What is the Circle K franchisee's responsibility regarding the security of Customer Information in their possession?
Circle_K Franchise · 2025 FDDAnswer from 2025 FDD Document
Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.
- (c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act , Cal.
Civ.
Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:
(1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;
(2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;
(3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;
(4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;
(5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, franchisees bear significant responsibility for the security and handling of customer information. Circle K owns all customer information and may use it as deemed appropriate. However, franchisees must comply with all applicable laws regarding data protection, privacy, and security, including data breach response requirements. This includes obtaining appropriate customer consent to ensure that both the franchisee and Circle K can process customer information as outlined in the franchise agreement. Franchisees are also obligated to notify Circle K immediately of any suspected data breach at their store.
Circle K franchisees are responsible for any financial losses or remedial actions resulting from security breaches or unauthorized access to customer information under their control. Franchisees must cooperate with Circle K in determining the most effective ways to meet the company's standards and policies related to privacy laws. If any federal or state privacy law applies, the franchisee must adhere to specific restrictions, such as only using customer information for operating the store, not selling or sharing it with third parties for advertising, and deleting customer information upon Circle K's request unless an exception applies under the law.
To protect customer information from unauthorized access, Circle K franchisees must implement reasonable security procedures and practices, potentially including following minimum requirements set forth in the Business Systems Manuals. Franchisees must also cooperate with Circle K to ensure compliance with privacy laws, providing requested documents and allowing audits of their privacy and security controls. Additionally, franchisees must work with Circle K to stop or remediate any unauthorized use of customer information, including verifying the deletion of personal information upon request. Franchisees are required to notify Circle K immediately if they cannot meet their obligations under privacy laws or the franchise agreement regarding customer information.