What data security, protection, and privacy laws, rules, and regulations must an Aplus franchisee comply with?
Aplus Franchise · 2024 FDD
Answer from 2024 FDD Document
Franchisee must comply with all applicable federal, state and local laws, rules, and regulations regarding data security, protection, and privacy, including, without limitation and if applicable, the California Consumer Privacy Act ("CCPA"), Cal. Civ. Code § 1798.100, et seq. Franchisee must comply with any privacy policies, data protection policies, and breach response policies that Franchisor periodically may establish. Franchisee must notify Franchisor immediately regarding any actual or suspected data breach at or in connection with the Franchised Business. Further, whenever and to the extent Franchisee operates as a "Service Provider" under the CCPA or in a similar capacity under any other applicable federal, state, or local privacy law, Franchisee represents, warrants, and covenants that:
- 13.23.1 Franchisee will not sell, make available or otherwise disclose any customer's "Personal Information" (as defined in the CCPA) to any third party for valuable consideration;
- 13.23.2 Franchisee will retain, use, or disclose Personal Information only for the specific purpose of performing the services specified in this Agreement, and not any commercial or noncommercial purpose other than providing the services specified in this Agreement;
- 13.23.3 Franchisee will not retain, use, or disclose Personal Information outside of the direct business relationship between Franchisee and Franchisor;
- 13.23.4 Franchisee will delete any Personal Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law; and
- 13.23.5 Franchisee certifies that it understands and will fully comply with the restrictions of this Section. Franchisee also acknowledges and agrees that Franchisor may modify the restrictions by written notice to Franchisee, including adding other similar privacy restrictions that may be required under other federal, state, or local privacy laws.
Source: Item 23 — RECEIPT (FDD pages 68–302)
What This Means (2024 FDD)
According to Aplus's 2024 Franchise Disclosure Document, franchisees must adhere to all applicable federal, state, and local laws, rules, and regulations concerning data security, protection, and privacy. This includes, but is not limited to, the California Consumer Privacy Act (CCPA). Aplus franchisees must also comply with any privacy policies, data protection policies, and breach response policies that Aplus may periodically establish.
Aplus franchisees are obligated to immediately notify Aplus of any actual or suspected data breaches connected to the franchised business. Furthermore, if a franchisee operates as a "Service Provider" under the CCPA or a similar capacity under other privacy laws, they must not sell or disclose any customer's "Personal Information" to third parties for valuable consideration. They can only retain, use, or disclose Personal Information to perform the services specified in the Franchise Agreement and within the direct business relationship between the franchisee and Aplus.
Additionally, franchisees must delete any Personal Information upon Aplus's request, unless an exception applies under applicable law. Franchisees also acknowledge that Aplus may modify these restrictions with written notice, including adding other privacy restrictions required by federal, state, or local privacy laws. Franchisees must also ensure their computer systems comply with all applicable laws, regulations, and industry standards related to privacy, data security, and the processing and protection of confidential personal information, including the Payment Card Industry Data Security Standards.