What are the specific requirements for a Circle K franchisee to comply with applicable law in connection with its collection, storage, disclosure and its use and Franchisor's use of such Customer Information?
Circle_K Franchise · 2025 FDDAnswer from 2025 FDD Document
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
(7) Franchisee will cooperate with Franchisor if Franchisor seeks to ensure that Franchisee has collected, retained, used, or disclosed Customer Information consistent with Privacy Laws and this Agreement, including but not limited to providing Franchisor with requested compliance documents, or allowing Franchisor to assess, audit, or test Franchisee's privacy and security controls at least annually;
(8) Franchisee will cooperate with Franchisor to stop or remediate any unauthorized use of Customer Information, including verifying that Franchisee no longer retains or processes any personal information that a consumer has asked Franchisee or Franchisor to delete under applicable Privacy Laws; and
(9) Franchisee will notify Franchisor immediately if Franchisee determines it cannot meet its obligations under Privacy Laws or this Agreement regarding its collection, retention, use, or disclosure of Customer Information.
(d) Franchisee certifies that it understands the restrictions in Paragraphs (1) (9) of section 9.6(c) and will comply with them.
Franchisee also acknowledges and agrees that Franchisor may modify these restrictions from time to time by written notice to Franchisee, by issuing updates to Franchisor's standards and policies pertaining to Privacy Laws, including by adding other similar restrictions that may be required under other state or federal Privacy Laws, and Franchisee agrees to comply with the same.
Franchisee also agrees to execute any addenda that Franchisor may determine are required to conform this Agreement to new or changed Privacy Laws.
To the extent that Franchisee engages a third party to collect, use, sell, share, store, disclose, analyze, delete, modify, or to otherwise perform any processing of Customer Information for the purpose of operating the Store (a "Subprocessor"), Franchisee will notify Franchisor of such engagement, which shall be governed by a written contract that includes the same restrictions as in Paragraphs (1) – (9) of section 9.6(c) and imposes reasonable confidentiality obligations and privacy and security controls on the Subprocessor.
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, franchisees must comply with all applicable laws regarding the collection, storage, disclosure, and use of customer information. This includes adhering to all laws and regulations related to data protection, privacy, and security, including data breach response requirements. Circle K owns all customer information and may use it as it deems appropriate, including sharing it with its affiliates. Franchisees may only use customer information for operating the store as permitted by the franchise agreement and the Business Systems Manuals.
Circle K franchisees must implement reasonable security procedures to protect customer information from unauthorized access, following minimum requirements in the Business Systems Manuals. Franchisees must cooperate with Circle K to ensure compliance with privacy laws, including providing compliance documents and allowing audits of privacy and security controls at least annually. They must also cooperate to stop any unauthorized use of customer information, including deleting personal information upon request.
Furthermore, franchisees must notify Circle K immediately if they cannot meet their obligations under privacy laws or the franchise agreement regarding customer information. Franchisees certify that they understand and will comply with these restrictions, which Circle K may modify from time to time. If a franchisee engages a third party (a Subprocessor) to handle customer information, they must notify Circle K and ensure the Subprocessor adheres to the same restrictions and confidentiality obligations.
In practical terms, a Circle K franchisee must stay updated on all relevant data privacy laws and regulations, implement robust security measures, and train employees on proper data handling procedures. They must also be prepared to respond to data breaches and cooperate with Circle K in ensuring compliance. This places a significant responsibility on the franchisee to protect customer data and maintain the trust of their customers.