What is CCPA?
California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California. It provides residents of California the right to:
- Know what personal information (PI) is being collected about them.
- Know whether their PI is sold or disclosed and to whom.
- Say no to the sale of PI.
- Access their PI.
- Request a business to delete any PI.
- Not be discriminated against for exercising their privacy rights.
What is Personal Information?
CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers. (Source)
What does it mean for me?
If a resident of California exercises their right to retrieve, delete, or opt-out of the collection of their PI, affected businesses need to respond accordingly to remain legally compliant.
I don’t operate any storage facilities in California. Does the CCPA apply to me?
If you have a customer who claims California as their state of residence, then yes, CCPA does potentially apply to you.
However, the CCPA only applies to businesses that meet at least one of the following criteria (as enumerated in section 1798.140.C.1) :
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
You’ll need to consult with your legal counsel and internal teams on if your organization falls within these criteria.
Can any consumer exercise a provision of the CCPA?
Action should only be taken on verified requests from actual consumers. In order to appropriately respond to each request, businesses should first verify the requesting consumer’s identity and the validity of the request. Only upon successful verification and satisfaction that applicable defenses do not apply should businesses act upon the request.
How can a consumer submit a request to exercise a right under the CCPA?
Consumers need to be able to submit a request to your organization in at least two ways:
- A dedicated toll-free phone number
- A website (where your business has a website) or email address
Storable does not provide either of those two methods specifically for your organization.
How can I verify a consumer’s identity?
Regulations have not been established on what is precisely required to verify consumer identity, so storage operators will need to use their best judgment to determine how best to verify a consumer’s identity until regulations are formalized. The CCPA notes that a request submitted through a password-protected account maintained by the consumer while logged into the account may be treated as a verified request.
A “verifiable request” is a request (1) made by a consumer, by a consumer on behalf of a child, or by a person authorized to act on behalf of a consumer; and (2) that the business can reasonably verify the identity of the consumer about whom the business has collected PI.
A current tenant, past tenant, or non-tenant requested a disclosure on which PI was collected and sold for a business purpose, what steps do I take?
Consumers have the right to request that a business disclose which categories of PI were collected and sold, as well as to whom the data was sold, for the previous 12 months. While Storable does not sell consumer data, Storable does collect consumer data via the leads and move-ins recorded in storEDGE.
Storable will reasonably assist you in responding to consumer requests. Consumers can request their personal data at different levels of fidelity. Those two levels are:
- Abbreviated disclosure
- Expanded disclosure
A request for an abbreviated disclosure requires that the business provide the consumer with the categories and specific elements of PI that have been collected.
A request for an expanded disclosure requires that the business provide the consumer with the categories and specific elements of PI that have been collected, in addition to details on the source of the PI, the business or commercial purpose of collection, and the third parties with whom the PI is shared.
If a customer has submitted one of these requests to your organization, you can request Storable’s assistance with such disclosures by contacting Storable support at either CCPASupport@storable.com or 1-888-503-0583.
A consumer wants to know how my organization has sold their PI, and to whom. What steps do I take?
You have not sold such data to Storable - Storable is acting as a processor of such data, processing it on your behalf to provide services to the consumer. As far as Storable’s handling of consumer PI, Storable does not sell consumer data.
Storable cannot control how your organization has handled consumer data - please consult with your internal team and legal counsel on how best to respond to these inquiries.
A consumer wants to opt out of having their PI or their children’s PI sold to third parties. What steps do I take?
You have not sold such data to Storable - Storable is acting as a processor of such data, processing it on your behalf to provide services to the consumer. As far as Storable’s handling of their data, Storable does not sell consumer data. In this matter, the consumer can consult the text of the bill here, in section 1798.115.
Storable cannot control how an individual storage operator handles consumer data, and advises that you work with your internal team and legal counsel on how to respond to these inquiries on behalf of your organization.
A current tenant requested I delete their personal data, what steps do I take?
If they are a current tenant you can inform them that you cannot delete all of their data, since maintaining a tenant record is a requirement of renting a storage unit, which is the service that the consumer has asked to receive. The consumer can consult the text of the law here, but if the consumer wishes to continue receiving the service, we will have to maintain some of their personal data. Any other PI that has been provided through storEDGE that is not necessary to provide services to the applicable data subject is subject to the requirements of the CCPA.
A past tenant or someone who was never a tenant requested I delete their personal data, what steps do I take?
storEDGE allows you to anonymize old tenant records if the record hasn’t been deleted. To do so, simply open the tenant’s record and replace their first and last name with “anonymous” as well as any other personal information you may have on file with them (postal address, email address, social security number, driver's license number, passport number, or other similar identifiers). storEDGE may retain records for a commercially reasonable time after termination of the services for backup, archival, fraud prevention or detection or audit purposes, or as otherwise required by law.
A consumer has requested access to their PI, what steps do I take?
A consumer’s request to access their PI requires that the business provide the consumer with the requested PI in a readily usable and portable format.
If a customer has submitted one of these requests to your organization, you can request instructions on how to provide an abbreviated disclosure or expanded disclosure by contacting Storable support at either CCPASupport@storable.com or 1-888-503-0583.
I have additional questions about my company’s obligations under CCPA.
Storable is unable to provide legal recommendations. We recommend you seek legal counsel as necessary.