California passed a landmark privacy law, the CCPA, that took effect in 2020. Among other things, it explicitly applies to companies that meet certain size thresholds and that collect or process the personal information of California residents. The CCPA also provided that certain jointly-controlled companies that share common branding could be required to comply with the CCPA.
Starting 1/1/2023, the CCPA will undergo significant updates (collectively, “CPRA”). Although the CPRA will make certain compliance obligations more onerous, it has created some breathing room regarding which businesses it covers. Franchisors especially may wish to review their franchisee relationships to see if they meet any of the various tests to be considered regulated “businesses” for California privacy purposes. If they could be considered “businesses,” they may have privacy obligations to consumers and other individuals. Non-compliance can create significant financial exposure.
WHAT IS A REGULATED BUSINESS?
There are three tests under the CCPA that could qualify franchisors and/or their franchisees as a regulated business subject to California’s privacy laws:
- The entity makes more than $25 million annually in revenue (not just revenue attributable to California); or
- The entity collects or processes personal information from more than 100,000 consumers or households annually; or
- An entity is under the “control” (see more below) of a regulated business; and the two entities share common branding “such that the average consumer would understand” that they are commonly owned; and the regulated business shares personal information about consumers with the other entity.
These conditions are obviously very fact-sensitive and may require discussion with your legal advisor. So far the California Attorney General has not provided specific guidance on how these conditions relate to the franchisor/franchisee relationship. For example, it is not clear whether the revenues (or number of consumers) of all franchisees and a franchisor would be considered jointly in determining whether any of the entities is a covered “business.” In addition, the definition of “control” is potentially broad enough to cover franchisors unwittingly: it defines common control by ownership, voting power, or “the power to exercise a controlling influence over the management of a company.” That last condition is new to the CPRA and is potentially very broad.
The upshot of these factual questions is that whether a franchise system or a franchisor qualifies as a “business” will be determined by the specific facts of the franchisor/franchisee relationship, the revenues, the number of affected consumers, and the data practices in question. Any franchisor that shares consumer data with franchisees, and any franchisor whose system-wide revenues or data collection exceed the above thresholds, should be especially attentive to its data practices if it does business in California.
COMPLIANCE REQUIREMENTS; PENALTIES FOR NONCOMPLIANCE
Any “business” that is subject to the CCPA/CPRA must do all of the following, among other things:
- Provide explicit privacy notices to California residents that break down the company’s collection and use of personal information and explain how the company shares that data with any third parties;
- Be clear about how long the company retains personal data;
- Offer consumers the right to access their data;
- Offer consumers the right to opt out of certain processing of their data; and
- Not discriminate against consumers who exercise their rights in California.
Being able to comply with all those requirements means having a good internal command of what data the company collects, how it uses it and shares it, and how the company’s systems store and retain it. Furthermore, the non-discrimination provision can have implications for loyalty programs and other similar programs that are not structured to comply with the new laws.
Violations of the law can result in regulatory investigation and significant fines ($2,500 to $7,500 per incident); data breaches can result in lawsuits filed directly by the consumer. At least four other states are enacting similar privacy laws in 2023 as well, and each of those will carry similar obligations and penalties.
One final note: although the CCPA applied primarily to consumer data, the CPRA will also cover employee, contractor, and B2B contact data. This means that covered businesses should plan to review HR systems (payroll, benefits, time-keeping, fleet management, and other) and the company’s email, word processing, and other information management systems to determine whether there is any employee data that could be subject to similar compliance obligations.