U.S. State Consumer Privacy Law Considerations for Franchise-Based Businesses, QSR Magazine
In 2018, California passed the nation’s first state comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA). Since then, 19 states have followed suit. The laws vary by state, creating a complex landscape for companies that do business in multiple states. At their core, however, the laws follow similar frameworks, granting rights to consumers with respect to their personal data and creating a number of compliance obligations for covered businesses related to transparency, vendor contracting, governance and accountability.
The laws contain differing applicability thresholds and triggers. Most of the laws’ obligations apply to “controllers” (entities that determine why and how personal data is processed) as opposed to “processors” (entities that process personal data solely on a controller’s behalf).
What the laws do not do, however, is set forth a clear framework for how franchise-based businesses should address compliance. Below are some practical considerations for franchise-based businesses with respect to the panoply of state consumer privacy laws.
Do the State Privacy Laws Apply to Franchisees?
Most of the state consumer privacy laws apply at an “entity” level. An entity generally is not subject to these laws solely by virtue of its affiliation with a covered business. Thus, a franchisee would not become subject to a law solely because its franchisor is subject to the law; rather, as a distinct legal entity the franchisee needs to determine whether it independently meets each state law’s applicability thresholds.
The one exception is the CCPA. The CCPA applies to a for-profit entity that (1) does business in California, (2) collects California residents’ personal data, (3) acts as a controller when processing such data, and (4) satisfies certain thresholds (e.g., having annual gross revenues in excess of $26,625,000). To the extent a business meets these thresholds, we refer to it as a “primary business.”
The CCPA also defines “business” to include what we call “secondary businesses,” each of which is an entity (1) that “controls” or is “controlled” by a primary business, (2) that shares “common branding” (i.e., a shared name, servicemark or trademark) with the primary business, and (3) with whom the primary business shares consumers’ personal data. Secondary businesses are treated as part of the same “business” as the primary business for purposes of the CCPA.
Thus, if a franchisor qualifies as a “primary business,” and a franchisee qualifies as a “secondary business,” both entities would need to comply with the CCPA.
The key question for a franchise-based business is whether the franchisor “controls” the franchisee. The CCPA defines “control” to mean “ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.” Many franchise-based businesses will not meet this definition of control, but this determination will need to be made on a case-by-case basis.
Practical Considerations
As discussed above, with the exception of the CCPA, franchisees should determine whether they are individually subject to each state privacy law (independent of their affiliation with a franchisor). Under the CCPA, franchisees also should consider whether they could be brought within the scope of the law as a “secondary business” by virtue of their affiliation with the franchisor.
Even if a franchisor and franchisee are independently responsible for compliance with the state consumer privacy laws, consider whether the franchisor has access to personal data collected by franchisees (e.g., through shared systems). In that case, the parties should each understand the role they play with respect to such data (controller or processor) as this will impact their compliance obligations. If the franchisor is processing that data as a processor, for example, although it would be subject to limited compliance requirements, it also would be limited to processing the data solely on the franchisee’s behalf and would generally be restricted from processing the data for its own purposes.
If the franchisor acts as a controller, it would be permitted to process the data for its own purposes but also would be fully responsible for complying with applicable privacy laws, even if it did not collect that data directly from the consumer. Also, if both parties are controllers, they should consider whether their sharing of personal data could be deemed a “sale,” as some states define the term broadly to include disclosures for any “valuable consideration.” If the sharing is a sale, consumers would have a right to opt out of such sharing, which could have significant business implications.
In addition, many consumers will ultimately see a franchisor and franchisee as the same business, so franchisors should consider the reputational risks of a franchisee not complying with a state consumer privacy law. Franchisors should thus consider educating franchisees about potentially applicable state consumer privacy laws and facilitating their compliance with relevant laws through standardized compliance mechanisms (e.g., template privacy notices).
Originally published on September 18, 2025, online with QSR Magazine. Reprinted with permission. Further duplication without permission is prohibited. All rights reserved.