Collecting and Using Data Can Expose Franchisors and Franchisees to Potential Risk
The franchise industry in the U.S. grew to over 750,000 establishments in 2022. As a necessary part of operating a business in today’s digital age, franchisees and franchisors collect contact information, purchasing/browsing behaviors, location information, and other vital customer data to fuel advertising and growth activities for the franchise system.
However, collecting and using this data can expose franchisors and franchisees to potential risk, specifically in California, Colorado, Connecticut, Utah, and Virginia. Modeled after Europe’s General Data Protection Regulation (GDPR) and California’s original Consumer Privacy Act (CCPA), new data privacy statutes in these states place significant obligations on businesses that collect and use consumers’ personal information. Violators may face civil penalties or fines ranging from $2,500 to $20,000 per violation. California also provides a private right of action for individuals to sue for damages based on an alleged violation.
Compliance Protocols for Personal Information
Personal information is broadly defined to include names, contact information, location/device information, browsing history/cookies, behavioral advertising data, and other information that can be reasonably used to identify an individual.
Because franchisors and franchisees rely so heavily on customers’ personal data, it is critical to understand who is responsible for compliance and to establish compliance protocols that minimize potential liability for both parties. Given the statutes’ broad reach to certain out-of-state companies, many franchisors may be required to comply in multiple states, even if they have no physical presence there other than individual franchise locations. With similar legislation in process in other states, it is important for franchise systems to make changes proactively to comply with these laws.
Broad Statutory Reach
The Colorado, Connecticut, Utah, and Virginia statutes generally apply to businesses that:
- Conduct business, produce products, or provide services within the state that target the state’s residents, and
- Control or process data on 100,000 or more state residents, or on 25,000 or more state residents while deriving a certain threshold of revenue from selling personal data.
The Utah and California statutes additionally apply to businesses with more than $25 million in gross total annual revenue. California additionally mandates compliance for personal data collected in the employment and business-to-business contexts. Businesses that have employees working in California (either onsite or remotely) or contracts with California businesses related to processing personal data must comply regardless of the number of individuals affected.
Potential Impact to Franchise Systems
In a franchise system, most consumer data is typically collected by a tool or platform, such as a website or mobile application, that is controlled by the franchisor to ensure the customer has a uniform brand experience and to centralize data collection and sharing for efficiency. The franchisor then uses and shares the data with franchisees and others for the benefit of the entire franchise system. Franchisees are also often required by their franchisor to collect information for the franchisor’s use, in addition to data the franchisee collects on their own.
Data privacy violations can negatively impact the public perception of the entire brand, regardless of whether the responsible party was the franchisor or an individual franchisee.
Additionally, franchisors must balance their obligation to provide adequate support to franchisees with potential vicarious liability claims. Therefore, both have an interest in ensuring that the other is collecting and using data in a compliant manner.
Franchise Compliance Obligations
While varying from state to state, franchise systems must generally:
- Honor a consumer’s statutory rights to:
  • Access their personal data collected.
  • Obtain a portable copy of their personal data collected.
  • Correct any inaccuracies with the personal data already collected.
  • Delete their personal data from the business’s records.
  • Opt out of the sale/sharing of their personal data to third parties or use for targeted advertising via “Global Privacy Control” or similar browser settings.
This means establishing what is known as a Data Subject Access Request protocol that facilitates consumer requests consistent with their rights and ensures that the franchise system responds to those requests in a timely manner and in accordance with statutory requirements.
3. Obtain opt-in consent before collecting “sensitive data” such as biometric and geolocation data, race/origin, genetics, citizenship/immigration status, sexual orientation, mental or physical health, or religious beliefs, and data on children under the age of 13.
4. Maintain reasonable data security practices and policies to protect personal data that is collected and stored in-house.
5. Maintain contractual obligations with third parties by ensuring that all third-party contracts contain appropriate provisions for processing personal data.
Franchise systems should then review and update their website privacy policies and notices, internal IT policies and procedures, and contracts with third parties who collect and/or process data on the system’s behalf for compliance. Those with California employees should also include written disclosures to employees about how their personal data is handled.
Franchisors should carefully evaluate their Franchise Disclosure Documents and Franchise Agreements to ensure adequate disclosures and provisions around each party’s compliance obligations. Likewise, franchisees should not rely solely on the franchisor for compliance. They must educate themselves on the franchisor’s data practices and establish their own internal compliance processes based on the state(s) in which the franchisee collects personal information.
While there have already been many significant changes in data privacy regulations, many more are likely to come. With breaches becoming more common and cyber criminals becoming craftier, it is crucial for franchise systems to remain vigilant and ahead of the curve in their data collection practices.
About the Author
Ashley Weis is an associate with Eastman & Smith, Ltd. in Toledo, Ohio, practicing in franchise and business law, and former in-house counsel to a national franchisor.