Must a Carls Jr. franchisee cooperate with CJR regarding data breach standards and policies?
Carls Jr. Franchise · 2025 FDD
Answer from 2025 FDD Document
Franchisee may only use Consumer Information for the purpose of operating the Franchised Restaurant to the extent permitted under this Agreement, including the OPM, during the term hereof and subject to such restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with Franchisee's collection, processing, storage and use of such Consumer Information, including, if required under applicable law, obtaining consents from individuals for CJR's and its affiliates' use of the Consumer Information. Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements CJR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Source: Item 22 — CONTRACTS (FDD pages 75–76)
What This Means (2025 FDD)
According to the 2025 Carls Jr. Franchise Disclosure Document, a franchisee must fully cooperate with CJR (Carls Jr.) and its counsel to meet CJR's standards and policies regarding Privacy Laws, including those governing data breach notification. This cooperation is essential in determining the most effective way to adhere to these standards. The franchisee is also responsible for any financial losses incurred or remedial actions required due to a security breach or unauthorized access to Consumer Information under their control.
Carls Jr. franchisees must comply with all laws and regulations related to data protection, privacy, and security, including data breach response requirements, as well as any data privacy and security policies, procedures, and other requirements that CJR may periodically establish. Franchisees are obligated to maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information.
Furthermore, franchisees must immediately notify CJR of any suspected data breach at or in connection with the Franchised Restaurant or the business operated there. This immediate notification allows CJR to take swift action and provide guidance to mitigate the impact of the breach. Franchisees are also required to utilize administrative, physical, and technical safeguards designed to protect systems and data from unauthorized access, disclosure, acquisition, destruction, use, or modification, consistent with industry standards and best practices. They must also adhere to any applicable law relating to data security. In the event of a suspected or actual data breach, the franchisee must notify CJR within 24 hours and provide timely updates and information when requested.
These requirements ensure that Carls Jr. franchisees are proactive in protecting consumer data and responsive in the event of a data breach, aligning with industry standards and legal obligations. This protects both the franchisee and the brand from potential legal and financial repercussions related to data breaches.