The CCPA may require franchisors to add new policies, systems, and processes to comply with the new law. Here’s what you need to know
How much do you know about the personal data you collect on your franchisees, customers, and employees? What security systems and processes do you use to protect against data breaches? If you do not know the answers to these questions, you better pay closer attention to what data you collect and how it is used in your franchise.
You probably just got used to the European data privacy law known as the General Data Protection Regulation (GDPR) and thought your data privacy concerns were limited to European customers. Sorry, but enhanced data privacy rights have crossed the pond and are now extended to California residents.
The groundbreaking California Consumer Privacy Act (CCPA) – effective January 1, 2020 – may require franchisors, franchisees, and their service providers to add new policies, systems, and processes to comply with the new law.
GDPR and CCPA do not care where your corporate office is located. They apply to and cover the individual, and are based on the state or country where the individual resides when the personal data is collected. Failure to comply with the new CCPA could expose you to significant monetary damages. No longer are your risks limited to a potential enforcement action by a state attorney general’s office, the Federal Trade Commission (FTC), or other government regulator. Now you can face a multi-million dollar class-action lawsuit based upon the CCPA private right of action.
Does the CCPA apply to your franchise?
Franchisors that access personal information from their franchisees’ point of sale systems must consider how the CCPA regulates the relationship between the franchisor and their franchisee’s customers.
The CCPA applies to any business that collects personal information from California residents and has at least one of the following:
• Annual gross revenues of $25 million or more
• Buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually
• Derives a minimum of 50 per cent of its annual revenue from selling California residents’ personal information The broad definition of a covered entity in the CCPA may be used to cover an entire franchise system, if either the franchisor or franchisee meets the definition of a “business”.
New private right of action
While much attention has been given to the new rights afforded to California consumers, to have more access and control over use of their personal data, the greatest risk to a business is the new private right of action — with substantial statutory damages — for data breaches.
Consumers can now sue a company when their “non-encrypted or non- redacted personal information… is subject to unauthorized access and ex-filtration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Plaintiffs’ lawyers and their consumer clients who are the victims of a data breach can now seek statutory damages of between $100 and $750 per consumer per incident, actual damages, and injunctive relief. There is no need to demonstrate actual harm to the consumer.
If a large number of records holding personal information are breached, the potential financial exposure will be enormous. For example, a breach involving 50,000 residents could result in a $37.5m claim.
The CCPA private right of action is fortunately limited (as of now) to data breaches. Any other noncompliance with the CCPA may subject a business to enforcement actions by the California Attorney General with civil penalties of up to $7,500 per violation.
5 things to consider:
1. Data mapping
Under the CCPA, consumers will have the right to request that you disclose what personal information you collect and for what purposes, and (with some exceptions) request that you delete any such personal information.
Perform data mapping as necessary to inventory the personal information collected on California residents, households, and devices. For what purposes is such data collected, who is it shared with, and where is it stored. Now is a good opportunity to minimize the personal data you collect. You cannot lose what you do not have.
2. Evaluate business processes
New business processes and system changes may be necessary to respond to and handle data access and deletion requests from California residents as well as any requests to opt-out of data monetization. You must be prepared to disclose and deliver the required information to a consumer making such request free of charge within 45 days of receiving a verifiable request.
3. Update privacy policies
Privacy policies and notices may need updates with new disclosures regarding consumer rights to data access and deletion. Consumers must be notified of and be able to opt-out of the sale of their personal information, including use of a ‘DO NOT SELL’ choice on your organization’s website. Privacy notices must indicate the categories of personal information collected and the purposes for which they are used.
4. Data security
The CCPA private right of action should elevate security as a major concern since businesses are required to protect personal data with “reasonable security procedures and practices”. The creation of written information security programs and incident response plans and teams, as necessary to handle unauthorized access and potential data breach notification requirements, are now more critical than ever before. California has suggested the Center for Internet Security (CIS) as one data security standard to follow.
5. Vendor management
Review contracts with vendors who process or handle customer data or personal information to assure they are complying with the CCPA and other data privacy laws, and – if necessary – provide an addendum to cover privacy and security issues.
THE AUTHOR
Michael Cohen is a principal and privacy officer at the Gray Plant Mooty law firm
