Understanding an Online Privacy Notice on Food and Market Websites: What Data May Be Collected and What Choices Visitors Have

Why a privacy notice matters when you’re browsing food and market content
When you visit a website focused on dining ideas, market information, or food-related content, your attention is usually on practical questions: what to cook, where to eat, or how to plan a visit. At the same time, many websites collect and process information in the background so they can function properly, measure performance, and communicate with visitors.
An Online Privacy Notice is the document that lays out these practices in an organized way. It typically explains what personal data may be collected, how it may be used, who may receive it, and what rights or choices you may have depending on where you live. The notice summarized here applies to personal data collected on two related sites and also addresses a separate scenario: in-person Wi‑Fi access at a market location.
The goal of this guide is to translate the notice into plain language while staying aligned with what the notice itself states. It is not legal advice, but it can help you understand the kinds of information a food and market website may handle and what options the notice says are available to you.
Who is responsible for your data: understanding the “data controller”
A key concept in the notice is the “data controller,” meaning the organization responsible for processing personal information collected through the site. The notice emphasizes that the identity of the data controller depends on your location. It lists multiple entities that can act as controllers, tied to different territories.
The notice also highlights two situations that can change who controls your data:
- Third-party franchisees in some territories: In certain territories, third-party franchisees run the sites and are the data controllers. The notice says details are provided in a table at the end of the notice, and visitors should consult the relevant franchisee privacy notice(s) and contact the franchisee directly for more information.
- Third-party operators for some market locations: In some territories, one organization runs the site and is the controller for site-related processing, but a third party operates the market in that territory (described as an “Operator”). That Operator is described as the data controller for certain activities relating to the applicable market location. These parties are also listed in a table at the end of the notice, with guidance to consult their privacy notice(s) and contact them directly.
The notice also asks visitors to review the Conditions of Use, which govern visits to the site and are described as containing important limitations.
What you may provide directly: personal data submitted through forms
The notice states that personal data may be collected when you choose to provide it through the site. Examples of the types of information that may be collected include your first and last name, physical address, e-mail address, and telephone number. This is framed as information you provide when interacting with the site.
Not every page or form collects the same information. The notice says each form varies in what it requires and collects, and that an asterisk (*) typically indicates required fields. You may also choose to provide additional information in fields that are not required.
If you receive direct marketing communications and later decide you no longer want them, the notice provides two ways to stop them: using an unsubscribe link in the footer of every email, or emailing the privacy address listed in the notice.
What may be collected automatically: cookies, tokens, logs, and beacons
Beyond what you type into a form, the notice describes information that may be collected by automated means. It lists several technologies used for this purpose, including cookies, non-cookie-based tokens, web server logs, tracking pixels, and web beacons.
- Cookies: Cookies are described as files that websites send to your computer or other internet-connected device. They can uniquely identify your browser or store information or settings in your browser. The notice explains that your browser may tell you when you receive certain types of cookies and how to restrict or disable them. It also warns that without cookies you may not be able to use all features of the site, and may not be able to purchase products that rely on a “shopping cart.”
- Non-cookie-based tokens: These are described as encoded URL-based identifiers. The notice gives examples such as tracking e-mail click-through activity or providing time-sensitive password reset keys. It also states they can work even when cookies are disabled or when a session has not been initiated.
- Web server logs and interaction data: The notice says web servers may log information such as operating system type, browser type, domain and system settings, system language, and the country and time zone where your device is located. Logs may also record the referring page address, the IP address used to connect to the internet, and information about how you interact with the site (for example, which pages you visit).
- Web beacons: The notice describes web beacons as small files that link web pages to particular web servers and their cookies. It says these tags may be used to control which web servers collect information.
The notice also states that information from your browser—such as browsing history—may be collected and used together with data gathered from forms and emails to help understand and respond to your needs.
Anonymised data vs. personal data, and the role of “legitimate interest”
The notice draws a line between information that is completely anonymised and information that is personal data. Where information gathered is completely anonymised, the notice states it will not constitute personal data.
Where personal data is not anonymous, the notice describes the legal basis for certain processing activities as legitimate interest. It frames this as an interest in continually evaluating personal data while operating and improving the business, ensuring products and services are relevant to the market, and doing so in a way that is not overridden by your interests, rights, and freedoms. The notice also notes that some processing may be necessary to protect, exercise, or defend legal rights, or to comply with laws that apply.
Social media widgets: what they may collect
The notice states that the site includes social media functions such as widgets from Google, Twitter, and Facebook. According to the notice, these widgets may collect information about which pages you visit and the IP address of the device you use to connect to the internet. The widgets may also set a cookie to ensure the features function properly.
These social media functions may be hosted by a third party or hosted directly on the site. The notice says your interactions with these features are governed by the privacy policies of the companies that provide them, and it suggests reviewing those policies if you use the features.
