MacDonald's is facing a "new crackdown" from the Equality and Human Rights Commission (EHRC) due to its failure to stop ongoing, widespread sexual abuse and harassment. This is happening despite the company signed a legally binding agreement in February 2023 intended to protect its staff. This dramatic escalation serves as a powerful illustration of failed corporate self-regulation, suggesting the 2023 agreement was fundamentally inadequate and failed to move the company beyond cosmetic compliance or address the toxic culture's root causes. The EHRC's return to the table with a stronger mandate confirms that this is not a problem of isolated incidents but a systemic failure to protect a young and vulnerable workforce.

The Essential Role of Investigative Journalism

This corporate misconduct, which includes allegations of groping, assault, and bullying against a workforce comprised largely of young people, would have remained hidden behind corporate PR. This was, once again, a case where investigative journalism played the essential watchdog role. A BBC investigation, which first brought over 100 allegations to light and has since been followed by hundreds more, exposed the toxic reality that the company's internal mechanisms had failed to address. The legal pile-on has grown: Leigh Day says more than 700 workers—across 450+ restaurants—have instructed the firm, with the EHRC confirming hundreds of reports to its own channels.

The Necessity of State Regulation

This case is a powerful example of why robust government intervention is necessary to protect the public from abusive behaviors linked to corporate power. McDonald's, a powerful multinational enterprise, had already promised to "clean up" its act. Yet, the scale and persistence of complaints made clear that voluntary measures were ineffective.

Legal context that actually binds employers matters here:

• Equality Act 2010 (EA 2010): harassment is unlawful, and employers are liable for acts “in the course of employment,” subject to the “all reasonable steps” defense. Liability also extends to acts done by agents (s.109), widening exposure where authority or agency can be shown.

• Worker Protection (Amendment of Equality Act 2010) Act 2023: since October 26, 2024, every UK employer has a positive duty to take reasonable steps to prevent sexual harassment. Tribunals can uplift compensation by up to 25% where that preventative duty was not met, and the duty covers risks from third parties (customers, clients). The EHRC can enforce.

• EHRC powers (Equality Act 2006): the regulator can investigate (s.20), issue Unlawful Act Notices (s.21), require action plans (s.22), and enter binding agreements (s.23); it can seek court orders if commitments fail. That toolkit sits behind the “strengthened measures” now in play.

• Health & Safety law: employers must protect workers’ health, safety and welfare (HSWA 1974, s.2), including psychosocial harm, and must conduct suitable and sufficient risk assessments (MHSWR 1999, reg.3). HSE and Acas are explicit that work-related stress and harassment risks require assessment and controls.

The legal framework in the UK is built on the understanding that companies may fail to police themselves, which is precisely why statutory bodies like the EHRC are empowered to intervene when corporate self-regulation proves insufficient. This structure exists because of the inherent conflict of interest in any corporation attempting to self-police; its primary duty is often to its profitability and other private interests, not to the public good. The EHRC's new crackdown on McDonald's is a step in the right direction. Crucially, McDonald's public statements about making "significant progress" highlight this exact conflict. Such corporate claims, and even the introduction of seemingly useful self-regulatory measures, cannot be considered a substitute for independent state regulation and intervention. When significant societal harm is at risk—in this case, the systemic abuse of a young and vulnerable workforce—relying on a company's internal mechanisms is inadequate. The regulator's decision to escalate its enforcement is therefore justified by the clear evidence, from continuous worker allegations and mounting litigation, that the abusive practices are ongoing and that mandatory, external oversight and enforcement are essential.

The Dangers of Cosmetic Compliance and “Tick-Box” Practices

The McDonald's case appears to exemplify a phenomenon that might be termed "cosmetic compliance," where organisational responses risk prioritising visible artefacts over substantive, preventative action. A "tick-the-box" approach creates the illusion of ethical governance while failing to alter the underlying culture. When a 21-year-old worker who reports harassment is told to "suck it up," it renders the company's 95% "awareness" rate for its reporting channel meaningless.

The implementation of policy documents, new reporting channels, or slideware-based training modules does not, in isolation, satisfy the full scope of the statutory preventative duty or necessarily constitute the "all reasonable steps" required for a legal defence.

From a regulatory perspective, the focus is increasingly on the evidence base and efficacy of such measures. This includes demonstrating a thorough, evidence-based risk assessment that identifies specific, known vulnerabilities within the operational environment. Consequently, effective compliance would require controls targeted at these high-risk points, for example, specific protocols for night shifts, procedures for managing late-hour customer interactions, or clear policies addressing the risk of grooming via social media and direct messaging.

Furthermore, a robust compliance framework moves beyond simple implementation to include managerial accountability and a continuous focus on measurable outcomes. Regulators seek to differentiate substance from optics by examining metrics that demonstrate a system's functionality. This might include data on incident time-to-triage and time-to-resolution, complete with established escalation gates for serious allegations. It would also involve the systematic tracking of repeat-offender and repeat-location rates, with clear evidence that this data is used to inform disciplinary follow-through and further preventative action.

