1. Scope
This Notice applies to Franchisees who are residents of the United States only.
Please note that this Notice does not apply to customers or employees of McDonald’s or employees of Franchisees. If you are a customer and wish to learn how we process our customers’ personal information, please review McDonald's US Customer Privacy Statement. If you are an employee of a Franchisee, please contact your employer for information on their privacy practices.
2. Information We Collect
McDonald’s collect, and we have collected in the past twelve (12) months, the following categories of personal information about Franchisees:
(A) Identifiers and contact information such as a real name, suffix, alias, postal address, unique identification numbers, online identifier, internet protocol address, email address, Social Security number, passport number, usernames, passwords (whether assigned by McDonald’s or selected by you), accounting and payment information such as federal tax identification number, VAT number, country, bank account, name of the account holder, bank category, reference details, SWIFT code, IBAN, bank name and address, terms of payment, accounting correspondence (to the extent it qualifies as personal information), real-estate related data, which may incidentally include personal data, and any other similar identifiers.
(B) Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) that may identify, relate to, describe, or be capable of being associated with particular individuals, including, the “identifiers” listed in the preceding bullet point (A), and the following: date of birth, marital status, birth or marriage certificates, nationality, signature, physical characteristics or description (e.g., photographs), address, home and mobile telephone numbers, driver’s license or state identification card number, bank account information or any other financial information.
(C) Characteristics of protected classifications under California or federal law, collected for diversity, equity, inclusion, and other lawful purposes within the McDonald’s franchise network, such as race, color, ethnicity, religion or philosophical beliefs, national origin, sex, gender, sexual orientation, marital status, medical conditions, disability status, information on physical limitations, special needs and other medical or health-related workplace accommodations, military and/or veteran status, residency, work permit status, age (40 years and older), and where permitted by law and proportionate in view of the function to be carried out by a Franchisee, the results of credit and criminal background checks, drug and alcohol testing, and other screening procedures.
(D) Biometric information, such as photographs included in bios provided by Franchisees in their franchise applications.
(E) Internet or other electronic network activity information, including, but not limited to, information regarding and/or collected automatically as part of your interaction with the Systems (as defined below in Section 7); electronic content produced or received by you using the Systems (including documents, information, and emails and other electronic communications transmitted or received through the use of the Systems); information relating to your accounts held on the Systems, websites, or apps (including account profiles on McDonald’s websites or apps and data stored in relation to such accounts, e.g., rights and privileges, activity, interests, preferences, or other information that may be associated with your account); and information received by McDonald’s if you sign into the Systems, websites, apps, or accounts using social media or other third-party tools. This also includes voicemails, emails, and other work product correspondence and communications created, stored, or transmitted using McDonald’s computers, devices, or other communications equipment.
(F) Geolocation data – If you use certain McDonald’s apps or websites, such apps or websites may collect location data.
(G) Audio, electronic, visual, or similar information, such as photographs, and information captured on security systems, including key card or other entry control systems and CCTV systems.
(H) Business, Professional or Employment-related information, including:
- Employment history, educational background and status, professional certifications, language capabilities, references, letters of recommendation and interview notes;
- work history, spouses or relatives who may work for McDonald’s and your relationship to them, technical skills, training records, and emergency contact information;
- Information collected in connection with taxation (such as information collected via standard tax forms) and verifying your right to work in the United States;
- Acknowledgements regarding McDonald’s policies, such as our Standards of Business Conduct, as well as information provided pursuant to McDonald’s policies, such as information regarding potential conflicts of interest or similar compliance-related information;
- Information we collect, including through third-party suppliers, regarding content and other data posted on the Internet (such as data posted on social media and other public locations on the Internet);
- Any information needed to comply with McDonald’s policies or other reporting obligations, or requests from any court, governmental entities, or law enforcement authorities;
- Franchisee application data such as financial data, CVs of key personnel, background checks, including criminal background check (to the extent it qualifies as personal information);
- Information on the franchise agreement concluded with the relevant Franchisee (“Franchise Agreement”), including commercial terms, legal terms, and any other contractual documentation, information about contract performance, instances of non-performance, and information about the expiration and termination of the Franchise Agreement (to the extent it qualifies as personal information);
- Financial data and performance-related data of the relevant Franchisee; financial records, data on corporations, limited liability companies, partnerships and trusts that Franchisees assign to the McDonald’s restaurants they operate including direct and indirect shareholders, beneficiaries and trustees, quality assurance and quality control documents, and other information relevant for an audit (to the extent it qualifies as personal data); and
- For training purposes, information about the status of your training courses and the date of their completion, as well as any test scores, technical data in relation to your usage of the training platform and the device, system, software, and peripherals from which you are accessing the platform.
(I) Education information, defined as information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). This includes details contained in letters of application and resumes/CVs such as institutions attended and performance.
(J) Inferences drawn from any of the information identified in this section to create a profile about a person reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(K) Sensitive personal information such as government-issued ID (e.g., Social Security or passport number), account login or payment card information in combination with credentials allowing access to the account, precise geolocation data, certain characteristics of protected classifications such as racial or ethnic origin, contents of mail, email, and text messages, and biometric data, in each case as further described above in the relevant categories.
