On June 28, 2018, California’s Governor Brown signed the California Consumer Privacy Act of 2018 (now known as the CCPA) into law. The CCPA grants “consumers” new rights with respect to the use and collection of their personal information.[i] The bill goes into effect on January 1, 2020. It rewrites the rules of the road for the operations of many businesses that have any California employees, customers, or operations. Risks of non-compliance include liability for statutory damages, actual damages, punitive damages or enforcement actions brought by the California State Attorney General. The California plaintiffs’ bar is gearing up to bring lawsuits for noncompliance.
All franchisors, including out of state franchisors that do not have significant California operations, need to consider their compliance plan. Under the CCPA, “consumers” will have the “right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer,” “the right to request deletion of personal information [collected by the business]” and a private right of action in connection with data breaches.[ii] The CCPA broadly defines “consumer” as any “natural person who is a California resident. . . .” Cal. Civ. Code § 1798.140(g). This means that the law will not just apply to customers, but to all individuals in California who provide “personal information” to a business covered by the act, including employees or potential customers. Businesses are covered by the act if they meet any of the following conditions: (1) Has annual gross revenues in excess of $25,000,000; (2) Derives 50 percent or more of its annual revenues from selling consumers’ personal information; or (3) “[A]lone or in combination” annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. Code. § 1798.140(c)(1). Although the 50,000 transaction threshold seems high, the reality is that any franchised brand with a website may be a covered business under the CCPA if, in the aggregate, it buys, sells, receives or shares 50,000 pieces of “personal information,” as that phrase is used by the act. Significantly for the franchise industry, the CCPA also contains a provision saying that an entity is covered if it “control[s] or [is] controlled” by a covered business and has “common branding” with that business. Cal. Civ. Code. § 1798.140(c)(2). The definition of “control” is vague and includes the phrase “a controlling influence over the management of a company” opening the door to a potential—but misguided—argument that the CCPA is meant to cover an entire franchise system if either the franchisor or franchisee meets the definition of a “business.”
Like the definition of “consumer,” the phrase “personal information” is expansive. The CCPA says “personal information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o). The law gives an extensive, and non-exclusive, list of examples such as: IP addresses, email addresses, account names, social security numbers, driver license number, bank account numbers, credit card numbers, records of personal property, biometric information, browsing history, search history, geolocation data, professional or employment-related information.
The extent of the impact of the act has yet to be measured, but there is no doubt that it imposes dramatic changes on numerous aspects of franchise relations, operations and practices. For example, the CCPA will regulate the relationships between many franchisors and some large franchisees and their California employees. For many franchisors that demand access to information in their franchisees’ point of sale systems, the CCPA will regulate the relationship between the franchisor and their franchisee’s customers. The CCPA will regulate nearly any franchisor that obtains information from a principal of a franchisee in California. Data breaches for franchised units in California are likely to lead to litigation exposure to the franchisor.
Franchised businesses—big and small, inside and outside of California—must immediately begin to assess their compliance with the act. Just to determine coverage of the act, they will need to measure the amount and types of personal information used, collected, bought or sold in their franchise system; how such data is collected, processed, transmitted, and stored; what it is used for; and with whom the data is shared (and for what purpose). They will also have to determine if they are “selling” data under the CCPA in light of the law’s statement that “making available” personal information for non-monetary “consideration” is considered a sale. Cal. Civ. Code § 1798.140(t). Then, if it is determined that the act applies, the business will have to decide how it will ensure that its customers, employees and potential customers will be given the rights guaranteed by the CCPA. While the law does not go into effect until 2020, time is short and preparations must begin now if they have not already started.
David Harford, an associate in the Santa Monica office of Bryan Cave Leighton Paisner LLP, contributed to this post.
[i] https://www.oag.ca.gov/privacy/ccpa
[ii] Legislative Counsel Digest, available at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375