What are the 'Privacy Requirements' that a Carvel franchisee must abide by?

Carvel Franchise · 2025 FDD

Answer from 2025 FDD Document

You must abide by: (a) the Payment Card Industry Data Security Standards ("PCI-DSS") enacted by the applicable Card Associations (as they may be modified from time to time or as successor standards are adopted) and all Laws, standards, or any equivalent thereof relating to the collection, use, and security of personal information; (b) the FACTA; (c) all other Laws, standards, or any equivalent thereof applicable to electronic payments that may be published from time to time by payment card companies and applicable to electronic payments; and (d) any privacy policies or data protection and breach response policies we periodically may establish, including those set forth in Section 12.3 (Data Breach Notification) (collectively, "Privacy Requirements").

Source: Item 23 — Receipts (FDD pages 100–353)

What This Means (2025 FDD)

According to Carvel's 2025 Franchise Disclosure Document, franchisees must adhere to specific 'Privacy Requirements.' These include compliance with the Payment Card Industry Data Security Standards (PCI-DSS) enacted by the applicable Card Associations, as those standards may be modified over time or replaced by successor standards, along with all laws and standards relating to the collection, use, and security of personal information. Franchisees must also comply with the Fair and Accurate Credit Transactions Act (FACTA).

Furthermore, Carvel franchisees must follow all other laws, standards, or their equivalents applicable to electronic payments that payment card companies may publish from time to time. Franchisees are also obligated to adhere to any privacy policies or data protection and breach response policies that Carvel may periodically establish, including those set forth in Section 12.3 (Data Breach Notification).

In practical terms, this means a Carvel franchisee must implement and maintain robust data security measures to protect customer information, especially concerning electronic payments. They need to stay updated with changes in PCI-DSS, FACTA, and other relevant laws and standards. Additionally, they must follow any specific data protection policies set by Carvel, ensuring they are prepared to respond appropriately in the event of a data breach. Failing to comply with these requirements could result in legal penalties, financial losses, and damage to the Carvel brand's reputation.

It is important for prospective Carvel franchisees to fully understand these Privacy Requirements and ensure they have the resources and expertise to comply with them. This may involve investing in secure payment systems, training staff on data protection practices, and developing a comprehensive data breach response plan.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.