This article was originally published in the American Bar Association's The Franchise Lawyer, Spring 2019 edition.
According to Henry David Thoreau, “[a] foolish consistency is the hobgoblin of little minds.” Henry would have relished recent attempts by U.S. state legislatures to import the concepts of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) into state privacy laws. The most consistent aspect of this effort to date has been the inconsistency—and occasional incoherency—of the resulting state proposals. California, nonetheless, has charged ahead with a sweeping new privacy law that imposes onerous new rules on almost any type of business that handles consumer information.
Some of the stated goals of the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 – 1798.199 (“CCPA”) appear consistent with GDPR; but the CCPA’s implementation is far less flexible, and its scope far broader. Unfortunately, franchises and business-licensing arrangements are on the losing end of this paradigm shift, due to the CCPA’s unique approach to imposing privacy responsibilities on businesses that license brands or service marks.
The Original: GDPR
The GDPR was promulgated in May 2016 and became fully enforceable in May 2018. The GDPR places restrictions on the processing of “Personal Data” relating to EU residents and endows EU residents with certain rights related to their personal data. Personal data is broadly defined as “any information relating to an identified or identifiable natural person,” including a name, location data, or an online identifier. GDPR places obligations on businesses that handle the personal data of EU residents regardless of the location of the business. Thus, many U.S.-based businesses that may transact with EU residents—such as restaurants, hotels, and others in hospitality services—may be subject to the GDPR even if they have no operations based in the EU.
An entity subject to the GDPR can only process data related to EU residents if one of the lawful bases set forth in the regulation applies. Further restrictions apply to the entity’s ability to transfer data outside the EU. Under the GDPR, European residents have the right to receive notice regarding the processing of their data, to access information that has been collected about them and correct any inaccuracies, and to restrict further processing or request erasure of data.
Privacy: California Style
The CCPA was enacted amidst a whirlwind of political maneuvering in the summer of 2018. In an attempt to head off a consumer privacy ballot initiative, the California legislature quickly passed a patched-together statute that applies to any for-profit entity doing business in California that collects or uses personal information about California residents (including employees). Like GDPR, the CCPA applies to a host of businesses that have not been subject to specific privacy requirements in the past. Any entity that does business in California and has $25 million in total annual revenue is subject to the CCPA. Even businesses that do not meet that revenue threshold and have a relatively small California presence may be subject to the statute.
For example, a franchisee that annually receives the personal information of 50,000 or more California residents/employees, households or devices is subject to the CCPA. Most consumer businesses with an online presence will meet this threshold. This is due, in part, to the fact that the CCPA applies to a much broader data set than GDPR or any U.S. privacy law to date. The CCPA’s definition of “personal information” includes any information that “is capable of being associated with . . . a particular consumer or household.” This definition sweeps in nearly any type of information that might be collected online—including IP addresses and information collected passively through cookies and web beacons. Even information collected by a business solely for internal use is subject to the CCPA—including any data related to a California resident employee. The CCPA’s focus on collection of device identifiers also broadens its reach exponentially. Businesses that use apps or partner with app-based delivery or booking services must consider the information gleaned through those channels as though each device is a unique individual – even though a single individual may possess several devices.
Guilt by Brand Association
But the CCPA does not stop with the business that collects or receives consumer information; it requires all entities that use a common brand or service mark and that control, or are controlled by, a business, to comply with the statute as well. The statute defines “control” in terms of ownership, the ability to select directors, or “the power to exercise a controlling influence over the management of a company.” There is no specific guidance, however, on what it means to exercise controlling influence over management in this context. Thus, there is no clear answer as to whether the mere award of a franchise by a California franchisor makes a franchisee operating outside of California subject to CCPA.
Another California privacy law, the California Financial Information Privacy Act, Cal. Fin. Code §§ 4050-4060 (“FIPA”), defines control as the power to exercise “a controlling influence over the management or policies of a company.” FIPA § 4052(g). That same regulation explicitly provides that franchisors are deemed affiliates—i.e., in control—of franchisees. FIPA § 4052(d). Unlike the FIPA, the CCPA does not refer explicitly to franchise parties. The CCPA explicitly refers to the FIPA—information protected by the FIPA is exempt from the CCPA’s requirements. This leaves an important question unanswered: does the FIPA’s explicit reference to franchisors as affiliated by control with franchisees also mean that franchisors control franchisees for purposes of the CCPA, which does not mention franchise parties?
