What industry standards must a Belocal franchisee comply with concerning privacy and data protection?

According to Belocal's 2025 Franchise Disclosure Document, franchisees must adhere to prevailing industry standards concerning privacy, data protection, confidentiality, and information security. This includes compliance with the Payment Card Industry Data Security Standard (PCI-DSS) of the PCI Security Standards Council. Franchisees must also follow any mandatory Data Protection and Security Policies established by Belocal, as well as all applicable international, federal, state, and local laws, rules, and regulations related to the privacy, confidentiality, security, management, disclosure, reporting, and use of Personal Information, collectively referred to as "Privacy Laws."

Belocal franchisees are responsible for obtaining necessary consent for collecting, using, storing, processing, and sharing Personal Information, as required by Privacy Laws and Data Protection and Security Policies. They must retain copies of these consents and share them with Belocal as instructed. Franchisees must also comply with Data Protection and Security Policies and Privacy Laws regarding individuals exercising their rights under these laws. If someone contacts a franchisee to exercise their rights related to Personal Information, the franchisee must comply with the request according to the franchise agreement, Data Protection and Security Policies, the Franchise Brand Standards Manual, Privacy Laws, and any instructions from Belocal.

Furthermore, Belocal franchisees must only collect, use, store, process, or share Personal Information if permitted by the franchise agreement, Data Protection and Security Policies, the Franchise Brand Standards Manual, Privacy Laws, and with written approval from Belocal, if applicable. This information can only be used for operating the Franchised Business. Franchisees are prohibited from selling Personal Information or re-identifying any de-identified Personal Information. If a franchisee uses a vendor that handles Personal Information, they must ensure the vendor is contractually bound to the data protection obligations required by Belocal. Franchisees are also responsible for adhering to laws pertaining to emails, such as the CAN-SPAM Act of 2003, and laws regarding automatic dialing systems, SMS text messages, and artificial or prerecorded voice messages, including the Telephone Consumer Protection Act of 1991 (TCPA).

In the event of a security breach, Belocal franchisees must immediately notify Belocal and cooperate in investigating and resolving the issue. Public disclosure of any unauthorized access or breach is prohibited unless Belocal authorizes it in writing. Franchisees are also responsible for reimbursing Belocal for all reasonable Notification and Remediation Related Costs resulting from any Security Breach caused directly or indirectly by the franchisee, its Principals, or its Independent Staff. This includes costs related to notifications, communications, call center establishment, consultants, legal and accounting fees, and credit reporting services. Franchisees must also indemnify Belocal against any losses, expenses, judgments, claims, attorney fees, and damages arising from a Security Breach or violation of any Privacy Law, Data Protection and Security Policies, consumer protection-related law or regulation, email marketing and other marketing laws and regulations, and the PCI-DSS.