Data from third parties: what the notice says may happen
Where permitted by law, the notice states personal data may be acquired from third parties. Examples listed include personal data shared between affiliated entities and business partners, publicly available profile information on third-party social media sites (such as preferences and interests), and marketing lists acquired from third-party marketing agencies.
The notice also adds that personal data may be collected in other contexts and that you will be notified at the time if that occurs.
In-person Wi‑Fi at a market location: email collection and marketing messages
The notice includes a specific example related to an in-person visit. When you log on to Wi‑Fi at a market location, you may be asked to provide your email address to access the service. The notice states that this email address may be used to send details of events and information that may be of interest to you.
It also indicates that this may be done with your consent or based on legitimate interest where allowed under applicable laws.
How personal data may be used: practical purposes listed in the notice
The notice describes multiple purposes for using personal data. It also notes that the website/app uses one or more Google services and may gather and store information including, but not limited to, visit or usage behavior. The notice says visitors may be able to grant or deny consent to Google and its third-party tags for specified purposes.
Examples of how personal data may be used include:
- Responding to inquiries: contacting you about your request, asking a question, and providing announcements about products and future events.
- Surveys and service improvement: conducting surveys and contacting you for other reasons related to offering and improving services.
- Processing purchases: processing purchases made on the site, where collection is described as necessary to enter into a contract.
- Fraud prevention and compliance: protecting against and preventing fraud, claims, and other liabilities, and complying with or enforcing legal requirements, industry standards, and policies and terms.
- Customization and site enhancement: customizing and enhancing visits, facilitating site use, collecting statistics about visits, and understanding browsing behavior.
- Technical operations: diagnosing technical and service problems, administering the site, and identifying visitors to the site.
- Clickstream analysis: using clickstream data to understand time spent on pages, navigation patterns, and how the site may be tailored to visitor needs.
Analytics and advertising tools: Google Analytics and opt-out options
The notice states that third-party web analytics services are used, including Google Analytics. It explains that service providers administering these services may use cookies and web beacons to analyze how users use the site. The information collected (including IP address) is available to those service providers, which use it to evaluate site usage.
The notice includes an opt-out link for Google Analytics. It also references an industry opt-out page for controlling the collection and use of web viewing data for interest-based advertising and other applicable uses by some or all participating companies. For more detail on cookies used and how to control cookie settings on the site, the notice points readers to a Cookie Policy.
LiveRamp: hashed email sharing and an advertising identifier
The notice describes a scenario involving LiveRamp. When you use the website and enter your email address (for example, to log in or sign up for a newsletter), the notice states that information collected from you—such as your email (in hashed, pseudonymous form), IP address, or information about your browser or operating system—may be shared with LiveRamp and its group companies. It adds that certain parties may act as “joint controllers” as applicable under the GDPR.
According to the notice, LiveRamp uses this information to create an online identification code that may be stored in a first-party cookie for use in online, in-app, and cross-channel advertising. The notice states this code may be shared with advertising companies to enable interest-based and targeted advertising.
The notice also states that the code does not contain directly identifiable personal data and will not be used by LiveRamp to re-identify you. It references LiveRamp’s privacy policy and provides an opt-out link.
An optional ad-free, tracking-free subscription: how contentpass is described
The notice describes an optional service called contentpass that provides ad-free and tracking-free access to the website. It states that the service is provided by Content Pass GmbH, and that if you subscribe, your contract is directly with contentpass.
To show the contentpass option when you visit the site, the notice states that contentpass is asked to process your IP address at the start of your visit. It specifies that this is the only information shared with contentpass for that purpose, and that the site remains responsible for this IP address processing.
If you sign up, contentpass is described as the data controller for all data needed to register, manage, and deliver the subscription, with a reference to contentpass’s privacy policy for details. The notice states that the legal basis for processing the IP address in this context is legitimate interest in offering an ad-free and tracking-free version of the site and helping meet a legal obligation to obtain valid consent where required.
When personal data may be shared: recipients and business scenarios
The notice states that personal data is not sold or otherwise disclosed except as described. It then outlines the categories of recipients and circumstances in which sharing may occur:
- Group companies: personal data may be shared with other companies in the same group, with a table listing details including countries.
- Service providers: personal data may be shared with service providers performing services on behalf of the site, such as payment service providers, analytics providers, hosting providers, and advisers. The notice states service providers are bound by legally binding agreements requiring them to use or disclose personal data only as necessary to perform services or comply with legal requirements.
- Legal and safety reasons: personal data may be disclosed if required or permitted by law or legal process (including court orders or law enforcement requests), when disclosure is believed necessary to prevent physical harm or financial loss, in connection with investigations of suspected or actual fraud or illegal activity, and in connection with the sale or transfer of all or part of the business or assets (including reorganization, dissolution, or liquidation).
International transfers: what the notice says about cross-border data flows
The notice states that personal data may be transferred to recipients in countries other than the country where it was originally collected, and that those countries may not have the same data protection laws. When transfers occur (including to the U.S.), the notice states the data will be protected as described in the notice.
