United States: Mobile Home Park Privacy Matters

Various laws require companies to post and regularly update privacy policies that reflect the information practices of the company.
 

We did a sampling of both small private and public mobile home park (“MHP”) operator websites. Out of the 11 websites we reviewed, 2 did not have any policy (including 1 large company within the top 10 mobile home park portfolio companies) and many had policies that did not comply with applicable laws.
 

Many of the policies we found had not been updated in multiple years, contrary to legal requirements to annually update privacy policies. Some policies only seemed to address the MHP's website and not the data that they collect offline, such as in person or on calls. Some of the larger MHPs did cover the California Consumer Privacy Act (“CCPA”) as well.
 

Somewhat surprisingly, we found that certain forms widely available in the industry did not address legal requirements for website data collection and did not include standard up to date terms or language required by new state laws, such as terms allowing disclosures to service providers and contractors.
 

MHPs are likely subject to a plethora of privacy laws that should be addressed. While there are other state laws that may apply, below is a listing of California and Federal laws that may apply to MHPs:

• CCPA - The CCPA went into effect January 1, 2020 and requires detailed terms in external facing customer privacy policies, as well as employee privacy policies. The CCPA also applies to both online and offline data. Depending on how the data is being used and disclosed and vendor relationships, MHPs may be required to have a “Do not Sell or Share my personal information” link on their website. Certain terms must be included in vendor agreements. The California Privacy Protection Agency is vigorously going after businesses under the CCPA.
• CalOppa - The California Online Privacy Protection Act (“CalOppa”) has been in effect since July 1, 2004. As described by the California Attorney General's office, it requires “operators of commercial web sites or online services that collect personal information on California residents through a website to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.
• California's Shine the Light law requires that businesses with 20+ employees that share personal data with third parties for the third parties' direct marketing purposes have to either have given the user the choice regarding their data sharing or certain notices and information on request.
• FTC - Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” According to the FTC, a company that does not comply with its own privacy policy is violating Section 5 of the Federal Trade Commission Act for being unfair and/or deceptive. This means that a MHP privacy policy must be accurate and unambiguous and include details of both the technical and personal data being collected. It must reflect the MHP's actual data-related practices. As an example, under Section 5, it would be unfair to not disclose all of the personal information your MHP collects, and it would be deceptive to state that your MHP does not share personal information when in fact your MHP does. The FTC actively pursues companies that have violated their privacy policies and has brought privacy lawsuits against companies. 

Penalties for violations of any of these laws can be high. Historically, fines in the United States from the FTC have been higher than in the European Union where privacy is paramount. For example, penalties under the CCPA are $2,500 per violation or $7,500 for violations that are intentional or involve children. It is worth highlighting that these violations are per individual per occurrence. Thus, penalties can add up for one incident where each adversely impacted individual would be a violation. Additionally, there is a significant risk of class action lawsuits under privacy laws, including when there is a security breach.

Please reach out to us if you need any assistance in updating your privacy policies or privacy choice mechanisms, or have other privacy compliance concerns related to your MHP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.