Finally, current regulatory guidance, such as that from the EHRC and Acas, places significant emphasis on proactive steps and the mitigation of third-party risks. Ignoring vectors of harm from customers or other external parties is a significant omission. An employer's preventative duty is increasingly understood to include mitigations such as appropriate security presence, clear protocols for refusing service to abusive individuals, and explicit zero-tolerance signage, and failing to address these factors will likely count against an employer in a legal or regulatory context.

A Potentially Useful Corporate Governance Solution

The proposal to introduce an external body to review the company's handling of claims is a notable governance initiative; however, its actual value is entirely contingent upon its structural design and implementation.

To be effective, this body must possess genuine structural independence, which would be secured by mechanisms governing its appointment, tenure, and remuneration that are explicitly designed to mitigate the risk of corporate 'capture'. Its operational remit must also be comprehensive, extending beyond corporate-owned entities to include the complex franchise network and the critical issue of third-party harassment controls.

Beyond independence, sufficient resourcing and unfettered access to information are paramount. This would include enterprise-wide access to all relevant data streams—from complaint logs and digital records to Human Resource Information Systems (HRIS)—coupled with the authority to conduct unannounced audits. Such authority would be substantially strengthened by the EHRC's latent enforcement powers, providing a necessary legal backstop should corporate cooperation diminish.

Finally, a robust transparency mandate is essential. This would require the public disclosure of findings, benchmarked against established legal standards such as the "reasonable steps" defence under the Equality Act 2010 and the new 2024 preventative duty. Critically, these public reports should identify systemic, root-cause patterns and mandate specific, time-bound remediation. Lacking these fundamental elements of independence, access, and transparency, the initiative risks functioning merely as a symbolic gesture or another form of 'cosmetic' governance, rather than a substantive control mechanism.

The Franchise Loophole: A Structural Failure

This case exposes significant structural weaknesses inherent in franchise systems regarding the uniform enforcement of legal compliance. The original 2023 EHRC agreement, which legally bound only the McDonald's UK corporate entity, created a "compliance seam," as franchisees were not direct parties to it. This gap leaves a significant area of non-compliance unless it is effectively backfilled by embedding stringent requirements within brand standards, complete with robust audit mechanisms and the ultimate leverage of contract termination. While the EHRC has since attempted to bridge this gap by warning all franchise owners directly, the precise legal allocation of risk between franchisor and franchisee remains complex.

Several legal principles, however, challenge any assumption that the corporate headquarters is shielded from liability. Under section 109 of the Equality Act 2010, a company can be held liable for the actions of its agents, and a franchisee's status as an "agent" is a matter of common-law determination, not a status defeated by branding alone. Furthermore, the anticipatory nature of the new preventative duty, which explicitly covers third-party harassment, means a franchisor that sets standards but tolerates obvious, systemic risk factors across its estate—even where direct employment links vary—invites regulatory attention. This is reinforced by health and safety duties, which require risk assessments not only at the site level but also across the entire system wherever hazards, such as the conduct of late-night customers toward young staff, are predictable.

To effectively move the needle and embed genuine compliance across such a federated system, governance fixes must be structurally integrated. This would include making "People and Brand Standards" contractually enforceable, subject to independent audits, and linked to mandatory data sharing, with termination as a clear sanction for non-compliance and estate-level KPIs published for transparency. It would also necessitate mandating site-specific sexual-harassment risk assessments, which must include contemporary vectors like social media grooming, and requiring verifiable proof of these controls as a condition for license renewal. Finally, a truly independent "Speak Up" pathway, structurally aligned with whistleblowing law (PIDA), would be required, with its credibility reinforced by public reporting on anti-retaliation outcomes. SOURCES

• Noor Nanji & Zoe Conway, McDonald's faces new crackdown on sexual abuse, BBC, Nov. 7, 2025, https://www.bbc.co.uk/news/articles/cpwv01r2wj5o?app-referrer=push-notification
  

• Sarah Butler and Kalyeena Makortoff, This article is more than 9 months old

  McDonald’s sacked 29 people after sexual harassment allegations, MPs told, The Guardian, 7 Jan., 2025, https://www.theguardian.com/business/2025/jan/07/mcdonalds-workers-legal-action-harassment-claims?utm_source=chatgpt.com

#Business #CCO #Compliance #Corporate #CorporateAccountability #CorporateCrime #CorporateCrimeObservatory #CorporateCulture #CorporateGovernance #CorporateMisconduct #Corporation #Crime #EHRC #Enforcement #Franchise #HumanRights #InvestigativeJournalism #LaborLaw #LaborRights #Law #Policy #Regulation #Safeguarding #Sex #SexCrimes #SexualAbuse #SexualHarassment #Transparency #UK #Watchdog #WorkplaceSafety