20 Jan 2025
While the issue of data privacy and security is true in any business these days, it certainly cannot be ignored in the self-storage industry. The collection of data by operators regarding their tenants (and even prospective tenants) is inevitable and that data must be protected. And the practices and policies of the self-storage operator related to the management and use of that data must be disclosed in a transparent way to avoid the violation of any federal and state data and privacy laws which may apply.
First, operators must understand that there are three “classes” of data:
The “class” of the data is extremely important in recognizing your legal obligations. Generally, data cannot be collected and utilized without the party’s consent. To the extent the information gathered is through the use of “cookies” on a website (or otherwise a methodology of tracking), the website provider must conspicuously disclose and obtain clear consent from the website visitor to use and retain the information the visitor provides while on the website. It is this disclosure and consent, typically described as a “cookie banner,” that a visitor often sees displayed the first time accessing the website.
Once the information is obtained, it must be secured. It is important to have a security plan in place, including limiting access to the collected data, conducting regular security audits and assessments to protect the data, and enhancing employee training and awareness regarding the importance of data security.
The evolving laws relating to this data have also changed how businesses operate (and how their websites work). Now, consumers who provide their information have certain rights as to how that information (typically defined as “personally identifiable information” or “PII”) is held, used, shared, deleted, or transferred.
A “Data Subject Access Request” or “DSAR” is a request submitted by a consumer to a website controller (business) to identify the controller's possession of certain information, to correct inaccurate information about the consumer or to delete the consumer's information. Again, this DSAR can be used to opt for the deletion of the information, to request a change or correction to the information, or to request the portability of the information. A company that fails to respond to a DSAR is subject to both federal and state liability under relevant data privacy statutes.
More and more states are adding data privacy laws to their state statutes. Currently, California, Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, New Hampshire, Nebraska, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia all have some form of data privacy laws on the books to protect the consumers in their states.
These laws are in addition to “Data Breach” laws, which are found in every state and address the rights of consumers that have suffered a risk of identity theft arising from the unlawful and unauthorized access to their personal information. The bottom line is that every company should be reviewing its website privacy policies to ensure that they have created a compliant method to address and handle DSAR requests in a timely and competent manner.
Under these data breach laws, companies that fail to have certain protocols and safety measures in place may suffer liability for their actions or omissions. Many companies have moved to encryption and secured back-up systems to thwart the potential risk of data intrusion and misappropriation of the stored information. Similarly, if a breach does occur, it is incumbent upon the company to immediately and properly notify the affected parties.
This article was originally published by Modern Storage Media and written by Scott Zucker, November 15th, 2024.
Scott Zucker is a founding partner in the Atlanta law firm of Weissmann Zucker Euster Morochnik &Garber P.C. and has been practicing law since 1987. Scott represents self-storage owners and managers throughout the country on legal matters including property development, facility construction, lease preparation, employment policies and tenant claims defense. He also provides, on a consulting basis, advice to self-storage companies in the areas of foreclosure and lien sales, premises liability and loss control safeguards. Scott can be reached at 404-364-4626 or by e-mail at Scott@wzlegal.com
