Robert M. Langer

Practical Application of Consumer Privacy Laws to Franchised Businesses*

May 17, 2010 Published Work

This year brings the commencement or increase in enforcement of three major privacy initiatives. First, on March 1, 2010, Massachusetts began enforcement of its specific, and as many would claim, onerous privacy regulation. While only a Massachusetts state regulation, the implementing law states that its jurisdictional reach is to all businesses that possess personal information about a Massachusetts resident. Thus, although this jurisdictional claim has not been tested, many businesses have chosen to comply if there is any chance that they may be subjected to the law rather than deal with the possibility of litigation as a conseqeuence for failing to comply. The second privacy initiative set to be enforced is the FTC's Red Flags Rule. According to the FTC, the Red Flags Rule requires businesses that provide goods and services in exchange for deferred payment to adopt certain policies and procedures to detect, mitigate, and respond to instances of identity theft. Third, the credit card association standards, called the Payment Card Industry Data Security Standards or PCI DSS, which have existed for many years but received little enforcement, are thought to become a subject of increased attention. One commentator suggested that "[a]ny business in any industry that accepts, stores, manages, processes or transmits payment card information will be subject to intense scrutiny."1 More notably, as of January 1, 2010, compliance with PCI DSS for those subject to it became a legal obligation in Nevada. This article considers those three developments, and it offers a summary of the current status of state data breach notification laws.2

Why does any of this matter? Some franchisors who do not directly handle personal information (or who only deal with a very limited amount for a handful of direct employees) may perilously fail to consider the potential ramifications of mismanagement of personal information by a franchisee. For example, in September 2009, the United States District Court for the Eastern District of Louisiana denied a motion to dismiss a complaint against Jackson Hewitt Tax Services, Inc., and its franchisee, Crescent City Tax Services.3 The plaintiff, Vicki Pinero, alleged in the complaint that she had discovered that her tax information had been deposited in a dumpster by an employee of Crescent City. Pinero discovered the alleged dumping when a local news station contacted her to return the information to her. Jackson Hewitt, the franchisor, had no direct part in the alleged dumping of Pinero's personal data. The court permitted Pinero's claims against Jackson Hewitt, the franchisor, to survive nevertheless because "the franchise agreement show[ed] that Jackson Hewitt had control over Crescent City's general operating procedures."4 Pinero also alleged that she signed and relied on a privacy policy issued jointly by Jackson Hewitt and Crescent City.

*Our sincere appreciation to Sabrina Houlton of Wiggin and Dana for her invaluable assistance in the preparation of this paper.

1Gary Sturinsky, "2010 Compliance Challenges: Three More Areas That Matter," Corporate Compliance Insights, Mar. 4, 2010, available at

2This article does not cover recent developments in HIPAA, such as the implementation of HITECH. It also does not address international data privacy issues.

3Pinero v. Jackson Hewitt Serv. Inc., 638 F.Supp. 2d 632 (E.D. La. 2009).

4Id. at 638.