What security controls must a Carls Jr. franchisee maintain to protect Consumer Information?
Carls_Jr Franchise · 2025 FDDAnswer from 2025 FDD Document
Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Without limiting the foregoing, Franchisee represents, warrants, and covenants that:
- (1) Franchisee will not "sell" or "share" (as defined under any Privacy Law) any Consumer Information or make Consumer Information available to any third party for valuable consideration;
- (2) Franchisee will retain, use, or disclose Consumer Information only for the specific business purposes specified in this Agreement, and not for any other commercial or noncommercial purpose;
- (3) Franchisee will not retain, use, or disclose Consumer Information outside of the direct business relationship between Franchisee and CJR;
Source: Item 22 — CONTRACTS (FDD pages 75–76)
What This Means (2025 FDD)
According to the 2025 Carls Jr. Franchise Disclosure Document, franchisees must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Consumer Information includes identifiers like names, addresses, phone numbers, usernames, birthdates, email addresses, sales, transaction, loyalty and payment history, and all other information about customers or prospective customers. Carls Jr. owns all Consumer Information and may use it as deemed appropriate, subject to applicable law.
Carls Jr. franchisees can only use Consumer Information to operate their franchised restaurant as permitted under the franchise agreement and the Operations Procedures Manual (OPM). This use is subject to any restrictions Carls Jr. imposes and must comply with all data privacy, security, and other applicable laws. Franchisees must also comply with all laws and regulations relating to data protection, privacy, and security, including data breach response requirements, as well as any data privacy and security policies, procedures, and other requirements that Carls Jr. may periodically establish.
Franchisees must immediately notify Carls Jr. of any suspected data breach at or in connection with their restaurant and fully cooperate with Carls Jr. and its counsel to determine the most effective way to meet Carls Jr.'s standards and policies pertaining to Privacy Laws, including those governing data breach notification. Franchisees are responsible for any financial losses or remedial actions resulting from a security breach or unauthorized access to Consumer Information under their control or possession.
Furthermore, franchisees represent, warrant, and covenant that they will not sell or share any Consumer Information or make it available to any third party for valuable consideration. They must retain, use, or disclose Consumer Information only for the specific business purposes outlined in the franchise agreement and not for any other commercial or noncommercial purpose, nor outside of the direct business relationship between the franchisee and Carls Jr.