Data Privacy: Safety first in a time of increasing regulation

Operating a franchise brand in a privacy-first world is proving to be increasingly complex. Are you keeping up?

As franchise brands navigate potential privacy pitfalls amid new regulations, rising data security breaches, and growing distrust from tech-savvy consumers, the stakes to securely manage the data they collect and build trust with their customers have never been higher.

With no national data privacy law in place in the U.S., measures that limit the use of customer data continue to be patched together disparately state by state. Utah joins California, Virginia, and Colorado as the latest state to enact comprehensive consumer data protection laws, set to go into effect in 2023, with other states lining up to follow suit. Restrictions on international data further complicate compliance challenges.

It’s a busy time that will only get busier for franchise executives like Carissa De Santis, chief technology officer of Jamco Interests, as privacy laws continue to evolve. De Santis oversees enterprise-wide technology and digital efforts for the multi-concept group, whose brands include Friendly’s, Red Mango, Smoothie Factory, Souper Salad, Orange Leaf, and RedBrick Pizza.

“With all the constantly updated and new laws across the country, this is almost a full-time job,” says De Santis, who joined Jamco in December 2021. “You must staff internally or engage with a solid vendor partner to cover all the bases and manage state to state. This is not something you can tuck under the rug. It needs to be managed on an ongoing basis and be well-documented.”

With so many different state, national, and international regulations in place, privacy experts recommend building a data privacy and protection program around the commonalities of these regulations.

While there are nuances in every regulation—and a mind-numbing list of acronyms—the overall goal of most privacy laws is to provide consumers with broad protection and rights over the collection, use, processing, sharing, and sale of their personal information. Businesses that fail to comply face significant fines and penalties—as well as a public shaming and loss of business when there is a data breach.

Focus on the commonalities

Elizabeth Harding, a shareholder at Polsinelli and vice chair of the law firm’s technology transactions and data privacy practice, encourages franchise brands to understand their obligations to protect the data they’ve collected from their customers.

“It’s a progress, not perfection, situation,” she says. “Understand the key elements, hit those, and then chip away at the other areas.”

Depending on the size and international scope of your franchise, this might mean implementing a program that covers the most critical areas of the far-reaching European Union’s General Data Protection Regulation (GDPR ) and broadly complies with other regulations, such as the UK’s Privacy and Electronic Communications Regulations (PECR), significant for online and digital advertising purposes, notes Harding. 

U.S.-only franchise operators may want to establish a compliance checklist using California’s extensive consumer privacy laws—the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) to address a large part of the broader U.S. privacy compliance ecosystem.

“I look at the various privacy regulations as a bit like a Venn diagram, where the middle of that diagram includes the common compliance obligations that would form the key components of a compliance plan, with the ‘outlier’ items sitting outside of that middle area,” says Harding. 

Focusing on the common principles in the various laws instead of scrambling to keep up with the differences has been the favored approach at Fazoli’s, which has more than 215 restaurants in 28 states. 

“In an ideal world, the federal government would standardize regulations and avoid the patchwork of state laws that exists today and makes compliance significantly more challenging,” says Wayne Pederson, Fazoli’s vice president of information technology. “With our tech stack, we have made the decision to base our company policies on the most stringent laws in each of the states versus trying to maintain separate rules in each state.”

Practical advice

There is no one-size-fits-all solution to navigating data privacy through the intricate nature of a multi-layered franchise system. The scope of your business, IT infrastructure, marketing and data collections method, risk tolerance, and the structure of your relationship with your franchisees must all be considered when clearly defining compliance obligations, assessing exposure, and creating a privacy program to mitigate future risks. Every data privacy game plan starts with a digital audit. 

“I can’t stress enough the importance of data mapping to understand what data you have, where it is housed, what you do with it, and who has access to it,” says Harding. “Without this, it is really hard to meet the various other compliance obligations under these laws. Then hit the low-hanging fruit: privacy notices, incident response plans, and how to recognize and handle consumer requests.”

Franchise brands must provide clear and transparent notices of their privacy practices and plan for the worst, says De Santis, who previously led systemwide technology and digital efforts at Dickey’s Barbecue Pit and TGI Fridays. 

 “Ensure that your organization has a documented process for handling digital privacy and a response plan in the event of a breach,” she says. “This will allow you to respond quickly and begin the remediation process immediately should anything arise. It is unfortunate, but data breaches have become a common occurrence and, if it happens, you want to be prepared to respond.”

Jamco has had to review or amend “just about all the pieces of the game plan” as De Santis works to usher in an integrated, modern IT environment for Jamco’s portfolio of eight brands and more than 220 locations across the U.S. and internationally.

Along with new and revised internal, franchisee, and guest-facing processes and procedures, the company is implementing a franchise support and engagement platform to segment all the resources needed to ensure franchise partners have the information they need. Quarterly store visits and audits include checklist items on data privacy to confirm compliance, and additional language added to the franchise agreement. De Santis believes these key pieces will help ensure that the company provides the needed support as a franchisor and protects the brand on the liability front. 

