By: Jeffrey M. Dennis

Data privacy, sometime referred to as the protection of personal information, has developed into one of the most significant challenges facing the franchise industry.  As the number of franchises in the United States continues to increase, franchisees and franchisors are becoming more reliant on customer information to grow and maintain their loyal customer bases.  However, while the need for personal data has grown in the franchise space, a new focus has been placed on the protection of personal information, as well as the rights of individual consumers with respect to how their information is collected and used.  This collision of opposite forces requires the franchise industry to focus on privacy and data security.

Why Should Franchises Care?

Based on the sheer amount of personal information gathered by franchisees and franchisors – such as contact information, payment card records, geolocation information, purchasing tendencies, etc. – the franchise industry has an obligation to both protect this information, as well as provide certain levels of control to individual consumers from whom this information is gathered.

In the United States, five different states – California, Colorado, Connecticut, Utah and Virginia – all have comprehensive privacy laws which are either active, or becoming active, in 2023.  This group will soon be joined by Iowa, which recently passed its own privacy protection laws.  Each of these states place similar, albeit nuanced, requirements on companies of a certain size, or companies which collect a particular amount of consumer information, with respect to consumer privacy protection.

Therefore, any franchise of a given size doing business with residents in any of these states (note that a physical presence of a business is not required in these states) must be aware of the state privacy laws, whether the franchise is subject to the law, and what must be done to comply with these evolving rules and regulations.  Failure to comply with privacy laws may subject a franchisee or franchisor to significant fines and penalties, as well as potential regulatory or legal action.

The California Example

The State of California has been particularly active in leading the nation’s drive towards consumer protection, and this rings true with respect to the protection of personal information.  The amended California Consumer Privacy Act (CCPA), sometimes referred to as the California Privacy Rights Act (CPRA) or Proposition 24, took effect on January 1, 2023 – and introduced new consumer rights, while significantly increasing compliance pressures on companies who do business in California.

The CCPA provides consumers with numerous rights, including the Right to Access, Right to Deletion, Right to Correction, Right to Opt of the Sale or Sharing of Personal information and the Right to Limit the Use and Disclosure of Sensitive Personal Information, as well as others.

For franchises subject to the CCPA, several new burdens have been created under the revised law, including the following:

1. Annual cybersecurity audits
2. Regular risk assessments
3. New contractual language requirements for service providers and contractors
4. Requirements to recognize Global Privacy Controls (GPC)
5. Data minimization

Also troubling is the creation of the California Privacy Protection Agency (the Agency), which has the authority under the CCPA to set wide-ranging regulations under the law, is responsible for education, but most importantly, has shared enforcement authority with the California Attorney General’s office.  In other words, the Agency has a single focus – protecting the privacy rights of California residents.  It is expected that enforcement will become more aggressive, especially in light of the recent Sephora enforcement action, which was brought by the California Attorney General.

If you are a for-profit business that owns property in, has employees in or sells goods or services to California and you have an annual revenue in excess of $25 million, you collect personal information of more than 100,000 California residents, or you derive at least 50% of your annual revenue from the sale of personal information – you will be subject to the amended CCPA.  As such, your company’s privacy obligations are dramatically increasing.

For those who fully-complied with the original CCPA, further work is now required to reach the new levels of compliance requirements.  For those who did not fully-comply with the CCPA, the time is now for crossing the finish line (or starting your compliance journey).

Several factors weigh heavily in favor of compliance:

1. Civil penalties can be assessed up to $7,500 per each intentional violation.  As Sephora knows, these penalties can escalate quickly – Sephora was hit with a $1.2 million fine, in addition to other penalties;
2. Although only the Agency and the California Attorney General can assess these penalties, a private right of action still exists for consumers (or employees) whose data is breached; and
3. Importantly, the 30-day right to cure that existed under the original CCPA is gone – therefore, you will not be given an opportunity to correct your program if it is not in compliance.

Questions to Ask

When faced with privacy regulatory requirements in California, or the other states mentioned above, any franchisee and franchisor must ask a series to questions to determine (1) whether compliance is required, and if so (2) how can the business reach acceptable levels of compliance.

Several questions to ask internally include the following:

1. Do we collect, use, store or share personal information of customers who reside in one of the states with privacy laws?
2. How much personal consumer information is gathered or stored over the course of a year?
3. What type of personal information are we gathering?
4. Do we have a current Privacy Policy in place, which meets the strict transparency requirements of these privacy laws?
5. To which third parties do we share or sell consumer information, and for what purpose?
6. How is personal data protected in our IT system, and where does it reside?
7. Are we prepared to respond to a consumer response in a timely fashion?
8. Have we trained our employees on proper collection, use, storage and protection of personal information?
9. What type of annual audits or assessments are performed on our technical systems?
10. Do we have cyber liability insurance to protect us in the event of a data breach?
11. Have we developed an Incident Response Plan and Business Continuity Plan to define our response to a cyber incident?

Although this list of questions is not comprehensive, an internal dialogue should occur at the highest levels of leadership to ensure that compliance with privacy laws is a top concern.

Actions to Take

A wide variety of actions are required to become fully-compliant with the ever-expanding realm of privacy laws in the United States.  A partial list of these follows:

1. Update your Privacy Policy;
2. Generate required employee disclosures (since some states provide employees with consumer rights);
3. Revise ancillary privacy forms that must accompany your Privacy Policy;
4. Ensure that the required notice and opt-out links are posted on your homepage and that the links activate the necessary processes;
5. Create new contract forms for service providers and contractors;
6. Recognize Global Privacy Controls;
7. Map your data (while not specifically required, this will allow you to property respond to consumer requests);
8. Establish or update your internal workflow for responding to consumer requests; and
9. Train your employees.

Although this is not a comprehensive list, accomplishing these tasks will bring your company much closer to privacy law compliance in the United States.  Also, in your franchise does business internationally, be aware that additional, jurisdiction-specific privacy laws may apply around the world as well.

The franchise industry faces significant risk as it relates to consumer personal information, and the protection thereof.  As the number of privacy laws continues to increase, the burden on franchisees and franchisors will continue to grow.  Rather than waiting for disaster to strike, franchises should proactively focus on developing, or enhancing, their privacy programs.