Franchise companies face a growing number of laws that impact day-to-day operations when it comes to customer data. The newest addition to that list comes from California. Available here is an E-Commerce & Privacy Group @lert, prepared by our colleagues in the firm’s E-Commerce & Privacy Group, which provides an excellent summary of California’s new law that goes into effect on July 1, 2004.

The new California law highlights the need for franchise systems to take the bull by the horns and develop and implement system-wide privacy and data policies. Franchise systems already face a number of other challenges that suggest the need for these policies, among them:

  • The Health Insurance Portability and Accountability Act of 1996 (known as HIPAA), which covers entities that furnish, or bill, or are paid for health-care services – including some employers who provide health insurance coverage, as well as providers of health-related services.
  • The FACT Act, which addresses collection and use of credit card information as well as social security numbers from customers.
  • The FCC’s regulations implementing the Telephone Consumer Protection Act of 1991, which address the transmission of unsolicited faxes.
  • The Telemarketing Sales Rule, which among other things established the national Do‑Not-Call-Registry, enforced by both the FTC and the FCC. (By the end of the registry’s first year, in June 2004, the FTC reported that over 62 million phone numbers were listed on the registry.)
  • The E.U. Data Protection Directive, which strictly limits the use and transmission of data outside the E.U., even data such as the work phone numbers of employees (or franchisees). Similar laws, of course, can be found in Canada and elsewhere in the world.
  • Britain’s new business-to-business do-not-call registry.
  • California’s law known as "SB 1386" – aimed at identity theft – relating to data security and the release (unintentional, inadvertent, or otherwise) of certain "sensitive" and unencrypted data gathered from customers either on line or off line (e.g., a restaurant that takes credit cards), such as customers’ names plus their credit card numbers, drivers’ license numbers, or social security numbers.
  • California’s new law – as described in the E-Commerce and Privacy @lert – which in effect will require many companies to create and conspicuously post privacy policies on their websites.

Because consumers typically view a franchise system as a single, integrated network, rather than separate legal entities including a franchisor and franchisees, a system-wide approach to data is often required as a practical matter. A system-wide approach, for example, would avert certain problems. One such problem may occur when a customer opts out of receiving e-mail from the franchisor but still gets e-mails from a franchisee. The difficulty arises not because there is a legal obligation for the franchisee not to send e-mails (that issue is still unsettled), but rather because the consumer may expect that his or her opt-out applies to the brand, not just to a specific legal entity. The same consideration holds true for other data issues, both on line and in the "real world."

Finally, as compelling as is the commercial risk of an irritated customer, more so may be the possibility that a franchise system’s reputation and good will could be harmed by a public allegation that a member of the system – be it a franchisor or a franchisee – failed to protect the privacy of its customers’ data.

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.