What are the specific requirements for a Circle K franchisee to obtain appropriate Customer consent to ensure Franchisee and Franchisor may process Customer Information as outlined in this Agreement?
Circle_K Franchise · 2025 FDDAnswer from 2025 FDD Document
(6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;
(7) Franchisee will cooperate with Franchisor if Franchisor seeks to ensure that Franchisee has collected, retained, used, or disclosed Customer Information consistent with Privacy Laws and this Agreement, including but not limited to providing Franchisor with requested compliance documents, or allowing Franchisor to assess, audit, or test Franchisee's privacy and security controls at least annually;
(8) Franchisee will cooperate with Franchisor to stop or remediate any unauthorized use of Customer Information, including verifying that Franchisee no longer retains or processes any personal information that a consumer has asked Franchisee or Franchisor to delete under applicable Privacy Laws; and
(9) Franchisee will notify Franchisor immediately if Franchisee determines it cannot meet its obligations under Privacy Laws or this Agreement regarding its collection, retention, use, or disclosure of Customer Information.
(d) Franchisee certifies that it understands the restrictions in Paragraphs (1) (9) of section 9.6(c) and will comply with them.
Franchisee also acknowledges and agrees that Franchisor may modify these restrictions from time to time by written notice to Franchisee, by issuing updates to Franchisor's standards and policies pertaining to Privacy Laws, including by adding other similar restrictions that may be required under other state or federal Privacy Laws, and Franchisee agrees to comply with the same.
Franchisee also agrees to execute any addenda that Franchisor may determine are required to conform this Agreement to new or changed Privacy Laws.
To the extent that Franchisee engages a third party to collect, use, sell, share, store, disclose, analyze, delete, modify, or to otherwise perform any processing of Customer Information for the purpose of operating the Store (a "Subprocessor"), Franchisee will notify Franchisor of such engagement, which shall be governed by a written contract that includes the same restrictions as in Paragraphs (1) – (9) of section 9.6(c) and imposes reasonable confidentiality obligations and privacy and security controls on the Subprocessor.
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to the 2025 Circle K FDD, while it doesn't explicitly detail the methods for obtaining customer consent, it outlines several obligations for franchisees regarding customer information and privacy. Circle K owns all Customer Information and can use it as deemed appropriate, in accordance with applicable law. This includes disclosing it to vendors.
Circle K franchisees must implement reasonable security procedures and practices to protect customer information from unauthorized access, adhering to minimum requirements in the Business Systems Manuals. Franchisees must cooperate with Circle K to ensure customer information is collected, retained, used, or disclosed in line with privacy laws and the franchise agreement. This includes providing compliance documents and allowing Circle K to audit privacy and security controls at least annually.
Furthermore, franchisees are required to cooperate with Circle K to stop any unauthorized use of customer information, including verifying that personal information is deleted upon request. Franchisees must immediately notify Circle K if they cannot meet their obligations under privacy laws or the agreement regarding customer information. Franchisees also agree to execute any addenda required to conform the agreement to new or changed privacy laws.
If a franchisee uses a third party (Subprocessor) to handle customer information, they must notify Circle K, and the arrangement must be governed by a written contract with the same restrictions as outlined in the agreement. This contract should also impose confidentiality obligations and privacy and security controls on the Subprocessor. These restrictions may be modified by Circle K with written notice to the franchisee, including updates to standards and policies pertaining to privacy laws.