Data Privacy in Self-Storage: How to Manage Your Risk Around Collection and Disclosure
If you aren’t actively communicating your privacy practices to tenants or, worse, you don’t have any, your self-storage business could be vulnerable to all sorts of legal problems. The following insight will explain why it’s imperative to be transparent with your disclosures and help you manage risk around the collection of customer data.
August 3, 2024
Self-storage operators are increasingly becoming the targets of potential litigation as well as state and federal scrutiny, especially in relation to cybersecurity and data liability. Due to growing consumer-privacy laws and their enforcement, you must carefully consider your data-collection and -management practices, particularly your privacy disclosures. Below is insight to help you mitigate this risk.
Your Legal Exposures
What types of legal risks do self-storage companies face when failing to accurately communicate their data-privacy practices to customers? When you tell people you’ll safeguard their personal information, the Federal Trade Commission (FTC) can and does take action to make sure you live up to the promise. It has brought legal action against organizations that have violated consumer-privacy rights, misled customers by failing to maintain security for sensitive information or caused substantial consumer injury. In many of these cases, the FTC has charged defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.
The agency also enforces other federal laws relating to consumer privacy and security. To the extent a company misrepresents its data practices, it’s exposed to potential regulatory investigation and action by the FTC or its state attorneys general. The most recent case involved InMarket Media, which failed to fully inform its consumers and obtain their consent before collecting and using their location data for advertising and marketing. The company is now prohibited from selling or licensing any precise location data.
In its complaint, the FTC said InMarket failed to obtain informed consent from users of its shopping-rewards app CheckPoints and shopping-list app ListEase. When the company requested to use a consumer’s location data, it stated that it would be used for the app’s function. It failed to mention that the information would also be combined with other data obtained about those users and implemented in targeted advertising.
The FTC claimed that InMarket also failed to ensure that third-party apps that incorporate the company’s software-development kits obtained informed consent. In fact, the company neglected to tell third-party apps that the location data provided through InMarket’s kits would be combined with other data to create profiles of consumers.
New State Privacy Laws
There are new privacy laws in California, Colorado, Connecticut, Delaware, Idaho, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia, though only five are currently effective. The rest go into effect in July.
All of these states require companies to include specific contact information for consumers who seek to exercise the rights to access, correct, delete or opt out of certain types of processing and other rights they have under these statutes. Some of these laws require that specific disclosures be made within a company’s privacy policy so consumers are aware of their new rights. California, Colorado, Connecticut and Virginia also require companies to conduct written risk assessments if they’re processing specific types of data. For example, Virginia law Section 59.1-578 E states:
A controller shall establish and shall describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. In addition, we also confirm with web-design teams the correct display so the company can represent consent is obtained when a consumer clicks through to the website and banners are appropriately drafted to obtain such consents.
Reduce Website Risk
Internet cookies are small pieces of data that are created and stored while a user is browsing a website. They’re placed on the consumer’s device to help the website remember them and their activity. Cookies can create convenience for users, however, they’re also considered to be personal data under most privacy laws.
Now’s the time to meet with your self-storage web-design and marketing teams to identify which cookies may be in use on your website, how they’re being used, and how to properly explain such use in the context of your company’s privacy policy. You must disclose any use of cookies to your customers and obtain consumer consent.
In general, cookie banners and click-through consents are used to ensure customers are aware of any online tracking that may occur across multiple websites. For example, cookies might identify a consumer’s geolocation data or serve them with third-party advertising. The states take various positions on whether consumers should be given the opportunity to “opt out” of any tracking and ad serving that may occur. For example, in Colorado, there’s a universal opt-out method for targeted advertising. In Connecticut, section four of the Act gives the consumer the right to opt out.
When to Update Your Privacy Policy
To help manage your risk around data privacy, consider consulting with an attorney to fully understand the laws that may impact your operation and update your privacy policy. Your policy should be revised any time there’s a material change in the way your company handles the data it collects from customers. It should also be specific about how such updates will be communicated to consumers and trigger the renewal. It needs to be a living and breathing document that’s always reflective of the company’s data practices.
In addition, it’s important that your privacy policy reflects changing legal requirements that are applicable to your business and that it’s consistent with your compliance obligations regarding consumer privacy rights. Review it every six months to account for new legislation and internal processes that may evolve because of innovation, new customer-engagement initiatives, technology implementation, or any other changes that may involve the way consumer data is being managed by your self-storage operation.
David F. Katz is a shareholder for the law firm Weissmann Zucker Euster + Katz P.C. He serves as counselor and advisor to executive-level managers and general counsel for public and private companies. He previously served as senior legal counsel in corporate law, advising a Fortune 1000 publicly traded company in Atlanta. He’s also a former Baltimore prosecutor and a judge advocate for the U.S. Army Reserve. He speaks and writes on matters relating to technology, privacy and data security. Follow him on X (formerly Twitter) @KatzFDavid or connect with him on LinkedIn.
About the Author
You May Also Like