The collection of “consumer personal data” is Big business. It is estimated to be more than a $200 billion industry. Over the past decade, companies have increasingly turned to the collection of consumer personal data to help them better understand and adapt to the habits, preferences, and needs of consumers, engage in targeted marketing, and gain insight into the broader marketplace—that is, to better compete. Some businesses have also quietly used the sale of their consumers’ personal data to third parties as an additional source of revenue.
Spurring this boom in personal data collection was the world’s acceleration into the Digital Age and consumers’ increasing adoption of e-commerce. Digital technology has made the collection of data not only easier and transformative for businesses, but also more opaque and worrisome for consumers. One author succinctly explained the ubiquity of data collection as “Swipe your MasterCard, and MasterCard has data on you. Place an order on the McDonald’s app, and McDonald’s has data on you. Stream on Disney+, and Disney has data on you.”
Around 2016, the risks associated with the massive collection of consumer data appeared to reach the mainstream, as reports of large-scale consumer-data breaches and other high-profile incidents of misuse (e.g., Cambridge Analytica’s harvesting of the personal data of Facebook users during the 2016 U.S. presidential elections) seemingly became more and more frequent. Consumers and government officials finally began to take notice of (or perhaps just fully appreciated) the magnitude of the industry surrounding the unfettered collection and monetization of consumer personal data. This late realization has resulted in various state, federal, and foreign governments playing catchup and adopting an ever-growing patchwork of data privacy laws and regulations, such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as recently amended by the California Privacy Rights Act (CPRA), Illinois’s Biometric Information Privacy Act (BIPA), and the Virginia Consumer Data Protection Act (VDCPA), all aimed at giving consumers more control over their data.
These data privacy laws and regulations also apply to franchisors and franchisees. Hence it is imperative that franchisors and franchisees be acutely aware of what, if any, consumer data they are collecting; how it is being collected, stored, and used; and the risks associated with such collection practices in terms of compliance with data privacy laws and meeting consumer expectations. Franchisors also must be mindful of the risks of vicarious liability for data breaches downstream and should carefully consider not only their respective security measures, but also those of their franchisees.
In Part II, this paper will identify and explain the common ways in which franchise and other businesses knowingly or unknowingly collect data from consumers. Part III will address the spate of recent jurisprudence involving challenges and investigations into the consumer data collection practices by both online and brick-and-mortar businesses under the new data privacy laws. Finally, Part IV will discuss strategies and best practices to minimize the risk to franchise businesses posed by the collection of consumer data.
II. Data Collection Practices Commonly Used by Franchise Businesses
“Consumer personal data” generally refers to nonpublic, personal identifying information (PII)—such as birth date, social security number, income level, purchase history, and biometric information—that permits the identity of an individual to whom the information applies to be reasonably discovered. As discussed below, businesses commonly collect consumer personal data by (1) direct solicitations; (2) tracking customers via electronic means; and/or (3) purchasing from third-party data collectors or brokers.
A. Direct Solicitations
Loyalty or rewards programs are one of the most common tools that franchise retailers and service providers use to collect first-party consumer personal data. Although they can be packaged and presented in a number of different ways, these programs all essentially operate in the same fashion. Businesses offer customers rewards, discounts, and other promotional deals on products or services that their customers are likely interested in buying, as an incentive for those customers to become or remain patrons, and/or increase their spending with the sponsoring business. In exchange, the customers—wittingly or unwittingly—agree to give the sponsoring business access to their personal data, such as name, birthday, driver’s license, email address, home address, social security number, location, and shopping history.
Take, for example, the Verizon Up rewards program, which was introduced in 2017. In that program, Verizon offers its subscribers certain device upgrades, gift cards, credits, and other promotional deals for presale tickets for concerts, sporting events, and movie premieres. To be eligible for the rewards program, customers initially had to enroll in Verizon Selects (a targeted advertising program) and agree that Verizon could access their web-browsing history, app usage, location data, and other information to create “specific insights” into the participating customers. The program
that began as an “opt-in” program (i.e., one where a consumer must take an affirmative step to agree to participate) was subsequently converted into an “opt-out” program.
