View Page As PDF
Share Button
Tweet Button

Co-authored by ctito


On April 7, 2014, the District Court in New Jersey allowed the FTC to proceed with its suit against a franchisor hotel chain alleging unfair and deceptive trade practices in connection with the Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.  While the case is far from over, it has far reaching implications for franchisors and franchisees relating to independence between franchisor and franchisee, liability for one another’s actions and data security issues. This is part one of a three-part series touching on these issues – next will be implementing a data breach plan and the third will address vicarious liability.


The Court ignored the traditional franchisor/franchisee relationship in the context of a motion to dismiss the complaint (which addresses the sufficiency of the allegations in the complaint and not the substantive legal issues) and found that the FTC has the authority to regulate a franchisor’s failure to maintain reasonable and appropriate data security; the FTC adequately pled “substantial injury to consumers” requirement; and the FTC pled deceptive practices. 


Of utmost interest to both the franchisor and franchisee, is the discussion in the opinion regarding the FTC’s deception claim.  The franchisor argued that the branded franchisee hotels are separate legal entities, that each franchisee maintains its own computer networks, and that each has its own data-collection practices.  The franchisor also argued that the privacy policy of the franchisor specifically excluded the franchisees and that this exclusion was consistent with traditional franchise law.  The FTC argued that the franchisor was responsible for the data-security failures and accordingly, it did not need to plead actual control over the franchisees’ activities. 


Relying on the allegations in the complaint, the Court found that the representations on the franchisor’s website – that the franchisor safeguarded the customers’ personal data, along with the control mechanisms of the franchise agreements themselves – indicated that the suit was viable. Finally, the Court held that a reasonable consumer would have understood the privacy policy applied to both the franchisor outlets and franchisee branded hotels.


The suit could have far reaching implications as to the traditional independence between franchisor and franchisee not only in terms of data protection but labor and employment or other areas of the law.