Businesses operating in California—including franchisors and franchisees—need to be aware of a new data privacy law that took effect January 1, 2020, called the California Consumer Privacy Act (“CCPA”). This law provides consumers a right to legal actions for monetary damages, including class actions, for data breaches. Previously, the law only allowed legal action to be brought by government agencies or regulators, such as the state attorney general or the Federal Trade Commission.
The California Consumer Privacy Act
The CCPA restricts collection and sharing of data about California residents. This law applies to any for-profit business operating in California that:
- generates gross revenues of at least $25 million annually; or
- buys, receives, sells, or shares personal information of at least 50,000 California residents, households or devices (which connect via the Internet) annually; or
- derives a minimum of 50% of its annual revenue from selling California residents’ personal information.
Note that a business operating in California needs to only meet one of the above criteria to be subject to the CCPA.
“Sensitive personal information,” as well as a broader category of “personal information,” is covered by the CCPA. This scope includes data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Consumers have the right to know the personal data collected, to have data corrected or deleted, and to request that businesses cease selling or disclosing the data. Franchisors must provide a mechanism for consumers to exercise these rights, and franchisors must respond to consumer requests within 45 days under the CCPA.
CCPA and Franchising
It is unlikely that a franchisee operating in California alone would meet one of the criteria above and be subject to the CCPA. The legislation also does not expressly allow consumers to combine the revenue of a franchisor with its franchisees. The CCPA, however, applies to any entity that controls or is controlled by a covered business and shares common branding with that covered business. Since the definition of “control” or “controlled” includes “the power to exercise a controlling influence over the management of” the business, aggressive consumers may try to exploit these vague definitional terms and aggregate franchisee and franchisor revenues to try to satisfy the CCPA’s threshold revenue requirements.
Violations of the CCPA
The CCPA provides statutory damages ranging from $100 to $750 per data breach violation or actual damages, if higher. There is no burden of proof of actual harm caused by a data breach. For franchisees and franchisors who possess personal data for tens of thousands of California residents, statutory damages could easily exceed tens of millions of dollars.
Data Protection in Franchise Systems
Franchisors and franchisees should review their data privacy policies and systems to ensure compliance with the new law. The CCPA creates a strong incentive for franchisors and franchisees alike to safeguard consumer data. Any franchisor operating in California or planning to expand into California must minimize the risk of a data breach. Franchisors must understand the nature of the consumer data collected and possessed throughout the entire franchise system. To minimize the extent of possible damages from a data breach, franchisors must ensure that the only data collected by franchisees and vendors is data which supports an identified business purpose. Capabilities essential for data security must be established and kept current. Such capabilities include incident response plans, privacy policies, and operations manuals.
The law will continue to evolve during 2020 based on the scheduled issuance of additional rules by the California Attorney General in July 2020. Franchisors should plan and budget resources to review and update data security capabilities to ensure compliance with current law under the CCPA.