Pizza Hut, similarly, introduced its Hut Rewards® loyalty program in 2017, an “opt-in” program that offers customers the chance to earn points redeemable for free pizzas and other discounted items, early access to new products, and birthday rewards. Like the Verizon Up program, participants in the Hut Rewards program agree that Pizza Hut can collect an array of personal information about them, including personal profile, payment card information, location and movement data, address book information, and analytics data. Pizza Hut then uses that information to create a more detailed profile, and may share, sell, or disclose such personal data to third parties for marketing and analytics purposes. Many other well-known franchise brands, such as Subway, Marriott, and Burger King, have similarly structured rewards programs.
Consumer feedback, surveys, and interactive social media are other methods of direct solicitation that franchise retailers and service providers use to collect consumer personal data. Unlike the personal and engagement data collected through a loyalty or rewards program though, surveys and feedback responses and social media interactions provide qualitative or attitudinal data (i.e., consumers’ opinions, interests, preferences, likes or dislikes, etc.). This data can help businesses understand their customers’ motivations, needs, decision-making, and preferences. Combined with personal and engagement data, attitudinal data can provide a fuller customer profile.
B. Electronic Tracking
Marketing cookies can accumulate significant amounts of basic and engagement data—enough to identify an individual consumer. This circumstance recently led to concerns and push back on the widespread use of this form of tracking. Indeed, the passage of the GDPR and other data privacy laws have forced companies to clean up and modernize their websites to, inter alia: (1) solicit users’ consent before using any cookies other than strictly necessary cookies; (2) provide accurate and specific information—in plain language—about the data each cookie collects and its purpose; (3) allow users to access the website even if they refuse consent to use certain cookies; and (4) make it as easy for users to withdraw their consent as it was for them to give it in the first place. These compulsory changes have led companies to phase out and replace third-party cookies with their own first-party marketing cookies and other strategies to capture the same valuable data. The potential hazards of this new model are discussed later in Section III.
Mobile devices and mobile applications (apps) have become an inescapable part of consumers’ daily lives and present a potentially rich source of consumer personal data. Like online cookies, mobile devices and apps can collect basic consumer data and track website visits and search topics.
However, mobile devices and apps (and associated default permissions) can also collect data beyond the reach of online cookies, including tracking consumers’ exact physical locations, logging their phone calls, monitoring their app interactions or usage, and accessing their devices’ photos, contacts, and even strokes and taps on their keyboards.
The Verizon Selects program further illustrates how some companies use mobile tracking. As discussed earlier, Verizon originally required its subscribers to opt-in to Verizon Selects and agree to comprehensive data collection to participate in its rewards program. But, in January 2022, Verizon replaced and rebranded Verizon Selects as the “Custom Experience” and “Custom Experience Plus” programs. No longer tied to the rewards program, Verizon now automatically enrolls all of its wireless subscribers in the baseline Custom Experience program, which allows Verizon to collect
In June 2020, it was reported that coffeehouse and restaurant chain, Tim Hortons, had been tracking the movements of a significant number of Canadians through its mobile ordering app. The reporter discovered that the company had recorded his longitude and latitude coordinates more than 2,700 times in fewer than five months, even when the reporter was not using the app. Tim Hortons explained that users consented to this kind of tracking by giving the app access to the GPS on their phones. That disclosure led to a government investigation into the data collection practices of Tim Hortons and its parent company, as well as a Canadian class action lawsuit that is discussed later in Section III.
Apple, as part of the release of the iOS 14 iPhone operating system, presented its users with the option to control when apps, such as the Tim Hortons app, could detect their precise locations. Specifically, the iOS 14 update allowed app users to disable the location settings or limit those settings to be accessible only when using certain apps. The (perhaps intended) drawback to disabling the location settings though is that it can affect the functionality of certain apps, especially those that rely on geographic data for food or merchandise delivery. So while the utility of capturing location information data may be obvious, as a practical matter, the only companies that might ever be in a position to gather it are wireless providers and those businesses whose models require (or could benefit from) a mobile app.
Unlike mobile apps, point-of-sale (POS) systems are essential for all franchise businesses, helping them to accept customer payments and track sales. Modern POS systems are digital and, thus, have capabilities far beyond the simple cash register functions of the past. It is no surprise then that businesses and POS software providers can and often use the new digital systems to collect and store basic consumer personal data (e.g., name, location, email address, and payment information) and behavioral data (e.g., customer purchase habits and preferences), and create customer profiles. It should also be no surprise that the data collected by POS systems sometimes gets shared externally with third parties.
