California, Nevada Pass Privacy Requirements That Could Affect Self-Storage Operators

Update 1/3/20 – Though the CCPA went into effect on Jan. 1, the California Attorney General’s Office won’t begin enforcing the data-privacy law until July. While that timetable gives businesses six months to comply, confusion persists as to how the law will be applied and which companies and data activities are affected, according to the source.

Last month, the California Self Storage Association was among several trade groups that attended a meeting in Los Angeles to discuss the measure. During the summit, board member Peter Watson asked for clarification on the businesses impacted by the law. He wanted to know, for example, if a self-storage operator captures the IP addresses of more than 50,000 website visitors in a year, whether that meets the law’s standard for having gathered “personal information.” Similarly, in discussing how to handle retroactive opt-out requests or providing a copy of personal information stored, meeting attendees questioned whether they would need to collect additional personal information, such as Social Security numbers, to verify that the person making the request matches the customer on file.

California Atty. Gen. Xavier Becerra hasn’t specified precisely how the law will be enforced. “Our office will promulgate final CCPA regulations in time for them to go into effect on July 1, 2020,” Becerra’s office told the source. “In the meantime, we cannot weigh in regarding whether the practices of a specific company or business are consistent with the CCPA. Once the regulations are final, we will move to enforce the law and ensure compliance.”

To help navigate the uncertainty, some large companies are working with businesses that specialize in compliance. Solutions include a website opt-out button that allows a user to request the company not sell his personal information, according to the source. Last month, Google signed on to a framework recommended by the Interactive Advertising Bureau and has provided a toolkit to help businesses build opt-out functionality into their websites, according to the source.

The process to comply with the CCPA is likely to cost businesses billions of dollars. A 2019 report commissioned by the attorney general’s office estimated upfront costs at $55 billion, with affected companies expected to pay another $16 billion during the next 10 years to remain in compliance, the source reported.

Further changes to privacy regulations could wind up on the 2020 state ballot. Those behind the CCPA have called for a state agency, not the attorney general, to enforce the law. Other provisions that could be part of a ballot measure include an opt-in system for users under 16 and additional restrictions on information, such as location, health status and sexual orientation, according to the source.

12/11/19 – The SSA submitted 20 pages of comments on Dec. 5 to the California Attorney General (CAG) requesting amendments be made to the proposed implementation regulations of the CCPA. The CAG regulations are intended to fill gaps and provide “instruction” to businesses on how to comply with the CCPA, according to the Dec. 9 “SSA Magazine Weekly” newsletter.

With CCPA set to kick in on Jan. 1, association officials described the measure as the “nation’s toughest data-privacy law,” which has sent “businesses scrambling to comply.” Though the CCPA will affect only the largest self-storage operators, public companies and some large regional players in the state, data privacy is being examined by state governments nationwide, according to the newsletter.

“With at least seven other states considering enacting their own data-privacy laws, experts say even smaller operators would be wise to start thinking more strategically about their data,” officials said.

9/25/19 – Newly passed laws affecting consumer data-privacy rights in California and Nevada could have an impact on self-storage operations. California's law goes into effect on Jan. 1, while Nevada's goes into effect on Oct. 1, according to the national Self Storage Association (SSA), which shared the information in an Sept. 23 newsletter to members.

The California Consumer Privacy Act of 2018 (CCPA) was passed in response to privacy breaches and data-misuse issues that prompted a ballot initiative from the state’s voters. It requires businesses to inform customers what information is being collected about them; if their personal information will be sold and to whom; the right to say no to a sale; the ability to access their personal information or have it deleted; and the right to equal service and price, even if they exercise these rights.

Companies that will be required to comply must meet several conditions. For example, they must have an annual, company-wide gross revenue of more than $25 million; annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices; or derive 50 percent or more of its annual revenue from selling California consumers’ personal information.

The CCPA allows for “individual or class-action lawsuits on behalf of consumers whose nonencrypted or nonredacted personal information was accessed without authorization, stolen or disclosed as a result of the covered business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Statutory damages up to $750 per incident or actual damages can be pursued. Intentional violations may result in a civil penalty up to $7,500 per incident.

Under Nevada Senate Bill 220 (SB 220), businesses must establish a procedure that allows consumers to direct them to cease selling their “covered information.” This includes first and last names, physical and e-mail addresses, phone numbers, and Social Security numbers. Even if a business doesn’t sell consumer data, it must establish a procedure.

A business must comply if it owns or operates a website or online service for commercial purposes; collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and purposely directs its activities toward Nevada or consummates some transaction in the state or with one of its residents. Each covered business is required to establish a “designated request address,” such as e-mail, that allows a consumer to submit a “verified request,” directing it to cease sales of any covered information to a third party.

Businesses that aren’t in compliance have 30 days to remedy the issue. If they fail to cure any violations, the Nevada Attorney General can seek impose a civil penalty up to $5,000 per incident.

Sources:
Los Angeles Times, California Is Rewriting the Rules of the Internet. Businesses Are Scrambling to Keep Up
SSA Magazine Weekly 12/9/19, SSA Seeks Changes to the California Privacy Law Regulations
Self Storage Association, New Privacy Requirements Coming for California and Nevada Businesses
California Consumer Privacy Act of 2018
Nevada Privacy Law