California and Nevada have both passed laws affecting consumers’ data privacy rights, which create affirmative compliance obligations for certain self storage owners, operators, and vendors. California’s law becomes effective on January 1, 2020 and Nevada’s becomes effective on October 1, 2019.
The California Consumer Privacy Act of 2018 (CCPA) was passed in response to privacy breaches and data misuse issues. Overall, the intent of the CCPA is to provide consumers with:
- The right to know what information is being collected about them;
- The right to know whether their personal information is being sold and to whom;
- The right to say no to the sale;
- The right to access their personal information or have it deleted; and,
- The right to equal service and price, even if they exercise these rights.
Businesses that transact with California residents and that satisfy one or more of the following must comply (“Covered businesses”):
- Has annual, company-wide gross revenues in excess of twenty-five million dollars ($25,000,000); or,
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices; or,
- Derives 50 percent or more of its annual revenues from selling California consumers’ personal information.
Consumers can request that covered businesses provide them with the personal information the business has compiled about them. Once a business receives a “verifiable request” from a consumer, it must provide the requested information either electronically or in hard copy. Although the CCPA is aimed at protecting California residents, the CCPA contains certain ambiguities that may make it advisable to comply with any “verifiable request” without determining the consumer’s residency.
Further, consumers may direct covered businesses to delete the personal information they have collected about them. While the law provides some exemptions to the deletion requirement, it will require that businesses functionally “process” each request to determine whether it must delete the consumer’s information.
Finally, consumers may direct a covered business to cease selling their personal information to third parties. Each covered business must have a “clear and conspicuous” link on its internet homepage to inform consumers of their right to opt out of the sale, titled “Do Not Sell My Personal Information.” Once a consumer exercises the right, the business must honor it.
The CCPA also makes it unlawful for businesses to treat consumers differently or discriminate against them if they exercise their rights described above. However, the CCPA does permit businesses to offer financial incentives to consumers for the collection, sale, or deletion of their information.
To learn more about the CCPA, click HERE
The Nevada law is thankfully less expansive than its California counterpart. Nevada Senate Bill 220 (SB 220) requires a business to comply if it:
- Owns or operates an internet website or online service for commercial purposes;
- Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and,
- Purposely directs its activities toward Nevada or consummates some transaction with Nevada or one of its residents.
A business meeting the definition above must establish a procedure that allows consumers to direct the business to cease selling any of their “covered information,” which includes, but is not limited to, addresses, phone numbers, and social security numbers. Even if a business does not sell consumer data, it must still establish such a procedure.
Each covered business is required to establish a “designated request address” that allows a consumer to submit a “verified request,” directing that business to stop the sale of their personal information. Once a covered business receives that request, it must respond within sixty (60) days after receipt and must stop the sale of any covered information. Again, even if a business does not sell consumer’s data, it must still respond to the request.
To learn more about SB 220, click HERE
Both laws are likely to create some compliance headaches for covered businesses, including SSA members. To address those concerns, as well the proliferation of other state privacy laws, the SSA recently joined the Main Street Privacy Coalition (MSPC). The MSPC is seeking a federal resolution with strong preemption to prevent a patchwork of state privacy laws. To learn more about the MSPC, review the October 2019 Magazine article.