What is the Circle K franchisee's responsibility regarding financial losses incurred as a result of unauthorized access to Customer Information?
Circle K Franchise · 2025 FDD
Answer from 2025 FDD Document
of any suspected data breach at or in connection with the Store. Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.
(c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:
(1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;
(2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;
(3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;
(4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;
(5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, the franchisee is responsible for any financial losses or remedial actions required due to a security breach or unauthorized access to customer information if that information was in the franchisee's control or possession. This means that if a Circle K franchisee's systems are compromised and customer data is exposed, leading to financial damages or the need for corrective measures, the franchisee will bear the costs. This responsibility underscores the importance of franchisees implementing robust security measures to protect customer data.
Furthermore, the Circle K franchisee must cooperate with Circle K and its legal counsel to determine the most effective way to adhere to Circle K's standards and policies regarding privacy laws. This collaboration ensures that the franchisee remains compliant with applicable laws while also aligning with Circle K's broader data protection strategy. The franchisee is also obligated to implement reasonable security procedures to protect customer information from unauthorized access, potentially including following minimum requirements outlined in Circle K's Business Systems Manuals.
In addition to general data protection responsibilities, if any federal or state privacy law applies to the operation of the Circle K store, the franchisee must adhere to specific stipulations. These include not retaining, using, combining, or disclosing any customer information except for operating the store according to Circle K's Business Systems Manuals. The franchisee also cannot sell, share, or disclose customer information to third parties for valuable consideration or cross-context behavioral advertising. These restrictions are designed to protect customer privacy and prevent misuse of data.
Moreover, the Circle K franchisee must delete any customer information upon Circle K's request, unless an exception applies under applicable law. If a customer directly requests data deletion or access, the franchisee must inform Circle K within one business day and cooperate to ensure a timely response. These requirements highlight the franchisee's role in maintaining data integrity and complying with customer requests under privacy laws, reinforcing the need for vigilance and adherence to Circle K's data protection protocols.