While data privacy and security is an issue in any business these days, it certainly cannot be ignored in the self-storage industry. The collection of data by operators regarding their tenants (and even prospective tenants) is inevitable, and that data must be protected. The self-storage operator's practices and policies for managing and using that data must also be disclosed transparently to avoid violating any federal and state data and privacy laws that may apply.
First, operators must understand that there are three “classes” of data:
Information gathered on your channels/website is “first party” data.
Specific information gathered from others for leads is “second party” data.
General/non-specific information collected from data aggregators is “third party” data.
The “class” of the data is extremely important in recognizing your legal obligations. Generally, data cannot be collected and utilized without the party’s consent. To the extent the information is gathered through the use of “cookies” on a website (or another method of tracking), the website provider must conspicuously disclose this and obtain clear consent from the website visitor to use and retain the information the visitor provides while on the website. It is this disclosure and consent, typically described as a “cookie banner,” that a visitor often sees displayed the first time they access the website.
Once the information is obtained, it must be secured. It is important to have a security plan in place, including limiting access to the collected data, conducting regular security audits and assessments to protect the data, and enhancing employee training and awareness regarding the importance of data security.
The evolving laws relating to this data have also changed how businesses operate (and how their websites work). Now, consumers who provide their information have certain rights as to how that information (typically defined as “personally identifiable information” or “PII”) is held, used, shared, deleted, or transferred.
A “Data Subject Access Request” or “DSAR” is a request submitted by a consumer to a website controller (business) to identify the controller's possession of certain information, to correct inaccurate information about the consumer, or to delete the consumer's information. In other words, a DSAR can be used to opt for the deletion of the information, to request a change or correction to the information, or to request the portability of the information. A company that fails to respond to a DSAR is subject to both federal and state liability under relevant data privacy statutes.
More and more states are adding data privacy laws to their state statutes. Currently, California, Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, New Hampshire, Nebraska, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia all have some form of data privacy laws on the books to protect the consumers in their states.
These laws are in addition to “Data Breach” laws, which are found in every state and address the rights of consumers who have suffered a risk of identity theft arising from the unlawful and unauthorized access to their personal information. The bottom line is that every company should be reviewing its website privacy policies to ensure that it has created a compliant method to address and handle DSARs in a timely and competent manner.
Under these data breach laws, companies that fail to have certain protocols and safety measures in place may suffer liability for their actions or omissions. Many companies have moved to encryption and secured back-up systems to thwart the potential risk of data intrusion and misappropriation of the stored information. Similarly, if a breach does occur, it is incumbent upon the company to immediately and properly notify the affected parties.
About Us
Scott Zucker is a partner in the law firm of Weissmann Zucker Euster + Katz P.C. in Atlanta, GA. Scott specializes in business litigation with an emphasis on real estate, landlord-tenant and construction law. For more visit www.wzlegal.com.
If you are a self storage operator and member of the national SSA or an affiliated state SSA, you are eligible to join the Self Storage Legal Network, receiving a one-year subscription for unlimited questions on legal information relating to the industry. www.selfstoragelaw.com.
This newsletter is for the purpose of providing general legal insight into the self-storage industry. It should not be substituted for the legal advice of your own attorney.
MSM, PO Box 608, Wittmann, AZ 85361-9997, (800) 352-4636