What are the specific requirements for a Circle K franchisee to comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ('Privacy Laws'), as well as data privacy and security policies, procedures and other requirements Franchisor may periodically establish?

Circle K Franchise · 2025 FDD

Answer from 2025 FDD Document

; (ii) who has purchased or purchases products or services at the Store; or (iii) whom Franchisee has solicited to purchase any products or services at the Store. Franchisor may use the Customer Information as it deems appropriate, including sharing it with its Affiliates.

  • (b) Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with its collection, storage, disclosure and its use and Franchisor's use of such Customer Information, including complying with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Laws"), as well as data privacy and security policies, procedures and other requirements Franchisor may periodically establish. Some laws require Franchisee to obtain consent to collect, store, disclose, and use (collectively "process") personal information. Franchisee is responsible for obtaining appropriate Customer consent to ensure Franchisee and Franchisor may process Customer Information as outlined in this Agreement. Franchisee must notify Franchisor immediately of any suspected data breach at or in connection with the Store. Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.

  • (c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:

    • (1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;

    • (2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;

    • (3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;

    • (4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;

    • (5) If Franchisee receives a Customer Information data request (e.g.

Source: Item 22 — CONTRACTS (FDD page 100)

What This Means (2025 FDD)

According to Circle K's 2025 Franchise Disclosure Document, franchisees must comply with all laws and regulations regarding data protection, privacy, and security, including data breach response requirements, referred to as "Privacy Laws." Franchisees must also adhere to Circle K's data privacy and security policies, procedures, and any other requirements that Circle K may establish periodically. Franchisees are responsible for obtaining appropriate customer consent to ensure that both the franchisee and Circle K can process customer information as outlined in the franchise agreement. Franchisees must immediately notify Circle K of any suspected data breach at or connected to their store. They must also fully cooperate with Circle K and its counsel to determine the most effective way to meet Circle K's standards and policies related to Privacy Laws, within the bounds of applicable law.

Circle K franchisees must implement reasonable security procedures and practices to protect customer information from unauthorized or illegal access. This includes following minimum requirements detailed in the Business Systems Manuals. Franchisees must cooperate with Circle K to ensure that customer information is collected, retained, used, or disclosed in accordance with Privacy Laws and the franchise agreement. This cooperation includes providing requested compliance documents and allowing Circle K to assess, audit, or test the franchisee's privacy and security controls at least annually.

Furthermore, Circle K franchisees are required to cooperate with Circle K to stop or remediate any unauthorized use of customer information. This includes verifying that the franchisee no longer retains or processes any personal information that a consumer has requested to be deleted under applicable Privacy Laws. Franchisees must immediately notify Circle K if they determine they cannot meet their obligations under Privacy Laws or the franchise agreement regarding the collection, retention, use, or disclosure of customer information. Franchisees are also responsible for any financial losses or remedial actions resulting from a security breach or unauthorized access to customer information under their control.

If a Circle K franchisee engages a third party (a Subprocessor) to handle customer information, they must notify Circle K of this engagement. This relationship must be governed by a written contract that includes the same restrictions as outlined in the franchise agreement and imposes reasonable confidentiality obligations and privacy and security controls on the Subprocessor. Franchisees must also comply with specific restrictions if any federal or state Privacy Law, including the California Consumer Privacy Act (CCPA), applies to the store's operation, particularly when operating as a "Service Provider" or "Contractor" under the CCPA. These restrictions include not retaining, using, combining, or disclosing any Customer Information except for operating the store and in accordance with the Business Systems Manuals.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.