Each year brings new challenges to a self-storage business. As technology systems and policies evolve, we see fresh legal issues follow those advancements. Unfortunately, there’s often increased liability exposure for facility operators while they work to catch up. Further, when it comes to consumer protections, the pendulum tends to swing against companies. They’re expected to keep pace with the fast-paced change, even when that change is costly to implement.
There are three legal concerns self-storage operators need to pay attention to this year: data privacy, ADA (Americans With Disabilities Act) compliance, and tenant communication. Let’s explore each as well as steps to reduce your risk.
The year began with the implementation of the California Consumer Privacy Act (CCPA). Under the law, state residents are given the right to know what personal information is being collected about them and if that information is going to be sold. Most important, they’re now able to control and limit the disclosure and sale of their information to third parties.
The CCPA doesn’t apply to every business in the state. To be compelled by the requirements of the law, the company must meet one of these criteria:
- Have an annual gross revenue in excess of $25 million
- Obtain the personal information of 50,000 or more consumers
- Earn more than half of its revenue from the sale of consumers’ personal information
If your business falls into any of these categories, you must implement practices to protect the consumer data you collect and procedures that allow consumers to recover their personal information and stop its sale to others. Some of the steps you must follow include updating your website to permit customers to request access to their stored data, restrict the sale of their data to others—a “do not sell” option—and communicate with your company about these issues through your website and a toll-free number.
The California law also enhances the protection of a consumer’s privacy and the use of his information if he’s under 13 years old. The sanctions imposed include statutory damages of $100 to $750 per California resident affected, fines in excess of $2,500 for unintentional violations, fines in excess of $7,500 for intentional violations, and the risk of criminal prosecution by the California Attorney General’s Office.
On the other side of the country, New York expanded its data-privacy laws to include the “Stop Hacks and Improve Data Security Act” (SHIELD), effective March 21. SHIELD applies to more business than the California law since it only exempts those that have fewer than 50 employees, less than $3 million in gross revenue (over the past three years), or less than $5 million in year-end total assets.
The New York act deals primarily with data theft and the obligation to notify customers who are affected. Pursuant to SHIELD, businesses must update their data-security systems to claim they’ve provided “reasonable safeguards to protect the security, confidentiality and integrity” of customer data through administrative, technical and physical programs; and procedures and controls that’ll detect, reduce and, hopefully, prevent cyber risks. These might include the regular testing of Internet systems and policies to control data loss arising from outside intrusions. Non-compliance will result in potential civil penalties up to the greater of $5,000 or $20 per instance of failed notification as well as exposure under the state’s existing deceptive business-practices law.
California and New York are just two of the states that have enacted data-security and privacy-protection laws. Others have added laws over the past five years to address these issues and expand privacy protections to consumers.
There’s been a recent group of cases that have focused on ADA violations, and not just on a per-location basis. Rather, they’re based on the assertion that a business, without limitation to the number of its locations, failed to maintain an appropriate policy to create and maintain its facilities to permit unobstructed access to its products and services.
Lawsuits have been filed against companies such as Cracker Barrel and Steak ‘n Shake, each with hundreds of stores, asserting a failure of the business to present and establish a demonstrable corporate program to audit and maintain its properties and ensure there are no barriers to access for disabled customers. These cases were class actions that alleged violations at all company stores. They were based on the claim that these locations lacked adequate “policies” to protect customers from barriers to access, primarily in their parking lots.
These widespread “policy” lawsuits are in addition to the influx of ADA cases that have been filed and will continue to be filed addressing the right of access for visually impaired customers to use a business website. Though there were already a significant number of lawsuits filed in the past year, including dozens against self-storage companies, a recent U.S. Supreme Court decision opened the door to more.
In the case of Guillermo Robles v. Domino’s Pizza LLC, a blind customer sued the chain, claiming he was unable to order food on its website because it didn’t have adequate screen-reader capability, which would permit visually impaired customers to use the applications.
Originally, the U.S. Federal Court of Appeals in the Ninth Circuit upheld the plaintiff’s right to sue Domino’s, even though the company argued the law only applied to physical accommodations at its stores. The Ninth Circuit decision was eventually appealed to the U.S. Supreme Court because it dealt with the application of federal law. However, rather than overturn the decision, the Supreme Court denied the petition by Domino’s to hear the case, leaving the lower court’s decision in place.
Based on the Supreme Court’s denial for review, there’s now established precedent for the holding that all companies must make their websites and mobile applications accessible to the disabled when those businesses offer “services” that are available at their physical locations and on their websites. If your storage business offers customers the ability to reserve, rent or pay online, those services must equally be available to customers who may be disabled. Otherwise, the business risks direct liability for failure to offer reasonable accommodations to customers with disabilities.
Fortunately, with every new legislative session, state laws are changing to ease the ability of self-storage operators to communicate with customers, primarily via e-mail. New York was just one of the more recent states that revised its lien law to permit the use of e-mail as notice to tenants of a potential lien sale. But less clear are the rules about calling or texting customers to communicate about their payment status, including potential default.
To make the risk even greater, a new law initiated in 2020, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, increased fines on robo-callers from $1,500 to as much as $10,000 per illegal call. Though the law also places a higher burden on phone companies to protect their customers from such calls, the law is framed to elevate the potential liability of companies that use robo-calling and even addresses the use of unauthorized texting. This includes expanding the statute of limitations on any claims from one year to four years.
The solution to this particular risk can be reduced, however, by including in a tenant’s rental agreement a clear acknowledgement that the use of calling, e-mail and texting is permitted. Once consent is received, the risk of claims is reduced. But self-storage operators should be careful when using third-party companies that use robo-call marketing. There’s no doubt that this new law, coupled with previous state and federal laws dealing with unauthorized communications, could expose you to class-action exposure if your third-party agent violates the law.
It’s imperative to stay current on the laws that affect your self-storage business, especially when implementing new technology. If you’re ever unclear about a policy or practice, seek legal advice to help reduce your risk for liability.
Scott Zucker is a founding partner in the Atlanta law firm of Weissmann Zucker Euster Morochnik & Garber P.C. and has been practicing law since 1987. He represents self-storage owners and managers throughout the country on legal matters including property development, facility construction, lease preparation, employment policies and tenant-claims defense. He also provides, on a consulting basis, advice to self-storage companies in the areas of foreclosure and lien sales, premises liability, and loss-control safeguards. To reach him, call 404.364.4626; e-mail firstname.lastname@example.org.