In the current environment, it is tempting to let data privacy issues take a back seat to more urgent issues of health and safety. But businesses cannot afford to forget about data privacy compliance, especially in light of the upcoming July 1, 2020 enforcement date of the California Consumer Privacy Act (“CCPA”), which Attorney General Xavier Becerra has said will not be delayed due to COVID-19 issues. Businesses must continue to consider and address privacy compliance issues now and over the next few critical months.
In this article, we discuss how the CCPA impacts franchisee-franchisor relationships, franchise obligations under the CCPA, and potential consequences of non-compliance.
CCPA Penalties: Good News, Bad News, And Brand Reputation
The good news for franchisees and franchisors (and all businesses) is that only the Attorney General may bring a lawsuit against a business for most CCPA violations. The exception to this, of course, is that the CCPA provides a private right of action for consumers affected by a data breach. However, for most CCPA violations, there is no private cause of action and a consumer cannot commence a lawsuit against your company.
The bad news is that even under Attorney General actions, penalties for non-compliance with the CCPA are steep. Intentional violations carry a $7500 price tag per violation and unintentional violations are subject to penalties of $2500 per violation. And those violations are calculated on a per-consumer basis. Given that California’s population exceeds 39 million, even unintentional violations can quickly add up to hundreds of millions of dollars in penalties. Both franchisees and franchisors (under the theory of vicarious liability) may be directly liable for these penalties.
In addition to monetary penalties, as more Americans become cognizant of and value their privacy, any lack of transparency or privacy violations can lead to bad PR, tarnishing the brand image and goodwill associated with the brand. The franchise system depends on a strong brand. Once the brand reputation takes a hit, it is hard to overcome the negative connotations without spending significant resources. Both the franchisor, who has developed the strength of the brand, and the franchisee, who is operating under the name of the brand, have much to lose, as customers will not distinguish between franchisor and franchisee when punishing a brand.
Thus, the cost-benefit analysis weighs in favor of taking the CCPA seriously and evaluating if compliance is required at the franchisor and franchisee level.
Evaluating Whether CCPA Compliance is Required
Many franchisees and franchisors may not think they are subject to the CCPA. Franchisors that have no presence and do no direct business in California may believe that they are exempt from complying with the CCPA. Alternatively, franchisees may believe that their franchisor’s compliance with privacy obligations is sufficient to render them compliant. This may seem to make sense where personal information is generally collected through a corporate website or point-of-sale system operated by the franchisor, and the information is processed and generally used by the franchisor. However, franchisees are not automatically absolved of having to comply with the CCPA by virtue of their franchise relationships. In fact, some franchisors in their privacy policies explicitly disclaim any liability arising from their franchisees’ collection and use of personal information.
In sum, both franchisors and franchisees must independently evaluate their collection and use of personal information, their corporate relationships, and branding to analyze CCPA compliance.
A franchisor or franchisee must independently comply with the CCPA if they are either: 1) a business as defined in the CCPA or 2) an “entity that controls or is controlled by a business” and “shares common branding with the business.”