Newly passed laws affecting consumer data-privacy rights in California and Nevada could have an impact on self-storage operations. California's law goes into effect on Jan. 1, while Nevada's goes into effect on Oct. 1, according to the national Self Storage Association (SSA), which shared the information in a Sept. 23 newsletter to members.
The California Consumer Privacy Act of 2018 (CCPA) was passed in response to privacy breaches and data-misuse issues that prompted a ballot initiative from the state’s voters. It requires businesses to inform customers what information is being collected about them and whether their personal information will be sold and to whom. It also gives consumers the right to say no to a sale; the ability to access their personal information or have it deleted; and the right to equal service and price, even if they exercise these rights.
Companies that will be required to comply must meet several conditions. For example, they must have an annual, company-wide gross revenue of more than $25 million; annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices; or derive 50 percent or more of their annual revenue from selling California consumers’ personal information.
The CCPA allows for “individual or class-action lawsuits on behalf of consumers whose nonencrypted or nonredacted personal information was accessed without authorization, stolen or disclosed as a result of the covered business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Statutory damages up to $750 per incident or actual damages can be pursued. Intentional violations may result in a civil penalty up to $7,500 per incident.
Under Nevada Senate Bill 220 (SB 220), businesses must establish a procedure that allows consumers to direct them to cease selling their “covered information.” This includes first and last names, physical and e-mail addresses, phone numbers, and Social Security numbers. Even if a business doesn’t sell consumer data, it must establish a procedure.
A business must comply if it owns or operates a website or online service for commercial purposes; collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and purposely directs its activities toward Nevada or consummates some transaction in the state or with one of its residents. Each covered business is required to establish a “designated request address,” such as e-mail, that allows a consumer to submit a “verified request,” directing it to cease sales of any covered information to a third party.
Businesses that aren’t in compliance have 30 days to remedy the issue. If they fail to cure any violations, the Nevada Attorney General can seek to impose a civil penalty up to $5,000 per incident.
Self Storage Association, New Privacy Requirements Coming for California and Nevada Businesses
California Consumer Privacy Act of 2018
Nevada Privacy Law