Finally, biometric data collection has become an increasingly common part of many companies’ employee management and security protocols, due to the advancements in camera and audio scanner technologies and the uniqueness of “biometric identifiers,” which are more reliable than, for example, passwords or PINs. Businesses have begun to adapt biometric technology to electronically track consumers, and create personalized online and in-store shopping experiences for them.
C. Purchasing From Third-Party Data Brokers
Data collectors or brokers build comprehensive consumer data pools by collecting and/or purchasing consumer information from various sources, both online and offline, including public records, cookies and other electronic tracking, social media, loyalty programs, and retailers, and then sorting that data into various categories and consumer profiles (e.g., sports-interested, fashion-interested, males 25–54) using complex algorithms. Businesses can then buy access to these consumer profiles and aggregated data to help with targeted marketing to their own customers and new customers.
III. “Collector Beware”—Recent Lawsuits Challenging Consumer Personal Data Collection Practices
As noted earlier, there has been a clear push during the past six years to regulate the data collection industry more tightly and to give consumers more notice and control over how their personal data is collected, stored, and used. At least nineteen states to date have introduced and/or passed comprehensive consumer data privacy legislation, each with differing levels of consumer rights and business obligations. And nearly half of those state laws provide consumers with a private cause of action of some form to seek civil damages against businesses.
For example, the CPRA requires affected businesses to disclose to consumers whether those businesses are collecting personal information (including, for example, Social Security numbers, credit card numbers, email addresses, and passwords), the type of information collected, and to provide consumers from whom they collect information the right to refuse the sale of their personal information. The VDCPA similarly requires Virginia businesses to afford consumers the right to access their personal data, the right to demand that businesses delete their personal data, and the right to opt-out of the sale of their personal data. The Illinois BIPA, requires businesses to inform consumers that they are collecting biometric information, the specific purpose for and the expected duration of the collection and storage of such information, and to obtain their consumers’ informed written consent to such collection.
The spotlight on consumer personal data collection practices in light of data breaches, as well as the consuming public’s desire to (re)gain more control over their data and the introduction of laws to better protect data privacy, has predictably resulted in the growing number of class action lawsuits and government investigations seeking to test the viability and application of state and federal privacy laws to various data collection practices. Several recent cases/investigations illustrate the foregoing trend.
In July 2020, a putative class action lawsuit was brought against Sephora USA, Inc. (Sephora) and The Retail Equation, Inc. (TRE) for violation of, inter alia, California’s right to privacy and unfair competition law and the Fair Credit Reporting Act (FCRA), based on Sephora’s collection and unauthorized sharing of consumer personal data with TRE. The plaintiff alleged that TRE processes the shared data to generate a consumer report and “risk score” for each of Sephora’s consumers—those scores are then used to advise Sephora if an attempted product return or exchange may be fraudulent or abusive, in which case Sephora denies the return or exchange, even if valid under the store’s return policy. The suit was later expanded to name The Gap, Inc. and several other retailers as additional defendants, and assert a claim for violation of the CCPA for the failure of the retail defendants to disclose the data collection practice and use reasonable means to protect the
shared data. This case currently remains pending as to the plaintiffs’ claims for invasion of privacy and unlawful business practices under California law.
The Illinois Supreme Court recently issued two notable decisions related to the scope of BIPA. In Tims v. Black Horse Carriers, Inc., the court held that claims alleging violations of BIPA are subject to Illinois’s five-year catchall statute of limitations, rather than the one-year statute of limitations applicable to actions for publication of matter violating the right of privacy, because having two limitations period for different subsections of section 15 of the Act “would create an unclear, inconvenient, inconsistent and potentially unworkable regime” and shortening the time for lawsuits would thwart the Illinois legislature’s intent to manage the risks to the public surrounding disclosure of highly sensitive biometric information. Then, just over two weeks later, the court held in Cothron v. White Castle System, Inc., that a claim accrues each time that a business scans or transmits a person’s biometric identifier or information without first providing notice and receiving consent under the plain language of sections 15(b) and (d) of BIPA. While these cases involved the privacy rights of employees, there is no reason to believe that courts will treat consumer claims differently. Thus, these decisions are relevant to and will have far-reaching impacts for privacy consumer class actions.
