Under the Carls Jr. franchise agreement, who owns the Consumer Information?
Carls_Jr Franchise · 2025 FDDAnswer from 2025 FDD Document
CJR owns all Consumer Information and may use the Consumer Information as it deems appropriate (subject to applicable law), including disclosing it to vendors or sharing it with its affiliates for cross-marketing or other purposes. Franchisee may only use Consumer Information for the purpose of operating the Franchised Restaurant to the extent permitted under this Agreement, including the OPM, during the term hereof and subject to such restrictions as CJR may from time to time impose and in compliance with all data privacy, security and other applicable laws. Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with Franchisee's collection, processing, storage and use of such Consumer Information, including, if required under applicable law, obtaining consents from individuals for CJR's and its affiliates' use of the Consumer Information. Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements CJR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify CJR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with CJR and its counsel in determining the most effective way to meet CJR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Without limiting the foregoing, Franchisee represents, warrants, and covenants that:
- (1) Franchisee will not "sell" or "share" (as defined under any Privacy Law) any Consumer Information or make Consumer Information available to any third party for valuable consideration;
- (2) Franchisee will retain, use, or disclose Consumer Information only for the specific business purposes specified in this Agreement, and not for any other commercial or noncommercial purpose;
- (3) Franchisee will not retain, use, or disclose Consumer Information outside of the direct business relationship between Franchisee and CJR;
Source: Item 22 — CONTRACTS (FDD pages 75–76)
What This Means (2025 FDD)
According to the 2025 Carls Jr. Franchise Disclosure Document, CJR owns all Consumer Information. This includes any identifiers such as names, addresses, phone numbers, usernames, birthdates, and email addresses, as well as sales, transaction, loyalty, and payment history, and all other information about or related to any customer or prospective customer. This also includes any information deemed "personal information" or "personal data" under applicable law. CJR has the right to use this information as it sees fit, which includes sharing it with its affiliates.
While Carls Jr. owns the Consumer Information, the franchisee is permitted to use it for operating the Franchised Restaurant to the extent allowed under the franchise agreement, including the OPM (presumably the Operations Procedures Manual), during the term of the agreement. However, this use is subject to restrictions imposed by CJR and must comply with all data privacy, security, and other applicable laws. The franchisee must also comply with all laws and regulations relating to data protection, privacy, and security, including data breach response requirements, as well as any data privacy and security policies established by CJR.
The franchisee is responsible for maintaining reasonable security controls to protect Consumer Information and must immediately notify CJR of any suspected data breach. Furthermore, the franchisee is responsible for any financial losses or remedial actions resulting from a security breach or unauthorized access to Consumer Information under their control. The franchisee cannot sell or share Consumer Information with third parties for valuable consideration and must only use it for the specific business purposes outlined in the agreement.