We collect this personal information: (1) directly from you when you provide information to us, for example, when you respond to a requests for information relating to your franchise application and/or dealings and interactions with McDonald’s, use our Systems, websites, or apps, or contact us; (2) indirectly from your computers, devices, or other communications equipment when you communicate with our Systems or applications; (3) from our security Systems, including key card or other entry control systems and CCTV systems; (4) from other companies and organizations such as our advertising agency partners, social media networks, data brokers, payment processors, and other providers; and (5) from publicly available sources.
3. Purposes for Which These Categories of Information Are Collected
We use your personal information for various business purposes which include purposes disclosed in this Notice or purposes compatible with the context in which the personal information was collected. For example, business purposes include auditing, helping to ensure security and integrity, debugging, short-term, transient use, performing services, providing advertising and marketing services, undertaking internal research for technological development and demonstration or undertaking activities to verify or maintain the quality or safety of a service or device. We also use your personal information for the following purposes associated with the management of the franchise relationship (including the provision of optional services requested by the relevant Franchisee):
- The administration, management and oversight of the franchise relationship (e.g., financial and performance-based reporting, billing and collection of rental and service fees);
- The provision and facilitation of access to McDonald’s and McDonald’s vendors’ systems and applications utilized during the course of the franchise relationship (including identity and access management or in-restaurant technologies);
- Monitoring the security and use of our networks, communications and systems, offices and facilities, property and infrastructure, and information security services optionally offered to franchisees;
- Reporting and statistical analysis (e.g., System usage, content access, and transactional level detail);
- Optional services offered by McDonald’s and various learning platforms;
- Compliance with legal and regulatory obligations such as compliance with anti-money laundering and trade sanction-related requirements, including record-keeping and reporting obligations;
- Dispute and complaint resolution, internal investigations and reviews, auditing, compliance with internal policies, and risk management;
- Establishing, exercising, or defending against legal claims;
- Assessment of a potential Franchisee’s suitability as a franchisee as part of our franchise due diligence process; and
- Quality management in respect of our products, services and Systems, improvement of the restaurant operation process of the relevant Franchisee.
To the extent any envisioned use is inconsistent with or outside of the contemplated uses in this Notice, we will communicate that to you as required by law.
We may de-identify personal information about you or receive de-identified personal information about you, and we may use and disclose such information for any purposes in accordance with applicable law. We will maintain de-identified information in de-identified form, and will not re-identify such information, except in accordance with the requirements of applicable law.
4. Disclosures of Personal Information
We may disclose your personal information to our affiliates and third parties as appropriate for any purposes described in this Notice. In general, we disclose personal information to the following categories of third parties:
- Members of the McDonald’s Family, including McDonald’s Corporation, McDonald’s USA LLC, and each of their respective subsidiaries, and affiliates, and McDonald’s franchisees;
- Vendors and service providers who help McDonald’s operate our business;
- Public authorities and courts;
- Buyers or other parties involved in a corporate transaction if we decide to sell or transfer all or part of our business or assets;
- Professional advisers such as our legal representatives, auditors, and insurance brokers; and
- Other business partners if they are involved in franchisee recruitment, training or relationship management matters.
We disclose, and have disclosed in the past twelve (12) months, personal information for purposes described below:
- To administer the franchise relationship as well as provide the services described in this Notice, personal information of Franchisees may be disclosed to McDonald’s employees, certain McDonald’s subsidiaries, and the relevant Franchisees.
- To engage vendors to assist us with processing the personal information subject to this Notice, we may disclose personal information to our vendors.
- To comply with legal obligations or in connection with legal claims, we may disclose personal information to public authorities, courts, or our professional advisers for the following specific purposes:
- Cooperation with law enforcement agencies concerning conduct or activity that may violate federal, state or local law;
- Establishing, exercising or defending against legal claims;
- Compliance with McDonald’s policies and legal obligations;
- Dispute and complaint resolution, enabling compliance reporting, internal investigations and reviews, auditing, and compliance and risk management;
- Preventing illegal, wrongful, or unethical conduct in the conduct of the McDonald’s business;
- Protecting the health and safety of Franchisees and others;
- Safeguarding and maintaining the security of our premises, assets, IT systems, and infrastructure;
- Compliance with record-keeping and reporting obligations; and
- Compliance with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by federal, state, or local authorities.
- In the event of a merger or acquisition, asset sale, a transfer of some or all of McDonald’s business, or other related transaction, we may disclose your personal information to the parties involved in the transaction.
- When we believe in good faith that a disclosure is required by law or to protect the safety of our employees, Franchisees, Franchisees’ employees, the public, or McDonald’s property, we may disclose your personal information to law enforcement agencies.
