N.Y. Law Mandating That Delivery Services Share More Customer Data with Restaurants Violates First Amendment

From today's opinion by Judge Analisa Torres (S.D.N.Y.) in Doordash, Inc. v. City of New York:

When a diner orders food from a restaurant using the online platform of a third-party food delivery service …, the restaurant generally receives only the individual's first name, the first initial of her surname, and the order's contents—the minimum information required to fulfill the order. In August 2021, in an effort to support local restaurants that use Delivery Services, … the City of New York … enacted … [t]he Customer Data Law[, which] requires that Delivery Services provide restaurants with a diner's full name, email address, phone number, delivery address, and order contents.

The court concludes that the Customer Data Law compels commercial speech by Delivery Services, and must therefore be judged under the First Amendment intermediate scrutiny applicable to commercial speech regulations (at least ones not aimed at misleading statements):

The government can freely regulate commercial speech that concerns unlawful activity or is misleading. But where, as here, the information does not fall into those two categories, courts apply a balancing test to determine whether a commercial- speech regulation passes intermediate scrutiny. Courts inquire into (1) "whether the asserted governmental interest is substantial," (2) "whether the regulation directly advances the governmental interest asserted," and (3) "whether [the regulation] is not more extensive than is necessary to serve that interest." …

To evaluate whether an interest is substantial, the Court must "evaluate the City's asserted goal in enacting the regulation." "When the [g]overnment defends a regulation on speech as a means to redress past harms or prevent anticipated harms, it must do more than simply posit the existence of the disease sought to be cured." Intermediate scrutiny requires that the state "demonstrate that the harms it recites are real."

Next, the City must demonstrate that "the speech restriction directly and materially advances the asserted governmental interest" and "will in fact alleviate [the harms identified by the City] to a material degree." "[T]he regulation may not be sustained if it provides only ineffective or remote support for the government's purpose."

"The last step of the … test complements the [prior] step, asking whether the speech restriction is not more extensive than necessary to serve the interests that support it." The fit need not be "perfect, but reasonable; that represents not necessarily the single best disposition but one whose scope is in proportion to the interest served." …

The City argues that it has a substantial interest in protecting the restaurant industry—"a critical sector of the New York City economy"—from the "exploitive practices" of Delivery Services. The Customer Data Law seeks to "strike the right balance and equity between those that hold the information and those that supply the goods and services."

Courts have held that "promoting a major industry that contributes to the economic vitality of the [locality] is a substantial government interest." Society has an "interest in maintaining the small businesses necessary for functioning neighborhoods." And, "the Government's interest in eliminating restraints on fair competition is always substantial." But, the City cannot simply "posit the existence of the disease sought to be cured"; it must demonstrate that the harms exist, that the regulation posed addresses those harms, and that the regulation is tailored to those harms.

The City identifies three allegedly "exploitive" practices. First, Delivery Services "limit the ability of restaurants to retain data on their own customers," which hampers restaurants' ability to "reach out to their loyal customers" and "assess menu items' popularity." Second, Delivery Services may use a restaurant's customer data to promote competitor restaurants that pay the services higher fees, or to establish virtual restaurants that sell meals solely on the platform. Third, Delivery Services "list[] false information about a restaurant (for example, listing it as closed), in order to direct traffic to a restaurant paying higher commissions and fees."

The Court shall begin with the latter two practices identified by the City. Although the City has explained why these practices harm restaurants and has established a substantial interest in regulating them, it has not provided evidence that the Customer Data Law will in fact affect the objectionable practices. The City states, "[I]t is undisputed that the [Customer Data] Law does not restrict Plaintiffs' use of customer data (such as using the data to provide delivery or marketing services)." Therefore, Plaintiffs may continue to use customer data to promote competitors. And, the Customer Data Law does not aim at false or misleading statements made by Plaintiffs, even though Central Hudson permits such regulation of commercial speech. The only effect that the Customer Data Law could have on these two practices is to make it more desirable for restaurants, now equipped with data that they could use to target customers, to leave Plaintiffs' platforms. But, even that has a "remote" connection to these practices, because restaurants can leave Plaintiffs' platforms now, and Plaintiffs could continue these practices with whatever restaurants choose not to leave the platforms….

The July 29 Report states that restaurants could use customer data to "offer promo codes, discounts, and new menu items" and "assess the popularity of menu items." But, Plaintiffs currently provide marketing tools—with solicited listings, promotions, and other forms of advertising—that permit restaurants to reach out to the customers who place orders through their platforms. Plaintiffs also provide data analytics that permit restaurants to understand the performance of menu items.

The City's July 29 Report also claims that Plaintiffs' restrictions on data leave restaurants with no records regarding repeat customers. But, the City has failed to show the effect of this practice on the strength of the restaurant industry. According to the City, the practice affects restaurants because "80% of [them] are small and employ less than 20 employees," and they "continue to weather the effects of the COVID-19 pandemic." The City does not explain why the size of the restaurants and the fact that they remain affected by COVID-19 make it more likely that withholding customer data will harm the restaurant industry as a whole. The City does not dispute that Plaintiffs provide restaurants with access to customers and orders that they may not otherwise have. Certain of Plaintiffs' advertising tools permit outreach to individual customers that have previously interacted with the restaurants. And, Plaintiffs—through their Storefront, Webshop, and Grubhub Direct products—provide restaurants with back-end support for building their own websites and owning their customer data. Accordingly, the City's claim that the Delivery Services' practice of withholding data is exploitative is "too speculative to qualify as a substantial state interest." The City may prefer that restaurants have access to customer data, but a mere preference for one industry over another is not a substantial state interest….

Even if the Court were to find that the City has a substantial interest in ensuring that restaurants obtain data about customers who order food, it has not demonstrated that the Customer Data Law is appropriately tailored to this goal…. [T]he Second Circuit has required that the government offer some empirical evidence that there is a "fit" between a speech restriction and the "degree of the harm" it aims to redress. The Customer Data Law mandates that Plaintiffs hand over specific customer data within their possession. Less restrictive alternatives to promote the same goal include requiring Plaintiffs to offer an opt-in program for customers to send their data to restaurants, providing financial incentives to encourage Delivery Services to provide certain customer data to restaurants, and subsidizing the development of online ordering platforms for individual restaurants.

{The City could also enact more targeted regulations to address more specific goals. For example, if the City wanted to ensure that restaurants had a record of repeat customers, the City could seek to regulate how Plaintiffs' platforms integrate external customer loyalty programs. If the City were concerned about the fees that Plaintiffs were charging for advertising on their platforms, it could seek to regulate such fees. And, if the City were concerned about Delivery Services misleading restaurants about who owned the customer data, it could seek to regulate that specific practice.}

The City has not demonstrated that an incentive-based program or more fine-tuned regulation would be ineffective, and compelling Delivery Services to disclose customer data is incommensurate with the identified harm. Because the Customer Data Law regulates commercial speech but fails intermediate scrutiny, it violates the First Amendment….