Who is responsible for financial losses resulting from a security breach involving Customer Information at a Circle K franchise?
Circle_K Franchise · 2025 FDDAnswer from 2025 FDD Document
of any suspected data breach at or in connection with the Store. Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.
(c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act , Cal. Civ. Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:
- (1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;
(2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;
(3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;
(4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;
(5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, the franchisee is responsible for financial losses resulting from a security breach or unauthorized access to customer information if that information was in the franchisee's control or possession. This means that if a Circle K franchisee experiences a data breach where customer data is compromised due to the franchisee's security failings, the franchisee will bear the financial burden of the resulting losses and any required remedial actions.
This responsibility extends to compliance with privacy laws. The Circle K franchisee must cooperate with Circle K to meet the franchisor's standards and policies related to privacy laws. The franchisee also acts as a service provider or contractor under the California Consumer Privacy Act (CCPA) and similar laws, and they must adhere to specific rules regarding customer information. These rules include restrictions on retaining, using, combining, disclosing, selling, or sharing customer information, as well as requirements to delete data upon request and to inform Circle K of any customer data requests.
To protect customer information, Circle K franchisees must implement reasonable security procedures and practices. These measures should be appropriate to the type of customer information collected, retained, used, or disclosed. The security measures must protect the data from unauthorized or illegal access, and franchisees must follow any minimum security requirements outlined in the Circle K Business Systems Manuals. This places a significant responsibility on franchisees to invest in and maintain robust data security systems and practices to safeguard customer information and avoid potential financial losses.