What are the potential consequences for a Circle K franchisee who fails to comply with Privacy Laws?
Circle_K Franchise · 2025 FDDAnswer from 2025 FDD Document
Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law.
Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.
- (c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act , Cal.
Civ.
Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:
(1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;
(2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;
(3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;
(4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;
(5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, a franchisee is responsible for any financial losses or remedial actions resulting from a security breach or unauthorized access to customer information under their control. This means if a Circle K franchisee's store experiences a data breach due to non-compliance with privacy laws, they will be held financially accountable for any resulting damages or required corrective measures.
Furthermore, the Circle K franchisee must cooperate fully with Circle K and its legal counsel to determine the most effective way to meet Circle K's standards and policies regarding privacy laws. This includes implementing reasonable security procedures to protect customer information from unauthorized access, cooperating with Circle K in ensuring compliance with privacy laws, and notifying Circle K immediately if they cannot meet their obligations under privacy laws. The franchisee must also ensure that any third-party subprocessor they engage to handle customer information adheres to the same privacy restrictions and confidentiality obligations.
Failure to comply with these privacy obligations could lead to various repercussions, including financial losses, the need for remedial actions, and potential damage to the reputation and goodwill associated with the Circle K brand. The franchisee's responsibility extends to ensuring compliance with all applicable data protection, privacy, and security laws related to the EPOS system and other technologies used in the store's operation. Circle K also retains the right to modify privacy restrictions and require franchisees to execute addenda to conform to new or changed privacy laws.