In June 2022, the Office of the Privacy Commissioner of Canada (OPC) released findings from a joint investigation that had been launched by Canadian federal and provincial privacy authorities into the data collection practices of the Canadian operator and franchisor of Tim Hortons, The TDL Group Corp., and its parent company Restaurant Brands International, Inc. (RBI), through the Tim Hortons mobile app discussed above. The investigation found that Tim Hortons, with the assistance of a U.S.-based third party service provider, violated users’ privacy by tracking and collecting their
location data to conduct analytics on user trends, rather than for the stated purpose of delivering targeted advertising and better promoting its coffee and associated products. The investigation further found that Tim Hortons failed to properly disclose the scope of the data being collected to app users, actively mislead app users as to the app’s actual operation, and failed to ensure robust protections were in place to protect users’ personal information. Tim Hortons agreed to permanently cease collecting location data, delete previously collected data, and establish a privacy management program with respect to its apps. Tim Hortons also agreed to a settlement with consumers that drew both praise and heavy criticism from the public at large. An email sent to Tim Hortons’ app users recently advised those users that they would receive two credits/offers—one free hot beverage, and one free baked good. The offer was open only to eligible members of the class, with the credit deposited into their accounts on the Tim Hortons app.
In November 2022, the U.S. District Court for the Northern District of Texas preliminarily approved a $2.35 million settlement to a class of plaintiffs who used the POS systems at Dickey’s Barbecue Restaurants in Texas between April 23, 2019, and October 19, 2020.73 Dickey’s Barbecue Pit, based in Dallas, Texas, has over 450 locations in the United States. During the relevant time period, the plaintiffs alleged that unauthorized actors gained access to the Dickey’s POS system and obtained customer credit and debit card information, expiration dates, and cardholder names for hundreds of thousands of Dickey’s consumers, information that was then advertised for sale on the Dark Web. The plaintiffs asserted claims for negligence, breach of an implied contract, and violation of the CCPA, and sought class certification for a nationwide class as well as California and Florida subclasses. Although it did not reach the merits of the claims, the court found that the putative class members sufficiently alleged Article III standing on the basis of the breach of an implied contract. The court held a final fairness hearing in June 2023 and approved the settlement after determining that the settlement was fair, reasonable, and adequate.
On January 26, 2023, the OPC issued its findings from a recent investigation into the data collection practices of Home Depot of Canada Inc., which the OPC found to have violated Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires consumers’ knowledge and consent for the collection, use, and disclosure of personal information, except when appropriate. The OPC found that Home Depot shared consumers’ personal information, without their knowledge or consent, with Meta, which owns and operates Facebook, when customers
elected to receive an e-receipt. The OPC further found that Meta used the data to verify if a customer had a Facebook account, compare costumers’ in-store purchases to Home Depot’s Facebook advertisements, and for its own business purposes unrelated to Home Depot. The OPC rejected Home Depot’s contention that it relied on implied consent, and the disclosures in its privacy statement and Facebook’s privacy statement, to justify the practice. Home Depot agreed to cease disclosing consumers’ personal information and to implement measures to obtain express, informed, opt-in consent to share data with Meta.
Finally, on January 27, 2023, the Office of the California Attorney General announced that it had begun a broad investigation into thousands of businesses with mobile apps that fail to comply with the CCPA. The investigation will focus on “popular apps in the retail, travel, and food service industries” that reportedly fail to comply with consumers’ (or their authorized agents’) opt-out requests and/or offer a mechanism for consumers to stop the sale of their personal data. This new mobile apps investigation follows a 2022 investigative sweep by the California Attorney General of businesses
operating loyalty programs in California that failed to comply with the CCPA, and signals a potential trend of annual compliance investigations.
The bottom line for franchise businesses that collect and store consumer personal data is that they are increasingly vulnerable, across jurisdictions in the United States and Canada, to lawsuits and regulatory investigations if they fail to monitor and bring their collection practices into compliance with the data privacy laws that govern the jurisdiction(s) in which the businesses operate.
