Privacy Law Updates: What Franchisors and Franchisees Should Tackle Now

Recent reforms to the Privacy Act 1988 (Cth) in Australia introduce significant changes aimed at enhancing individual privacy rights and increasing regulatory powers, with key amendments taking effect from June 10, 2025. We’re already seeing the Office of the Australian Information Commissioner (OAIC) take a tougher stance on accountability and transparency in data handling. For franchising networks, this raises some specific legal and operational challenges that are often overlooked.

 

The franchising privacy blind spot

One of the most common mistakes we see in the franchising sector is the assumption that the franchisor’s privacy policy covers the entire network. Franchisees often believe they can rely on the head office’s privacy policy when collecting or using customer data, especially when customer interactions occur under a shared brand.

The reality? That’s rarely the case.

In many franchise systems:

  • The franchisor is the data controller for some activities (e.g. loyalty programs, national marketing) and owns and controls the customer database; but
  • the franchisee operates as a separate legal entity, collecting and managing customer data independently for bookings, enquiries, or local promotions.

If the franchisor’s privacy policy doesn’t explicitly state that it applies to franchisees – and explain how information is shared across the network – it may not meet legal requirements for proper notice or consent.

Common issues we see in franchise privacy compliance

  • Privacy policies don’t mention franchisees: Many franchisors use generic privacy templates that don’t explain the structure of the business or the independent role of franchisees in data handling. Customers are often unaware that their data may be held or used by multiple legal entities.
  • No clear disclosure of third-party data sharing: Data collected by a franchisee (e.g. through a website enquiry or booking) may be shared with the franchisor or other franchisees for operational reasons. But unless this is clearly disclosed and justified, it may breach the Australian Privacy Principles (APPs), especially APP 6 (use and disclosure) and APP 5 (notification).
  • Inconsistent or missing consents: Consent for marketing or data sharing is often collected inconsistently, especially if franchisees run their own systems or use third-party booking platforms. This can leave the entire network exposed to compliance risk if a customer complains or opts out.
  • Overreliance on website disclaimers: Simply including a privacy policy link in the footer of a website isn’t enough. Privacy notices need to be timely, specific and clearly visible at the point of data collection—whether that’s a form, a POS system, or an app.
  • Franchisees don’t understand their obligations: Privacy law is an important matter for all small businesses, be they franchised or not. But in franchise systems, franchisees often assume the franchisor ‘has it covered’, not realising their own legal obligations and vulnerabilities.

We often recommend a specific chapter on privacy law be included in the operations manuals. 

 

What’s changing under the Privacy Act reforms?

While the current Privacy Act already requires clear notice, lawful data handling, and individual rights (such as access and correction), the proposed reforms will introduce:

  • Stronger consent requirements
  • More detailed transparency obligations about profiling, data sharing and cross-border disclosures
  • Higher penalties for serious or repeated breaches (up to $50 million)
  • A direct right of action for individuals and a statutory tort of privacy

These changes will raise the bar for every business, but especially for franchise networks where data responsibility is shared across multiple parties.

 

What Should Franchisors Do? 

With the tightening of laws, now is the perfect time for franchisors to audit their compliance with privacy laws. As franchise legal experts, we work with our franchisor clients to draft network-applicable policies and manual chapters that promote compliance. And with penalties of up to $50 million on the line (as well as the potential bad publicity that comes with legal issues), we think the investment in firming up your franchise response is well worth the effort!

What Should Franchisees Do?

If you’re a franchisee and handle or collect personal information, don’t assume the franchisor’s policy applies to you. Understand your own obligations and, if necessary, prepare your own policy.

Disclaimer: This article contains general information only and does not constitute legal advice. Magnolia Legal disclaims any liability arising from reliance on this article. Our terms of use apply.