Who is responsible for financial losses resulting from a data breach at a Circle K franchise?
Circle K Franchise · 2025 FDD
Answer from 2025 FDD Document
Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.
- (c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:
(1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;
(2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;
(3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;
(4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;
(5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, the franchisee is responsible for financial losses resulting from a data breach. Specifically, the franchisee is responsible for any financial losses they incur or remedial actions they must take if there is a security breach or unauthorized access to customer information that is under the franchisee's control or possession. This includes adhering to privacy laws and implementing reasonable security measures to protect customer information.
This means that if a Circle K franchise experiences a data breach, the franchisee will be held accountable for any resulting financial damages. These damages could include the cost of notifying affected customers, legal fees, fines, and other expenses related to addressing the breach. The franchisee is also responsible for taking corrective actions to prevent future breaches, which could involve upgrading security systems or implementing new data protection protocols.
It is also the franchisee's responsibility to comply with all applicable laws related to the EPOS system or other technology used in the operation of their Circle K store. This includes data protection, privacy, and security laws, as well as compliance with Payment Card Industry (PCI) and Europay, MasterCard and Visa (EMV) standards. The franchisee must also cooperate with Circle K and its counsel to ensure they meet the franchisor's standards and policies regarding privacy laws.
This allocation of responsibility highlights the importance of data security for Circle K franchisees. Franchisees must invest in robust security measures and stay informed about evolving data protection laws to mitigate the risk of breaches and the associated financial consequences. Prospective franchisees should carefully consider these responsibilities and the potential costs associated with data security when evaluating a Circle K franchise opportunity.