IV. Strategies for Avoiding the Typical Risks and Pitfalls of Consumer Personal Data Collection Practices
“‘The collection and use of consumer data has become so integral to business operations that it is hard to imagine companies will pull back unless forced to do so . . . .’” Consumers remain willing to share personal data with companies, so long as the collected data is limited and necessary for the specific interaction, and they trust the companies to handle their data and protect their privacy. There are a number of key strategies franchisees and franchisors can and should immediately do to navigate the risks and pitfalls of consumer personal data collection.
First, franchisors and franchisees should each conduct a full assessment of their data collection requirements and/or practices—that is, confirm the type of consumer personal data they do and do not collect, and why, where, and how that data is being collected, stored, and used. Business leaders cannot develop data-driven marketing strategies or manage corporate risks until they understand what data their companies are actually collecting and why. Indeed, consumer-personal-data collection is particularly risky in the franchise model, because it can involve multiple collection points as well as custodians in the process. For instance, poor handling and/or unsafe collection practices at the franchisee level can expose the franchisor to liability upstream, just as poor website and corporate security measures at the franchisor level can expose franchisees to liability downstream. Hence franchise businesses should take steps to put an immediate end to the collection
of data that they do not need, and to expunge data already collected but not being used (and that will likely not be used in the future), to mitigate the attendant legal risks of collecting and storing such data, making sure, of course, to comply with any state laws or regulations that apply to data retention and disposal.
Second, after determining what data is being collected and will continue to be collected, franchisors and franchisees should each conduct an assessment of their data management operations. In that regard, leaders need to ask: (1) what security protocols are in place relating to the storage and sharing of collected data; (2) who has access to each category of collected data (including any persons outside the organization), and is such access necessary?; and, (3) is the existing infrastructure sufficient to protect the collected data?
Third, franchisors and franchisees should review and determine if their privacy policies are up-to-date and provide clear notice of what and how data is being collected, stored, and used (including if it is shared) and the company’s retention policies. As part of the foregoing, franchise entities should ensure they are obtaining informed, written consent from consumers with respect to the data collection practices. Notice and consent is key in virtually all new or pending data privacy legislation. Each of the cases and investigations discussed earlier in Section III likely could have been avoided with more adequate disclosures and obtaining informed consent from consumers. For example, in the case of Home Depot, a simple “opt-in” provision that explained what data the company collected and how and with whom such data would be shared, collection would have been more compelling than its reliance on “implied consent” from consumers who did not read the buried-in-paper terms printed in the company’s online privacy policies. Similarly, with better and clearer disclosures to consumers about the data that it collected, Tim Hortons and its parent could likely have avoided the OPC investigation and negative publicity arising from its collection practices, and the outcome of having to permanently stop tracking customers’ locations. In fact, surveys have shown that consumers want more transparency, and would be more willing to share their data if they knew exactly how it would be used and by whom.
Fourth, franchisors and franchisees should implement into the agreements between them the mandatory upstream and downstream reporting provisions for data breaches or other data security incidents (e.g., establishing the required timeframe and manner in which the notice must be provided), and mandatory cooperation and breach response provisions regarding, among other things, who controls the response to the breach, and who controls the narrative as to public disclosure.
Fifth, franchisors and franchisees should review their insurance coverage to determine if they have protection for cyber-related and data privacy risks, including data breaches and other data security incidents. Along those lines, franchisors and franchisees should discuss to what extent the other can and should be included as an additional named insured under the relevant policy. Insurance coverage is always a last resort, however, and should never be used as a substitute for sound and reasonable data collection, storage, and retention practices.
There is no question that the ability to collect consumer personal data to better understand customer behavior has immense value to businesses. But, again, there is a clear push toward regulating consumer personal-data-collection practices, and giving consumers more legal recourse against businesses that engage in such practices without providing full disclosures of same. So it is essential—from both a legal risk perspective and a business opportunity perspective—that franchisors and franchisees take steps now to carefully review their data collection practices and policies, tailor those practices and policies (as necessary) to conform with their actual business needs and the applicable laws of the jurisdiction(s) in which they operate, and to ensure their consumers are fully informed of their collection practices and have consented to (or have the ability to opt-out of) these practices.
©2023. Published in the Franchise Law Journal, Vol. 42, No. 4, Fall 2023, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.