the restaurant I saw tweeting earlier today, they haven’t registered their processing with the Information Commissioner’s Office (which, I would emphasise, is a criminal offence).



Leave a comment

Filed under Data Protection, Information Commissioner, privacy notice, social media

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s