As is common practice among businesses that operate Internet websites and mobile apps, within the past 12 months, we have disclosed certain identifiers such as email addresses and pseudonymized identifiers, information about the use of our websites and apps, and inferences drawn about Franchisees to our consultants and analytics partners for diversity, equity and inclusive initiatives and other efforts. Under certain state laws, this may be considered to be a sale of personal information for consideration or a sharing of personal information for cross-context behavioral advertising.
5. Security
We maintain technical, physical, and organizational security measures that are designed to protect against unauthorized access, disclosure, damage, or loss of personal information. However, the collection, transmission, and storage of information can never be guaranteed to be completely secure. Please take steps to secure your access credentials such as login name and password, and do not share them with anyone.
6. Retention
Unless a specific retention period is mandated or permitted under applicable law, McDonald’s will only retain your personal information for the duration of time necessary to fulfill the purposes described in this Notice. This means that, in some cases, we may retain your personal information for a period of time following termination of your relationship with McDonald’s pursuant to our retention policy.
7. Notice of Monitoring of McDonald’s IT Systems
We may provide you with access to information technology systems, networks, and/or applications owned or operated by McDonald’s (the “Systems”) so you, as our Franchisee, can communicate and collaborate with us. While we respect the privacy of your email communications, we do have to draw a distinction in respect of your use of the Systems which McDonald’s may monitor and record in order to operate and secure the Systems, for compliance and audit purposes, and to protect against fraud, illegal activity, violation of McDonald’s policies, or misuse of the Systems or McDonald’s information assets or other property. Accordingly, save in respect to the privacy of the content of your email communications, you should not have any expectation of privacy otherwise in connection with your use of the Systems.
8. Your Obligations
Please help keep your personal information up to date and inform us of any significant changes to your personal information.
9. Your California Privacy Rights
If you are a California resident, you have additional rights. We will honor requests received to the extent required by applicable law and within the time provided by law.
a. Right to Access, Right to Know, Right to Correct, and Right to Delete.
- Right to Access and Right to Know. You have the right to request that we disclose the following to you, in each case in the twelve-month period preceding your request:
- the categories of personal information we have collected about you;
- the categories of sources from which the personal information is collected;
- our business or commercial purpose for collecting, selling, or sharing personal information;
- the categories of third parties to whom we disclose personal information;
- the specific pieces of information we have collected about you;
- the categories of personal information about you, if any, that we have sold or shared, and the categories of third parties to whom we have sold or shared the information, by category or categories of personal information for each category of third party to whom we sold or shared the personal information; and
- the categories of personal information about you that we disclosed for a business purpose, and the categories of recipients to whom we disclosed the information for a business purpose.
As used above, “sold,” “selling,” “shared,” and “sharing” have the meanings provided in the California Consumer Privacy Act of 2018 as amended. Please note that we do not sell, and within the last 12 months, we have not sold, personal information, including personal information of individuals under 16 years of age.
- Right to Correct. You have the right to request that we correct inaccurate personal information that we have collected about you.
- Right to Delete. You have the right to request that we delete personal information about you that we have collected from you. Please note however that we may decline your requests under certain exceptional circumstances permitted under the law and we will communicate such exceptions where they apply.
For requests made in connection with the Right to Access, Right to Know, Right to Correct, and/or Right to Delete, please note:
- As required or permitted under applicable law, we may take steps to verify your request before we can provide personal information to you, correct or delete personal information, or otherwise process your request. To verify your request, you must provide your name, email address, and state of residence, and you may also have the option to provide your phone number. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.
- We will process your request within 45 days after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period of time required by law. If your request involves us providing personal information to you, we may deliver the personal information to you through your account, if you maintain an account with McDonald’s, or electronically or by mail at your option. If electronically, then we will deliver the information to you, or at your request to another entity, in a portable and, to the extent technically feasible, structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.
b. Right to Non-Discrimination. We may not discriminate against you because of your exercise of any of the foregoing privacy rights, or any other rights under the California Consumer Privacy Act, including by:
- Denying you goods or services;
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or by imposing penalties;
- Providing you a different level or quality of goods or services; or
- Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
Requests to Exercise Your Rights
You may request to exercise these rights by:
As required or permitted under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may limit our response to your exercise of the above rights as permitted under applicable law.
Agent Authorization
You may designate a power of attorney or an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent or a person who has power of attorney may contact us as set forth below in “How to Contact Us” to make a request on your behalf. Even if you choose to use an agent, as permitted by law, we may require verification of the agent’s authorization to act on your behalf, require you to confirm you have authorized the agent to act on your behalf, or require you to verify your own identity.
10. Disability Accessibility
If you are a user with a disability, or an individual assisting a user with a disability, and have difficulty accessing or navigating our digital channels – including this Notice – please contact us at accessibility@us.mcd.com. You can also review our Accessibility Statement.
11. Do Not Track
Please note that our websites and mobile apps are not designed to respond to “do not track” requests from web browsers.
12. How to Contact Us
If you have any questions or comments about this Notice, or if you would like us to update information we have about you, you can reach us at:
Privacy at McDonald's, Dept. 282
110 North Carpenter Street
Chicago, IL 60607-2101, USA
contact.privacy@us.mcd.com