07 May 2024
Self-storage operators, along with a growing number of consumer-facing businesses, are becoming more exposed as the target of potential litigation and state and federal regulatory scrutiny and enforcement, especially in cyber and data liability. These days, self-storage operators must not only tackle the regulatory compliance issues included as part of their state lien laws but must also hold themselves accountable to a myriad of other laws that impact its day-to-day management. Specifically, in the areas of increasing state consumer privacy laws, operators must carefully consider consumer data collection and management in the context of consumer privacy disclosures through privacy policy disclosures and website data collection.
There are state privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia currently signed into law. Some of these states require specific disclosures be made within a company’s privacy policy so consumers are aware of their new rights by statute. Of these 13 new laws, only five are currently effective (California, Colorado, Connecticut, Utah, and Virginia) with Montana, Oregon, and Texas set to become effective in July of 2024.
A common requirement of these laws is that a business that qualifies (based on annual revenue or number of customers) must establish, and shall describe in a privacy notice, “one or more secure and reliable means for consumers to submit a request to exercise their consumer rights”. Additionally, the qualified company must utilize a system of notices on its website to permit its customers to consent to the use of its personal data. It is these requirements that have led to the implementation of the so-called “cookie banners” that we now ubiquitously see every day on websites and mobile applications. These “cookie banners” are a designed methodology to comply with the new laws and provide a display so that businesses using the data can represent that notice has been given and consent has been obtained when a consumer clicks through to the website
In general, cookie banners and click through consents are utilized to ensure that consumers are aware of any online tracking that may occur across multiple websites, may identify a consumer’s geolocation data or may allow third party advertising to that consumer. A company must work closely with its web design and marketing teams to identify which cookies may be in use, their purpose and how to properly explain such use in the context of its privacy policy. In general, states take various positions on whether consumers should be given the opportunity to “opt out” of any tracking that may occur as a result of the cookies that are included in their websites.
In the current environment of class action litigation on the issue of privacy, a cookie banner is recommended even if the business may otherwise not be included in the general statutory law that applies to the state where the business is headquartered. Transparency on websites and mobile applications relating to customer data and privacy is now just “good business”.
Inevitably, a business’ privacy policy needs to be updated each time there is a material change in the way the company handles the data it collects from its customers. In addition, a privacy policy must be specific about how any such updates will be made known to its users. Ultimately, due to the ever-changing environment relating to data privacy (especially on a state-by-state basis), a privacy policy must be a “living and breathing document” which is subject to change to reflect the company’s evolving data practices.
It is very important that a privacy policy be regularly updated to reflect the changing legal requirements that are applicable to the business. The business’ privacy policy should also be consistent in addressing variations in the specific state compliance obligations when operating in multiple states. Privacy policies should be regularly reviewed to account for new legislation and internal business process that may evolve or change because of innovation, new customer engagement initiatives, adoption of new software for consumer engagement or any other changes that may involve the way consumer data is being managed by the business.
Finally, companies should prepare summaries and analyze their current cyber liability insurance coverages to determine the adequacy of their coverage amounts, exclusions and deductibles. Operators must better familiarize themselves with these insurance services to lessen the economic impact of a data breach on their businesses.
This article was originally published by Modern Storage Media and written by Scott Zucker, April 16th 2024.
Scott Zucker is a founding partner in the Atlanta law firm of Weissmann Zucker Euster Morochnik &; Garber P.C. and has been practicing law since 1987. Scott represents self-storage owners and managers throughout the country on legal matters including property development, facility construction, lease preparation, employment policies and tenant claims defense. He also provides, on a consulting basis, advice to self-storage companies in the areas of foreclosure and lien sales, premises liability and loss control safeguards. Scott can be reached at 404-364-4626 or by e-mail at Scott@wzlegal.com