If the CCPA is interpreted consistently with the FIPA, then entities that license brands could be deemed to control their licensees. Under this construct, a franchisor with no other ties to California would be required to comply with the CCPA solely because one or more of its franchisees is required to comply. Likewise, franchisees outside of California would be required to comply with the statute if their same-brand franchisor is subject to the statute, regardless of the franchisees’ location or the absence of any nexus to California. Such an interpretation would not extend the statute’s requirements from one franchisee to another franchisee of the same brand, however, because neither the FIPA nor the CCPA imputes compliance obligations to entities under common control. As such, a franchisee that is required to comply with the CCPA does not extend its CCPA compliance obligations to other franchisees of the same brand, since peer organizations do not control, and are not controlled by, each other.
This outcome may be what the California legislature intended, regardless of the CCPA’s relationship to the FIPA. The intent of these same-brand and controlling-influence provisions of the CCPA appears to be to provide a seamless experience for consumers who wish to exercise their CCPA rights and may not understand whether it is a franchisor or a franchisee that is handling their data. Arguably, the California legislature’s failure to make the “controlling” status of franchisors and franchisees explicit—as the FIPA does—may signify that “having a controlling influence over the management” of a franchisee should be decided on a case-by-case basis.
This interpretation would leave franchisors and brand licensors guessing as to how much control is enough to guarantee that the public will recognize a licensee’s business as an authorized source of the specific goods and services that the licensor permits to be associated with its brand, as required under federal law, and yet not so much as to impute the CCPA’s costly compliance obligations to all same-brand franchisees, including those that may have negligible amounts of actual data related to California residents.
Either way, the CCPA’s yoking together of licensors and licensees of a common brand will impale brand licensors on the horns of a dilemma. The specter of joint liability for franchisee data practices will force franchisors to promulgate compliance guidance for franchisees; but will such guidance be used to prove the very type of “controlling influence” that creates the liability? And why should entities that do no more than license a brand from a California-based licensor be saddled with out-sized compliance obligations to the detriment of their own business operations? Divorcing data compliance obligations from the actual context in which the data is collected and used is anathema to both privacy and franchise principles. As a result, the CCPA sets a trap for franchisors and franchisees, each of which may be unaware of, and have no contractual ability to influence, the data practices of the other.
If the CCPA applies to your business, it will impose significant compliance burdens. The CCPA requires businesses, upon receipt of a verifiable request, to provide the specific personal information the business has collected about the requestor over the previous 12 months. Compiling all data “capable of being associated with” a California resident or household—encompassing both online and offline sources—poses operational challenges, particularly in the case of unstructured data stores. The “verified request” requirement also presents unique challenges. Most businesses that engage with consumers do not have the ability to verify that a request relating to a previous transaction actually is from the consumer that conducted that transaction, and not an imposter.
California residents also have the right to request deletion of personal information collected from them, subject to broad exceptions, and may opt out of the sale of personal information to third parties. This opt-out right, however, does not restrict the business’ own—or its service providers’—collection and use of personal information.
Taking the Rewards Out of Rewards Programs
The impact of some of the CCPA’s provisions may prove particularly onerous for consumer loyalty programs and other data-for-service offerings, including some ad-supported services. The statute prohibits businesses from using discounts, or offering differing quality of goods or services, to discriminate against a consumer based upon the exercise of rights under the CCPA—unless the price difference is “reasonably related to the value provided to the consumer by the consumer’s data.” As a result, loyalty program discounts that rely on the exchange of personal information between businesses must be able to calculate the value a consumer receives from participation in the program relative to the value of that consumer’s data, and must obtain the consumer’s express opt-in to the data sharing. The appropriate criteria for determining these “values” are unclear. Accordingly, the status of popular multi-channel loyalty and rewards programs is uncertain under the new law.
Private Cause of Action
While the majority of the CCPA provisions can be interpreted and enforced only by the California Attorney General, the statute provides consumers with a private right of action for unauthorized access to unencrypted personal information. The statute only requires a showing that the breach resulted from the business’s failure to maintain reasonable security practices and procedures. The CCPA does not explain what “reasonable” practices and procedures are, however. Litigants do not need to show actual damages or specific harm to recover statutory damages of up to $750 per consumer, per incident. This provision is widely viewed as an open invitation for class action suits in the wake of any data breach.
