What is the Bath Tune Up franchisee's obligation to comply with Privacy Law?
Bath Tune Up Franchise · 2025 FDD
Answer from 2025 FDD Document
- (c) Privacy Information Requests.
To the extent Franchisor does not have the ability to address requests made under applicable Privacy Law by individuals that are the subject of any of the Privacy Information, Franchisee shall, upon Franchisor's request, provide reasonable assistance to Franchisor in responding to such requests.
- (d) Audits.
During the term of this Agreement, at Franchisor's request and subject to reasonable notice, Franchisee shall provide Franchisor with information sufficient to establish its compliance with the obligations set forth in this section 8.18 and the applicable Privacy Laws.
Privacy Information includes but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license or state identification card number, passport number, signature, physical characteristics or description, telephone number, insurance policy number, bank account number, credit card number, debit card number or any other financial information, medical information or health insurance information; characteristics of protected classifications under state or federal law; commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; biometric information; Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement; geolocation data; audio or electronic information; professional or employment-related information; education information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 USC § 1232g; 34 CFR Part 99); and inferences drawn from any of the information identified in this subsection to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. "Personal Information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records. 
"Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. "Privacy Law" means any local, state or federal data privacy or data security law or regulation.
- (b) Use of Privacy Information.
In no circumstances shall Franchisee or Franchisor ever sell the Privacy Information.
Franchisee further agrees not to access, use or process the Privacy Information, except in the furtherance of its rights and obligations under this Agreement but at all times in compliance with Privacy Law.
Franchisee shall be solely liable for any and all violations of Privacy Law that may arise from its failure to comply with this provision.
Source: Item 22 — CONTRACTS (FDD page 52)
What This Means (2025 FDD)
According to Bath Tune Up's 2025 Franchise Disclosure Document, franchisees must adhere to all local, state, and federal data privacy and security laws, referred to as "Privacy Law." Franchisees are prohibited from selling Privacy Information under any circumstances. They are only allowed to access, use, or process this information to fulfill their obligations under the Franchise Agreement, and they must always comply with Privacy Law when doing so. The franchisee is solely responsible for any violations of Privacy Law resulting from their failure to comply with these provisions.
Bath Tune Up defines "Privacy Information" as any data that can identify, relate to, describe, or be linked to a specific consumer or household. This includes a wide range of identifiers such as names, addresses, online identifiers, contact information, financial details, medical information, and even inferences about a consumer's preferences or behavior. The definition specifically excludes publicly available information lawfully obtained from government records.
Bath Tune Up franchisees must provide reasonable assistance to the franchisor in responding to requests made under applicable Privacy Law if the franchisor is unable to address these requests directly. Franchisees must also provide information to Bath Tune Up, upon request and with reasonable notice, to establish their compliance with privacy obligations. This may involve audits conducted by the franchisor to ensure adherence to both the franchise agreement and relevant Privacy Laws.
In addition to Privacy Law compliance, Bath Tune Up franchisees must comply with the Payment Card Industry Data Security Standards (PCI DSS) and may be required to submit an annual PCI Attestation of Compliance. These measures highlight the importance of data protection and security within the Bath Tune Up franchise system, placing a significant responsibility on franchisees to safeguard consumer information and maintain compliance with evolving legal and industry standards.