In the current environment, it is tempting to let data privacy issues take a back seat to more urgent issues of health and safety. But businesses cannot afford to forget about data privacy compliance, especially in light of the upcoming July 1, 2020 enforcement date of the California Consumer Privacy Act (“CCPA”), which Attorney General Xavier Becerra has said will not be delayed due to COVID-19 issues. Businesses must continue to consider and address privacy compliance issues now and over the next few critical months.
In this article, we discuss how the CCPA impacts franchisee-franchisor relationships, franchise obligations under the CCPA, and potential consequences of non-compliance.
The good news for franchisees and franchisors (and all businesses) is that only the Attorney General may bring a lawsuit against a business for most CCPA violations. The exception to this, of course, is that the CCPA provides a private right of action for consumers affected by a data breach. However, for most CCPA violations, there is no private cause of action and a consumer cannot commence a lawsuit against your company.
The bad news is that even under Attorney General actions, penalties of non-compliance with CCPA are steep. Intentional violations carry a $7500 price tag per violation and unintentional violations are subject to penalties of $2500 per violation. And those violations are calculated on a per consumer basis. When considered in perspective that California’s population exceeds 39 million, even unintentional violations can quickly add up to hundreds of millions of dollars in penalties. Both franchisees and franchisors (under the theory of vicarious liability) may be directly liable for these penalties.
In addition to monetary penalties, as more Americans become cognizant of and value their privacy, any lack of transparency or privacy violations can lead to bad PR, tarnishing the brand image and goodwill associated with the brand. The franchise system depends on a strong brand. Once the brand reputation takes a hit, it is hard to overcome the negative connotations without spending significant resources. Both the franchisor, who has developed the strength of the brand, and the franchisee who is operating under the name of the brand, have much to lose as customers will not distinguish between franchisor-franchisees when punishing a brand.
Thus, the cost-benefit analysis weighs in favor of taking the CCPA seriously and evaluating if compliance is required at the franchisor and franchisee level.
Many franchisees and franchisors may not think they are subject to the CCPA. Franchisors that have no presence and do no direct business in California may believe that they are exempt from complying with the CCPA. Alternatively, franchisees may believe that their franchisor’s compliance with privacy obligations is sufficient to render them compliant. While this may seem to make sense where personal information is generally collected through a corporate website or point of sale system operated by the franchisor, the information is processed by the franchisor and generally used by the franchisor, franchisees are not automatically absolved of having to comply with the CCPA by virtue of their franchise relationships. In fact, some franchisors in their privacy policies explicitly disclaim any liability arising from their franchisee’s collection and use of personal information.
In sum, both franchisors and franchisees must independently evaluate their collection and use of personal information, their corporate relationships, and branding to analyze CCPA compliance.
A franchisor or franchisee must independently comply with the CCPA if they are either: 1) a business as defined in the CCPA or 2) an “entity that controls or is controlled by a business” and “shares common branding with the business.”
A “business” under the CCPA is defined as any legal entity, operated for profit, that (1) collects the personal information of consumers and determines the purposes and means of processing the consumer information, (2) does business in CA, and (3) meets any of the following thresholds: a) has annual gross revenues exceeding twenty-five million ($25,000,000); b) buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or c) derives 50% or more of its annual revenues from selling consumers’ information.
If a franchisor/franchisee does not independently meet the definition of a business, the inquiry then shifts to whether it is an “entity that controls or is controlled by a business” and “shares common branding with the business.” To make this determination, a franchisee should consider: 1) the franchisor’s status as a business, 2) the franchisor’s control over the franchisee, and 3) shared common branding. Similarly, a franchisor should consider: 1) its franchisees’ status as a business, 2) its control over its franchisees, and 3) shared common branding with its franchisees.
Unless your franchise is part of an extremely limited business model, most franchisors will likely meet the twenty-five million revenue threshold and satisfy the above definition of a “business” under CCPA if they are doing any business in California and collecting any personal information of consumers. If the franchisor is a business, the franchisee should next inquire regarding the remaining two factors of control and branding for a franchisee.
While many franchisors who are not directly subject to the CCPA may not need to worry about their franchisees hitting the $25 million revenue trigger for CCPA compliance, it is possible that franchisees may, through website visits or other means, collect information from over 50,000 California consumers, households, or devices per year. If a franchisee is a “business” under the CCPA due to its collection of information in this regard, the franchisor must then look to control and branding to determine its own potential compliance obligations.
