What specific laws and policies are Belocal franchisees required to adhere to regarding consumer protection and data security?

.

• (3) Privacy Laws. Franchisee represents, warrants, and covenants that it shall comply with (i) all applicable prevailing industry standards concerning privacy, data protection, confidentiality and

information security, including, without limitation, the then-current Payment Card Industry Data Security Standard of the PCI Security Standards Council ("PCI-DSS"); (ii) those mandatory Data Protection and Security Policies, if any; and (iii) all applicable international, federal, state, and local laws, rules, and regulations, as the same may be amended or supplemented from time to time, pertaining in any way to the privacy, confidentiality, security, management, disclosure, reporting, and any other obligations related to the possession or use of Personal Information (collectively, "Privacy Laws").

• (4) Marketing; Consumer Protection. Franchisee shall be solely responsible for compliance with all laws pertaining to emails, including, but not limited to, the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM Act of 2003"), and to use of automatic dialing systems, SMS text messages, and artificial or prerecorded voice messages, including but not limited to the Telephone Consumer Protection Act of 1991 ("TCPA"), as amended from time to time. Franchisee must comply with other applicable consumer protection laws and regulations.
• (5) Security Breach. Franchisee shall cooperate with Franchisor in any audit or inspection that Franchisor may conduct from time to time relating to Franchisee's processing of Personal Information. In addition, if Franchisee becomes aware of any actual or suspected unauthorized access, processing, loss, use, disclosure, alteration, destruction, transfer, or other compromise or acquisition of or access to any Personal Information, whether such information is stored in paper or electronic form, or information that might reasonably expose Franchisor to any harm or prejudice of any type or actual or suspected intrusion by an unauthorized third party into Franchisee's or Franchisor's computers, networks, servers, IT resources, or paper files ("Security Breach"), Franchisee shall immediately notify the Franchisor via telephone of such matter and shall thereafter cooperate with Franchisor to investigate and remedy such matter. Except to the extent required by applicable law, no public disclosure of any instance of such unauthorized access or breach shall be made by Franchisee unless Franchisor has authorized the provision of notice and the form of such notice in writing. Franchisee shall reimburse Franchisor for all reasonable Notification and Remediation Related Costs (as defined below) incurred by Franchisor arising out of or in connection with any such Security Breach that is directly or indirectly caused by Franchisee, its Principals, and its Independent Staff. "Notification and Remediation Related Costs" shall mean Franchisor's internal and external costs associated with addressing and responding to any Security Breach, including but not limited to: (i) preparation and mailing or other transmission of legally required notifications to affected individuals, regulators, and attorneys general; (ii) preparation and mailing or other transmission of such other communications to customers, agents, or others as Franchisor deems reasonably appropriate; (iii) establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points, and training); (iv) engagement of information technology consultants, public relations, and other similar crisis management services; (v) payment of legal and accounting fees and expenses associated with Franchisor's investigation of and response to such Security Breach; and (vi) payment of costs for commercially reasonable credit reporting services that are associated with legally required notifications or are advisable under the circumstances. Franchisee Indemnifying Parties agree to hold harmless, defend and indemnify Indemnitees from and against any and all losses, expenses, judgments, claims, attorney fees and damages arising out of or in connection with any claim or cause of action in which Indemnitees shall be a named defendant and which arises, directly or indirectly, out of the operation of, or in connection with a Security Breach or Franchisee Indemnifying Parties' violation of any Privacy Law, Data Protection and Security Policies, consumer protection-related law or regulation, email marketing and other marketing laws and regulations, and the PCI-DSS.
• (6) Personal Information Consent and Requests. Franchisee is responsible for obtaining any required consent to the collection, use, storage, processing, and sharing of Personal Information from all parties from which it is required to obtain consent under the Privacy Laws or Data Protection and Security Policies. Franchisee shall retain copies of all such consents and store them and share them with Franchisor in the manner Franchisor requires. Franchisee shall fully comply with Data

Protection and Security Policies and Privacy Laws as they relate to any person's exercise of his or her rights under the Privacy Laws.

Source: Item 22 — CONTRACTS (FDD page 71)