Beyond the plate By Isaac Haizel

By Isaac Haizel

This article explores the hidden world of data collection that accompanies the seemingly simple act of ordering food online in Ghana. It delves into the types of personal information collected by popular food delivery apps, from names and addresses to payment details and location data.

Further, it discusses the connection between the data collected and broader privacy concerns, such as the potential for misuse, unauthorized sharing with third parties, and the risk of fraud.

Finally, the article proposed a way forward through public sensitization on user privacy, empowerment of data regulatory bodies, as well as the moral and ethical obligation of technology companies to prioritize the privacy of their users.

In the bustling streets of Accra, Kumasi, Takoradi and beyond, the sight of a delivery rider, clad in branded gear, has become as common as the trotro. The digital revolution has fundamentally altered how we access goods and services[1], and perhaps nowhere is this more evident than in the food industry.

Today, with a few taps on our smartphones, we can now summon a steaming plate of jollof rice from our favourite local eatery, delivered right to our doorstep. This convenience, however, comes at a cost[2]. A hidden cost that is often overlooked in the race for a quick meal, our personal data.

While this new reality is fascinating, it also comes across at times, as a concerning area of inquiry. The transaction between a food-loving Ghanaian and a delivery app is more than just a commercial exchange.

It is a digital handshake that transfers a wealth of information from the consumer to a technology company or a food vendor. This data trail, or “digital footprint,” is the unseen consequence[3] of our online food orders, and it is imperative that, as a society, we begin to understand its implications for our privacy and our fundamental rights.

The new convenience and a hidden cost

What exactly is being collected when we order that plate of jollof? The list is more extensive than most people realize. It begins with the obvious: your name, phone number, and delivery address.

But it quickly expands to include your payment information, the specific orders you place, the frequency of your orders, and even your location data at the moment you make the request. The app may also have access to your device’s unique identifier, your browsing habits on other sites, and, in some cases, your contacts list or microphone, depending on the permissions you grant.

This data is not just passively collected. It is meticulously analysed to create a detailed profile of your habits, preferences, and even your socioeconomic status. A company can infer a great deal about you from your food choices[4]. Do you order for one or for a family? Do you prefer local dishes or international cuisine? Are your orders consistent or sporadic? This information, when combined with your location data, paints a vivid picture of your daily life, from where you live and work to the places you frequent.

The collection of this data, while seemingly benign, raises a host of legal and ethical questions[5]. The first and most fundamental is that of informed consent. How many of us truly read and understand the lengthy privacy policies of these apps before we click “I agree”?

Are we genuinely aware of the extent to which our data is being collected, processed, and potentially shared with third parties? In most cases, the answer is a resounding “no.”[6]  The legal concept of “consent” requires a free, specific, and informed agreement[7]. In the context of online services, this consent is often a legal fiction, a box to be checked to gain access to a service, rather than a genuine meeting of the minds.

This brings us to the core of the problem. The data being collected is not merely for the purpose of delivering your meal. It is a valuable commodity[8] that is often monetized through targeted advertising[9], market research, or even sold to data brokers[10]. While these practices may be common in the global digital economy, they raise unique concerns within the Ghanaian context. The potential for this data to be used in ways that are detrimental to the consumer. That is, from discriminatory pricing[11] to a breach of personal security[12], is a clear and present danger.

The Legal Landscape and the Data Protection Act

Ghana has been a proactive leader in West Africa in establishing a legal framework for data protection. The Data Protection Act, 2012 (Act 843), and the establishment of the Data Protection Commission (DPC), represent a significant and commendable step towards safeguarding the privacy rights of Ghanaians. Act 843 provides a comprehensive set of principles governing the collection, use, and processing of personal data. These principles include accountability, data minimization, accuracy, and security safeguards.

However, the rapid pace of technological change often outstrips the law’s ability to keep up. While Act 843 provides the theoretical framework, the practical application and enforcement of these principles in the e-commerce sector present a unique set of challenges. How do we ensure that multinational tech companies operating in Ghana are fully compliant with our laws? The DPC, while a crucial institution, faces resource constraints[13] and the challenge of overseeing an ever-expanding digital ecosystem.

One of the key provisions of Act 843 is the requirement for data controllers, in this case, the food delivery companies, to register with the DPC. This registration provides an important layer of oversight and accountability.

However, the reality is that many companies may be non-compliant, or the public is simply unaware of who is registered and who is not. Furthermore, the Act requires data controllers to obtain the express consent of data subjects before processing their personal information. This legal standard is often sidestepped by the use of vague and broad terms of service agreements.

The Act also places a significant burden on data controllers to implement “appropriate security safeguards” to protect personal data from loss, unauthorized access, or misuse. This is where the unseen risks become particularly tangible.

A data breach at a food delivery company could expose sensitive information, including names, addresses, and credit card details, to malicious actors. In a country where digital fraud is a growing concern[14], such a breach could have severe financial and personal consequences for thousands of Ghanaians.

These legal questions are not merely about compliance with Act 843. They are about its sufficiency. Is the current legislation robust enough to handle the complex data-sharing agreements that are the lifeblood of the global tech industry? Are the fines and penalties sufficient to deter non-compliance? These are questions that require a serious and ongoing dialogue between legal experts, regulators, and the tech community.

The Path Forward: A Call for Digital Literacy and Corporate Responsibility

The solution to this complex problem is not to retreat from the digital age but to navigate it with a greater sense of awareness and caution. The responsibility for protecting our data lies not just with the government and the tech companies but also with us, the consumers[15].

