By introducing the California Consumer Privacy Act, California continues its pattern of enacting legislation that has the potential to impact the franchise industry in a significant way. The CCPA applies to any company that “does business” in California (which is a broad category) and that meets the criteria explained below. If your franchise company is based in California, or (potentially) even if you have any franchisees in California, you need to be prepared to comply with this new law.
What does it mean to “do business” in California?
Because any California resident is protected by the CCPA, doing business in California does not require a company to have an office or a business operation in California. If a California resident visits your store or website and information is collected, you might be required to comply with the CCPA.
What does the CCPA do?
The CCPA grants California residents new rights relating to access to, opting-out of the collection of, deletion of, and sharing of personal information collected by businesses about them.
What is personal information?
Personal information is defined broadly to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes items such as names, IP addresses, geolocation data, biometric information, and email addresses.
Who does the CCPA apply to?
The CCPA applies to businesses that “do business” in the State of California, where the business meets one or more of the following criteria:
- Has gross annual revenues in excess of $25 million*;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
*Keep in mind that it’s not clear whether the State of California would try to aggregate all the franchisees plus the franchisor in calculating this $25 million figure, or aggregate the franchisor and its affiliate entities. For example, if your annual revenues were $15 million, and the revenues of all of your franchisees together were another $15 million, would the CCPA apply to you and each of your franchisees? There is no guidance yet on how this figure will be calculated.
What are the new requirements?
A business subject to the CCPA must:
- Maintain a privacy policy that is in compliance with the California Online Privacy Protection Policy and is updated to comply with the CCPA.
- Provide notice to consumers at or before data collection.
- Create procedures to respond to requests from consumers to opt out of collection, and to know of and delete personal information.
- Respond to requests from consumers to opt out of collection, and to know of and delete personal information.
- Include a “Do Not Sell My Info” link on any website or mobile app.
- Verify the identity of consumers who make requests to know of and to delete personal information, whether or not the consumer maintains a password-protected account with the business.
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how it calculates the value of the personal information. A business must also explain how the incentive is permitted under the CCPA.
- Maintain records of requests and how the business responded for 24 months.
How is a franchisor or franchisee affected?
The CCPA defines a business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders….” A business is further defined as one such legal entity that utilizes “common branding”, which means a shared name, servicemark, or trademark. Franchisors and franchisees could be subjected to the CCPA if any personal information is collected from a California resident (either as a prospective franchisee of the franchisor or as a customer/client of the franchisor or a franchisee) and the business does not comply with the requirements of the CCPA.
What are the consequences for noncompliance?
As currently written, the CCPA subjects businesses to fines up to $2,500 for each violation and up to $7,500 for each intentional violation, if a business fails to cure an alleged violation within 30 days of notice of noncompliance from the California Attorney General. Also, if unencrypted personal information is acquired by others and the business failed to have a reasonable security program, the business may be directly liable for the costs after a 30-day cure period.
When does the CCPA take effect?
The CCPA took effect on January 1, 2020 and final rules were approved on August 14, 2020.
Please let us know if you have any questions and how we can help.