Saturday, September 3, 2011

Customer Relationship Management: What Does Your Favorite Restaurant Know About You?

I first heard the buzz about a “customer service” saga I’ll call The Steakhouse and Mr S (goodness knows everyone concerned has had enough publicity) from one of the frequent participants of the Tuesday evening #custserv chat on Twitter, suggesting that we discuss the episode. We didn’t, the main reason being that there already was a topic selected. As the week went on, I started seeing more and more about the episode, and I haven’t stopped thinking about it. But probably not in the way you’re guessing.

“The Steakhouse must have a great CRM system!” I saw on blogs and in tweets more than once. And what stopped me in my tracks was the notion that restaurants are using customer relationship management (CRM) systems to track transactions in a central way. Now, I’m a fairly savvy guy and I’m all for good CRM, and I understand that we give something up to get something back. When I get my little bar code scanned at the local supermarket, I know that what I buy, how often, where, and how much is all being tracked. In return for providing this information, I get some money off my purchase, and I get coupons that can be used on the items I actually buy. I understand the quid pro quo. Likewise any other loyalty programs I belong to.

But here’s where things get interesting: Nowhere in the many aspects of the saga of The Steakhouse and Mr S (that I’ve seen) has there been any indication that Mr S carries any kind of loyalty card, or is a member of some club. Nowhere on The Steakhouse website is there any mention of such a program or card. So, if The Steakhouse had enough information to track Mr S as a frequent customer, where did they get it? And, more importantly, what, exactly, do they do with it?

Let’s back up a bit: When I chose to get a loyalty card from the supermarket, I had a form to fill out. I knew what information I was giving. And on that form was a privacy statement, letting me know what the supermarket chain was stating they would and would not do with that information (albeit as we know from too many breaches of customer data, what’s stated is not always the case). If there’s no “loyalty card” for The Steakhouse, where did the information come from—right down to his Twitter handle? Let’s think.
  • Directly from Mr S – Well, yes. That’s exactly where they got it. Even if this was not a “stunt,” chances are Mr S gave his favorite restaurant his personal information. If not, that leaves the question at hand unanswered. But where did the rest of the restaurants in the chain get it? Did Mr S know they would?
  • From Mr S’s phone number – Really? How? Does the phone number for which I’m sometimes (not always) asked when I make a reservation trigger a process that gives a restaurant chain permission to look me up (“Google” me?) and store information about me? And I still find this an unsatisfactory explanation. Usually I’m asked for a name (“Roy”) and a phone number. Unless your magic CRM allows you to do reverse lookup on mobile numbers and associate them with Twitter handles, this does not wash. 
  • From the unthinkable – Would a restaurant grab personal information from my credit card? (I’m trying very hard not to think about that one.)

OK, so let’s take it for granted that restaurants, at least the chains, are using—or starting to use—some kind of central CRM, and that they are gathering information from somewhere, somehow.

  • Was I notified that information was being collected?
  • Was I notified what information was being collected?
  • Was I notified how it was being collected?
  • Do I have any idea how the information is being used?
  • Do I know who is responsible for maintaining the security of my PII (personally identifiable information)? Do they adhere to NIST guidance?

Honestly, I don’t even know the names of the parent companies that own some of the restaurants I go to, so I would not know who to contact to find out what PII they store and how. Nor do I have the kind of time it would take to chase down that information.

When we sign up for services, there is either a printed notice or a link to a privacy policy that states the answers to these questions. I’ve yet to be asked to read and accept the privacy statement at any restaurant I’ve ever been to, unless I was joining some kind of program (which I have not, in the case of restaurants).

I’ll be going to a couple of restaurants this coming week during some travel. Maybe I’ll use a pseudonym when I call, and then pay in cash. Don't meet me at the airport, thanks.

What’s your reaction?

Give it some thought.