What Franchisors Need to Know About the California Consumer Privacy Act Effective January 1st
California’s new data privacy law, the California Consumer Privacy Act (“CCPA”), took effect on January 1st and may require franchisors and franchisees to update or add new data privacy policies and systems to mitigate the significant risk of monetary damage imposed by the new law. Any franchisor operating or franchising (or planning to operate or franchise) in California should examine whether the CCPA may apply and, if so, take the appropriate steps to ensure compliance and minimize the risk of a data breach.
The CCPA, which regulates the collection and sharing of data about California residents, applies to any franchisor doing business in California that satisfies any of the following thresholds: (i) annual gross revenues of $25 million or more; (ii) buys, receives, sells, or shares personal information of at least 50,000 California residents, households or devices annually; or (iii) derives a minimum of 50% of annual revenue from selling California residents’ personal information. These thresholds must be satisfied by a single entity, and the statute’s terms do not permit aggrieved consumers to combine franchisor and franchisee revenue to satisfy the threshold requirements. Franchisors should be cautioned, however, that aggressive consumers and their counsel may take advantage of certain vague definitional terms to push for a broader, but misguided, construction covering the entire franchise system.
Franchisors covered by the CCPA should immediately take steps to ensure strong data security practices to minimize exposure to private causes of action under the CCPA, including class action lawsuits, resulting from a data breach. This is a sharp departure from prior regulations limiting data breach penalties to actions by the state attorney general, the Federal Trade Commission or other government regulators. Plaintiffs’ lawyers and their consumer clients who are victims of a data breach can now privately seek statutory damages ranging from $100 to $750 per violation or actual damages, whichever is higher. Actual harm caused by a data breach does not need to be proven. If a franchise system suffers a data breach comprising the personal data of thousands of California consumers, the damages in a class action lawsuit could be well into the tens of millions of dollars.
The enactment of the CCPA is an opportune time for franchise systems to ensure they are appropriately safeguarding consumer data. All franchisors should regularly analyze the type of consumer data collected by the franchisor, its franchisees and its vendors and work to minimize the data collected. Data security practices should be reviewed and incident response plans should be drafted or updated. Franchisors should also update their privacy policies and operations manuals to address the ownership and use of personal data. Additional adjustments to compliance programs may be needed late in 2020 once the California Attorney General releases additional rules and regulations expected by July 1, 2020.