The Expanding Privacy Franchise
Multiple states across the country have jumped into the privacy legislation arena with gusto. Washington state has proposed a law modeled more closely on GDPR than California’s CCPA, and without the problematic provisions related to shared service marks and rewards programs. Other states, however, including Hawaii, New York, North Dakota, New Mexico, Maryland, Oregon and Massachusetts, are considering laws similar to the CCPA. New Hampshire’s version even goes so far as to impose criminal penalties for violations. This flurry of activity at the state level also has prompted loud calls for the U.S. Congress to enact a federal privacy law that would pre-empt the states and ensure a level playing field. To date, however, the only agreement to emerge from Washington D.C. is consensus that any effort to pass a federal bill that satisfies both businesses and privacy advocates will face an uphill battle.
Tips for Building Your Privacy Compliance Resilience
As long as consumers continue to value innovation and convenience, business need for data-driven technology will continue to expand. Likewise, legislatures and regulators will strive to keep pace with new technologies and dynamic threats to data. Your privacy program, however, need not remain in constant flux. Here are some strategic steps your business can implement now to stay in step with the new privacy “normal”:
1. Know what you have.
The path to privacy missteps often begins with a well-meaning but mistaken statement that “we don’t really collect any consumer information.” The CCPA imposes the broadest definition of personal information in any privacy law to date. Businesses should carefully examine all types of information collected—online and offline—to determine if it is “capable of being associated” with an individual or household. For example, a device identifier or a merchant-generated customer identification tag may not be readily linked to a consumer, but both are capable of being associated with an individual, and thus are protected Personal Information under the CCPA.
2. Know what you do.
Achieving compliance with GDPR and the CCPA begins by creating an accurate record of how and where your organization processes (i.e., collects, uses, discloses, stores, de-identifies, and destroys) the personal information it receives. Simply put, it is not possible to create the accurate disclosures required by CCPA and other proposed statutes, find personal information within your systems to delete it in response to a consumer’s exercise of their deletion right, or know what personal information is subject to consumers’ opt-out rights without an accurate conceptual map of how and where consumer data is collected, used, stored, and disclosed in your organization.
3. Develop robust consumer response protocols.
The CCPA and GDPR (as well as most of the myriad proposed laws being discussed) require organizations to give consumers a copy of their personal information, and delete personal information within their systems associated with the consumer, upon the consumer’s verified request. The CCPA’s deletion requirement is subject to multiple broad exceptions, but the concept that consumers should be able to “be forgotten” has taken hold in the U.S. privacy debate. A strategic privacy compliance approach will include careful analysis of what information must be maintained, and for what legitimate business reason, in the face of a consumer request to delete. In addition, businesses should establish search and identification methods that will allow them to collate information collected across channels and securely present that information upon request.
4. Know who does what.
The CCPA allows consumers to prevent a business from disclosing any of their personal information to any third party from which the business receives monetary or other consideration, regardless of whether the personal information was obtained with consent, unless an exception applies. Once a consumer opts out in this way, businesses are prohibited from soliciting that consumer to opt back in for 12 months. This provision highlights the particular challenges for franchise or licensing arrangements if the CCPA is interpreted to yoke franchisees and franchisors together. An opt-out, access, or deletion request received by a franchisee would be imputed to the franchisor, and vice versa.
5. Fully document and test your data security.
With the specter of class actions now looming over every kind of data breach, it is critical that businesses be able to demonstrate affirmatively their implementation of “reasonable information security” programs. At a minimum, businesses should review and update their written information security plan, enterprise incident response plan, and business continuity and disaster recovery plan. Regular risk assessments with remediation plans, and tabletop exercises involving senior leadership, will be key to demonstrating reasonable security in defense of litigation or enforcement actions.
A Final Note
The most important thing any business can do to develop a strategic privacy compliance posture is: START NOW. GDPR and the CCPA are the beginning, not the end, of the legislative drive toward consumer privacy “control.” The new normal is here now, and the CCPA’s January 2020 compliance date is only months away. Smart businesses should begin developing their compliance programs without delay.