Is the Bath Tune Up franchisee required to comply with both state and federal Privacy Laws?
Bath Tune Up Franchise · 2025 FDD
Answer from 2025 FDD Document
Privacy Information includes but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license or state identification card number, passport number, signature, physical characteristics or description, telephone number, insurance policy number, bank account number, credit card number, debit card number or any other financial information, medical information or health insurance information; characteristics of protected classifications under state or federal law; commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; biometric information; Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement; geolocation data; audio or electronic information; professional or employment-related information; education information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 USC § 1232g; 34 CFR Part 99); and inferences drawn from any of the information identified in this subsection to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. "Personal Information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records. 
"Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. "Privacy Law" means any local, state or federal data privacy or data security law or regulation.
(b) Use of Privacy Information.
In no circumstances shall Franchisee or Franchisor ever sell the Privacy Information.
Franchisee further agrees not to access, use or process the Privacy Information, except in the furtherance of its rights and obligations under this Agreement but at all times in compliance with Privacy Law.
Franchisee shall be solely liable for any and all violations of Privacy Law that may arise from its failure to comply with this provision.
Source: Item 22 — CONTRACTS (FDD page 52)
What This Means (2025 FDD)
According to Bath Tune Up's 2025 Franchise Disclosure Document, franchisees must comply with all local, state, and federal data privacy and security laws and regulations. The FDD defines "Privacy Law" as any local, state, or federal data privacy or data security law or regulation. This means a Bath Tune Up franchisee is responsible for understanding and adhering to all applicable privacy laws at every level of government.
The FDD specifies that franchisees cannot sell Privacy Information under any circumstances. Furthermore, franchisees are prohibited from accessing, using, or processing Privacy Information except when it is necessary to fulfill their obligations under the Franchise Agreement, and even then, it must be done in compliance with Privacy Law. The agreement makes it clear that the franchisee will be held solely liable for any violations of Privacy Law that occur due to their failure to comply with these provisions.
"Privacy Information" is defined broadly in the FDD to include any data that can identify, relate to, describe, or be linked to a particular consumer or household. This includes obvious identifiers like names, addresses, and social security numbers, but also extends to online identifiers, purchasing histories, biometric information, geolocation data, and even inferences drawn about a consumer's preferences or behavior. The definition explicitly excludes publicly available information lawfully made available from government records, but clarifies that biometric information collected without a consumer's knowledge does not qualify as "publicly available."
Given the breadth of the definition of Privacy Information and the strict requirements for compliance, prospective Bath Tune Up franchisees should carefully review all applicable privacy laws and consult with legal counsel to ensure they fully understand their obligations. They should also implement appropriate data security measures to protect Privacy Information from unauthorized access or disclosure, as they will be held liable for any violations.