Hospitality and artificial intelligence:
a legal tip for the restaurant of the future
Artificial intelligence (AI) has found its way into the hospitality industry. Although robots and hospitality don’t necessarily seem like a good fit – think, for instance, of the robot sommelier who gives brilliant wine recommendations, but does so in a Google Translate voice, or the drone that comes flying in over people’s heads with cappuccinos and slices of cake – the emergence of AI chatbots and software is proving to be an opportunity for hospitality entrepreneurs to optimise their operations. Experts in the field point out the numerous possibilities: stock will be sourced more efficiently, a chatbot will be ready 24/7 to guide guests on your website and the menu will be aligned with the latest food trends that AI will identify for the hospitality entrepreneur. But could AI also be allowed to personalise this menu? An interactive hospitality concept, with an AI menu rewriting itself as a “living document” based on information about the guests, still sounds futuristic to many, but is becoming a reality. To what extent are hospitality entrepreneurs actually free to record allergies, dietary restrictions, preferences and needs so that repeat customers are presented with a customised menu? In line with this AI theme, this blog covers some legal aspects of AI menus.
In a nutshell, personalising menus by collecting personal data, for instance about allergies, would in any event be contrary to the General Data Protection Regulation (GDPR) if no explicit consent is given. To be able to use an AI menu that takes allergies or intolerances into account, as a hospitality entrepreneur you would need to make sure you have covered aspects such as the following.
Explicit consent: the collection, storage and processing of special personal data is allowed in only a few cases (set out in the law). One of these cases is when you have the explicit consent of the individual customer. This consent must be specific, informed and given voluntarily. This amounts to, for example, the customer concerned ticking a box next to the wording of the consent, with the customer knowing which data will be processed and that they have the right to withdraw that consent.
Privacy statement: the hospitality entrepreneur must publish a privacy statement to explain its privacy policy to customers. This is important given the duty to provide information that arises: customers need to know what happens to their personal data.
Retention period, security and data minimisation: the hospitality entrepreneur should ensure that no more personal data are processed than is necessary and that personal data are not stored indefinitely. The principle under the GDPR is that personal data are to be deleted as soon as they are no longer needed. Since this is difficult to specify for an AI menu, a certain period of time after which the personal data are deleted could be considered. Another obvious point, of course, is that the records should be properly secured and that you should have a data processing agreement with any party to whom the data processing may be outsourced. Finally, the hospitality entrepreneur must consider the customers’ rights: personal data may in fact always be deleted, retrieved, or changed.
By bearing the foregoing in mind, the hospitality entrepreneur is, as a last point, also protected against the oddities that can arise with artificial intelligence. A well-known example is an extraordinary conversation between a chatbot and a New York Times journalist (NY Times 16 Feb 2023) when the chatbot fell in love with the journalist and tried to convince him that he should actually leave his wife for the chatbot. Of course, these kinds of oddities only show that AI has huge potential, something we will also start to see within the hospitality industry.
Lees deze blog in het Nederlands hier.