“Control” or “controlled” under the CCPA means, “ownership of, the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of directors, or individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.”
Certain aspects of the definition of “control” are relatively clear to evaluate. For example, ownership is apparent based on whether a franchisor jointly owns a franchise with a franchisee. Similarly, whether or not the franchisor has the power to vote can be determined from corporate legal documents.
There is more uncertainty regarding the phrase “the power to exercise a controlling influence over the management.” As written i.e. – the power to exercise – could mean that a franchisor does not have to actually exercise any controlling influence over management, it must only be vested with the power to exercise such influence. There is much ambiguity as to what “controlling influence over the management” means.
Generally, franchisors exert considerable control over their franchisees. For example, standard franchise agreements include provisions defining the franchisee’s sale territory and location, services offered by the franchisee, required training for franchisee employees, strict quality control requirements over the products and services offered by the franchisee, design and décor, and limitations on use of franchisor branding and intellectual property. Franchise agreements often include non-compete clauses restricting the franchisee from competing with the franchisor’s business. Therefore, one can argue that a franchisor has broad control over the management of a franchise and CCPA compliance is warranted by any franchisee under the control of a franchisor that is a business. The practical consequences of such an interpretation of “control” is that any franchise, regardless of its location and size, if collecting California consumer data, is required to comply with the CCPA. So a hotel-franchisee of an international hotel chain in New York City, NY must comply with the CCPA regardless of the number of Californians visiting the franchisee hotel.
On the other hand, one can argue that the franchisor’s control is only exerted initially when the franchise is set up and wanes over time to quality control only. The location, territory, products, and services offered are all one-time decisions. The franchisee maintains control over day-to-day activities such as installing equipment, hiring and managing employees, determining wages, all of which the franchisor has no control over. Thus, there is no ongoing “controlling influence” on the franchisee operations and no CCPA compliance is warranted. The concern over this interpretation of “control” is that a franchisee may never have to comply with the CCPA. This would render the language in the statute pertaining to entities that control or are controlled by a business and share common must comply with the CCPA superfluous. It would also contradict the general spirit of the CCPA that aims to provide transparency and clarity in the collection and use of personal information of California consumers. For example consider a burger franchise in Roseville, CA that collects personal information of CA residents and shares it with the franchisor corporation. The franchisor then uses this information to engage in targeted advertising, sells this information to third parties, and shares the data with its affiliates and partners, etc. The CA consumer in Roseville had no notice or transparency when visiting the franchise about how his/her personal information would be used, sold, or shared by the franchisor. This is exactly the situation the CCPA seeks to remedy.
The CCPA is unchartered territory so ultimately what constitutes “control,” what actions can be categorized as “controlling influence,” and what is “management” are questions that will be resolved by forthcoming enforcement actions. Each franchise circumstance is different and, for now, franchisors and franchisees should evaluate their data collection and use policies and assess “controlling influence” exerted by franchisors over franchisees while making a good faith determination of whether or not to comply with CCPA.
Common branding means a “shared name, servicemark, or trademark.” The essence of a franchisor-franchisee relationship is to enable the franchisee to use the franchisor’s trademark, name, processes, and know-how. The franchisee seeks to benefit from the franchisor’s brand recognition and reputation in the market. As a result, franchisees will almost always share the name and mark of the franchisor and satisfy the common branding requirement.
Because the CCPA applies to companies that control or are controlled by a business AND share common branding with a business if these two elements are met, and either the franchisor or the franchisee is deemed a “business,” both entities are likely subject to CCPA.
The decision of whether or not a given franchisor or franchisee must comply with CCPA and how it can achieve this goal should be evaluated on a case-by-case basis. Depending on the situation, resourceful legal solutions may be successful in navigating CCPA compliances in light of the complexities of franchise relationships. For example, in unique situations, it may be possible for a franchisee to enter into a “service provider” agreement with the franchisor thereby shifting the CCPA obligations on the franchisor. Alternatively, franchisors and franchisees may be able to change their corporate relationships, operations or management functions to avoid getting pulled into CCPA liability when they would not otherwise be covered by the CCPA.
If you are a franchisor, franchisee, parent, subsidiary or other business and are evaluating whether or not you should comply with CCPA or how to comply, contact our Cybersecurity and Data Privacy Attorneys Scott Hall and Foram Dave to determine further obligations. You can also review additional CCPA articles and resources in our CCPA Resource Center.