Firstly, a major public education campaign on digital privacy is long overdue. We need to move beyond the technical jargon and explain, in plain language, what our digital footprint is and why it matters. This education should start in our schools, where we can teach the next generation how to be responsible digital citizens. For adults, community workshops, media campaigns, and public service announcements can help raise awareness about the importance of reading privacy policies, using strong passwords, and being mindful of the permissions we grant to apps.

Secondly, regulatory bodies like the Data Protection Commission must be empowered with the resources and authority to enforce the law effectively. This includes conducting regular audits of e-commerce platforms, imposing meaningful penalties for non-compliance, and working with international partners to hold global tech companies accountable.

Finally, and perhaps most importantly, the tech companies themselves have a moral and ethical obligation to prioritize the privacy of their users[16]. This means moving away from the “collect everything” model and embracing a “data minimization” approach, where they only collect the information that is strictly necessary for their services. It means providing clear, concise, and understandable privacy policies. And it means investing in state-of-the-art security systems to protect the data entrusted to them.

Conclusion

The era of online food delivery has brought us convenience, but it has also brought us to a crossroads. The choice before us is clear. Do we continue to sacrifice our privacy for a quick meal, or do we demand a digital ecosystem that respects and protects our fundamental rights? The unseen data trail of our jollof rice orders is more than just a footnote. It is a powerful reminder that in the digital age, our privacy is not an abstract concept, but rather the very currency of our freedom[17].

It is high time we began to treat it as such. Our collective response to this challenge requires a multi-faceted approach, including greater digital literacy among the public, to become active guardians of their own data; Empowerment of regulatory bodies, like the Data Protection Commission, to effectively enforce the laws and hold technology companies accountable; and a moral and ethical obligation on technology and for that matter food vending and delivery companies to move beyond a “collect everything” mentality and embrace a model of data minimization and corporate responsibility. In a world where every tap and click leaves a trace, our personal data serves as the very essence of our digital identity.

End Notes

[1] Maheswari, K. I., & Gorda, A. A. N. O. S. (2019). Consumer behavior in the era of industrial revolution 4. 0. Russian Journal of Agricultural and Socio-Economic Sciences, 94(10), 152–157. https://doi.org/10.18551/rjoas.2019-10.20

[2] Whittaker, Z. (2019, September 26). DoorDash confirms data breach affected 4.9 million customers, workers and merchants. TechCrunch. https://techcrunch.com/2019/09/26/doordash-data-breach/

[3] Stanley, N. O., Jay. (2021, July 27). Diners beware: That meal may cost you your privacy and security | aclu. American Civil Liberties Union. https://www.aclu.org/news/privacy-technology/diners-beware-that-meal-may-cost-you-your-privacy-and-security

[4] Narang, U., & Luco, F. (2025). Privacy and prediction: How useful are geo- tracking data for predicting consumer visits? https://doi.org/10.21203/rs.3.rs-6226750/v1

[5] Wang, J. L., & Loui, M. C. (2009). Privacy and ethical issues in location-based tracking systems. 2009 IEEE International Symposium on Technology and Society, 1–4. https://doi.org/10.1109/ISTAS.2009.5155910

[6] Golbeck, J., & Mauriello, M. (2016). User perception of facebook app data access: A comparison of methods and privacy concerns. Future Internet, 8(2), 9. https://doi.org/10.3390/fi8020009

[7] Solove, D. J. (2023). Murky consent: An approach to the fictions of consent in privacy law. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4333743

[8] The world’s most valuable resource is no longer oil, but data. (n.d.). The Economist. Retrieved August 27, 2025, from https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

[9] Olivo, L. (2020, September 30). What is data monetization and how does it use personal data? | humanID. https://human-id.org/blog/what-is-data-monetization/

[10] Faryad, A. (2024, November 10). 25 companies selling your personal data. Under30CEO. https://www.under30ceo.com/25-companies-selling-your-personal-data/

[11] Ma, A. (2025, August 10). Businesses can use your online data to overcharge you. What can customers do? NPR. https://www.npr.org/2025/08/10/nx-s1-5494712/businesses-can-use-your-online-data-to-overcharge-you-what-can-customers-do

[12] Kaplan, C. (2023, March 22). Sensitive data compromised in breach for 1 million customers using food delivery service. HALOCK. https://www.halock.com/sensitive-data-compromised-in-breach-for-1-million-customers-using-food-delivery-service/

[13] Adjei, D. N. (2025). An Article on Ghana’s Data Protection Act.  https://www.researchgate.net/publication/390362369_An_Article_on_Ghana’s_Data_Protection_Act

[14] Cyber fraud on the rampage. (n.d.). West Africa RTC. Retrieved August 27, 2025, from https://westafrica.ilea.state.gov/cyber-fraud-b4a0b

[15] Who’s most responsible for your data privacy protection? Government? Companies? You? (2025, August 27). TechCrunch. https://techcrunch.com/sponsor/nortonlifelock/whos-most-responsible-for-your-data-privacy-protection-government-companies-you/

[16] Privacy laws & ethical tech practices: A modern business imperative. (2024, January 31). https://www.neumetric.com/privacy-laws-ethical-tech-practices/

[17] McFarland, M. (2012, June 1). Why we care about privacy. Santa Clara University. https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/why-we-care-about-privacy/

The post Beyond the plate By Isaac Haizel appeared first on The Business & Financial Times.

Read Full Story