For individuals located in the EEA or Switzerland, the notice states that applicable legal requirements for adequate protection for transfers outside the EEA and Switzerland will be followed. It also notes that you may request a copy of the safeguards in place by contacting the organization as described in the “How To Contact Us” section.
How long information may be kept: retention in general terms
The notice explains that retention depends on the purpose for which personal data was collected. In general, it states personal data is kept as long as necessary to fulfill the purposes for which it was collected, then deleted unless there is a legal requirement to retain it or it must be retained to comply with legal obligations (including tax and accounting purposes). It also states that, subject to applicable legal requirements, personal data is typically retained according to the practices described in the notice.
Rights and choices can vary by location
The notice makes clear that your rights and options can vary depending on where you are located. It includes several region-specific sections that outline additional rights and processes.
EEA and Switzerland: rights and complaints
If you are located in the EEA or Switzerland, the notice states you may have rights in relation to personal data held about you. It indicates you can contact the organization by email or as described in the “How to Contact Us” section to exercise those rights. It also states you have the right to lodge a complaint with the data protection supervisory authority in your country.
California: CCPA disclosures, deletion requests, and “Do Not Sell”
The notice includes a dedicated section for California residents under the California Consumer Privacy Act (CCPA). It states that the CCPA provides additional rights to know, delete, and opt out, and requires businesses to provide notices and means to exercise those rights.
It lists categories of personal information collected in the past 12 months as described by the CCPA and explains that information may be obtained directly from you (for example, from forms you complete or products and services you purchase) or indirectly (for example, by observing actions on the website). It also states that personal information may be disclosed to certain third parties for a business purpose, with contracts requiring confidentiality and limiting use to performing the contract.
The notice states it does not generally sell personal information as the term is traditionally understood. However, it adds that to the extent advertising technology activities (including programmatic advertising) are considered a sale under the CCPA, categories of personal information may have been sold in the preceding 12 months to business partners such as programmatic advertisers and data aggregators. It states an option appears when you click “Do Not Sell My Information,” which restricts data from being sold. It also states the personal information of minors known to be under 16 is not sold without affirmative authorization.
For California residents, the notice describes the right to request deletion and the right to know certain information about data practices in the preceding 12 months. To exercise these rights, the notice provides a request link and an email address, and it explains that you must specify which right you are exercising and provide proof of California residency and identity.
The notice outlines identity verification steps, response timelines (endeavoring to respond within 45 days, with a possible extension), and circumstances under which requests may be denied. It also states that certain sensitive information will not be disclosed even if collected, including Social Security number, driver’s license number, certain financial account numbers, and account passwords or security questions and answers.
The notice also describes the right to opt out of the sale of personal information and indicates requests can be made via “Do Not Sell My Information” or by email. It notes requests may be submitted through a designated agent with appropriate documentation. Finally, it states visitors will not be discriminated against for exercising CCPA rights, while also noting that certain financial incentives (such as discounts or deals for newsletter sign-up) may be offered under the CCPA with terms and opt-in consent, which can be revoked.
California’s “Shine the Light” law is also addressed, describing a process for requesting details about certain information sharing for direct marketing purposes, including what to include in the request and where to send it.
Nevada: an opt-out right for certain sales of personal data
The notice states that Nevada residents have the right to opt out of the sale of certain personal data to third parties who intend to license or sell that personal data. It provides instructions to exercise this right by email with a specific subject line and required identifying details.
Updates and how to contact the organization
The notice states it may be updated periodically and without prior notice to reflect changes in personal data practices or relevant laws. Updated versions will be posted, and the notice indicates it will show when it was most recently updated.
For questions, comments, or requests related to how personal data is collected, used, or disclosed—or to update information or preferences—the notice provides contact options by email and postal mail addresses for customer care and data protection officer contacts. It also notes that for European citizens, a nominated representative for EU personal data can be contacted via the same privacy email address.
Key takeaways for everyday visitors
- Expect a mix of information you provide (such as contact details) and information collected automatically (such as IP address, device details, and browsing interactions) to be processed to run and improve the site.
- If you connect to on-site Wi‑Fi, you may be asked for an email address, and it may be used to send event details and other information of interest, depending on consent or legitimate interest where allowed.
- Advertising and analytics tools may be used, including Google Analytics, and the notice provides opt-out resources and points to cookie controls.
- If you want fewer ads and less tracking, an optional subscription service is described as providing ad-free and tracking-free access, with specific data-handling roles explained.
- Your rights and options can vary by location, with specific sections addressing EEA/Switzerland rights and California and Nevada privacy rights.
For visitors who mainly come for recipes, market updates, or dining inspiration, privacy notices can feel distant from the experience. But they are also the clearest place to learn what information may be collected, how it may be used, and what controls the website says it offers—especially when features like shopping carts, newsletters, social widgets, analytics, and on-site Wi‑Fi are part of the broader food and market ecosystem.