“As the franchisor, we have a certain responsibility to educate and support our franchise community when it comes to topics like data privacy,” says De Santis. “Our franchise partners look to us to help provide guidelines, direction, best practices, and standards around the ever-changing data privacy regulations.”

Get your tech up to speed

Fazoli’s has implemented a mixture of policies and procedures over the past few years to streamline the company’s privacy compliance efforts. For example, facial recognition has been disabled on kiosks at every location, even though most states allow facial recognition without disclosure. Each restaurant in Fazoli’s system uses the same secure, “zero-trust” managed network, which allows the network administrator to modify or program any system changes when new rules or regulations arise. 

The brand’s software providers separate franchise and company data. Pederson says Fazoli’s leverages a network of third-party providers for everything from the back of the house to loyalty, and relies on those vendors to keep data segmented and secured appropriately.

“Having solid policies in place as to who can access, when they can access, and if data can be exported from systems is one of our day-to-day best practices,” says Pederson. “Limiting the overall access limits our potential exposure. In terms of a breach response, there must be a policy in place, a plan in place, and ideally a company on retainer to respond to the breach.”

Franchisors are grappling with a deluge of data that makes it tougher to track and protect. Adopting a “less is more” approach to using only the data required to support your company’s recruitment, marketing, and product development goals can help brands and franchisees gain more control and protection of their incoming data.

The silver lining

With more privacy changes in play, including the demise of third-party cookies and increased scrutiny over other digital tracking methods, the overall data privacy picture will continue to evolve—and so will the opportunities for data-driven franchise brands to develop a competitive edge by building a permission-based relationship with their increasingly privacy-savvy customers.

Studies show that when a customer clearly understands how their data is being used and has a voice in it, they are more likely to share their personal information. 

Investing in the right technologies and secure infrastructure is vital to delivering on the promise of this new data relationship. But a “strong trust-based relationship with customers may be the key to a sustainable, effective data strategy,” according to a McKinsey & Company report.

De Santis also envisions bigger-picture opportunities by aligning all players involved in customer data. “With all the various ordering platforms and third-party vendors, it is seldom the case that your individual organization houses the sole responsibility for all your customer data,” she says.

“The agreements include all sorts of legal language around data and policies, but what would really make a difference in our space would be having the operators and vendors aligned and using the same best practices and policies when it comes to the collective customer privacy data” she says. “An approach such as this would make data privacy even more transparent to the customers with an understanding that their data is safe.”

5 Ways To Protect Your Customer Data

With a flurry of data privacy regulations set to take effect in 2023 and more changes on the way, now is the time to make data protection a top priority.

There’s no simple way to guarantee compliance across the board, but franchise brands must keep up with the various laws and adapt as technology changes, says Amanda Witt, a partner at Atlanta-based Kilpatrick Townsend & Stockton.

Witt, who co-leads both the firm’s Cybersecurity, Privacy and Data Governance practice and the Technology, Privacy & Cybersecurity practice at the firm, outlines the following steps to help franchisors build a strategic privacy program to protect their brand and maintain consumer trust.

1) Take stock of your business. Evaluate your online and brick-and-mortar operations and data flows to determine the types of data you collect and what you do with it. The path to privacy usually begins with the well-meaning but mistaken statement, “We don’t collect consumer information,” says Witt. If you store, process, or transmit credit card information or ask customers to enter their name, address, or birthday, you are collecting personal information that is likely subject to one or more of your state’s privacy, biometric, or consumer protection laws. Credit card information must also comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards that have existed since 2004, to help ensure businesses securely store and transmit the payment card information of their customers.

2) Develop clear written consumer and breach notification policies and procedures. Most state privacy laws and the GDPR require businesses to have systems in place to respond to any consumer request to delete or de-identify their private or personal data. Invest in software or other technology that enables your brand to locate and recognize the data and take the steps required by law to store, delete or de-identify the information. 

3) Set up internal policies that enable compliance. Franchisees and their employees must know what they can and cannot do with customer information. Since most state privacy laws require consumers to opt in or out, employee training is a critical component of data privacy compliance. While franchisors may not want to provide the training directly for fear of joint employer liability, brands, at a minimum, should mandate that franchisees and their employees seek such training.

4) Maintain your technology and security systems. Franchise businesses must do more than just purchase and install technology and security systems to protect consumer data. These systems must be maintained and updated. Security and incident response plans, system backup protocols, and disaster recovery plans are standard and likely necessary to have in place to avoid liability or at least minimize risk and liability exposure. 

5) Update your franchise agreements and operations manual. If you haven’t already done so, your franchise agreement and operations manual should be updated to account for compliance with the various state privacy, biometric, and consumer response laws. Franchisors must decide their role in overseeing and enforcing franchisee compliance and may still be held liable for privacy breaches their franchisees commit. Formal privacy and data security policies that provide recommendations but otherwise expressly state the franchisor is “not responsible for the franchisee’s compliance” may minimize exposure. Investing in cybersecurity insurance and requiring franchisees to do the same is another way to reduce risk.