Understanding Privacy Policies
From membership lists to financial records, virtual board meetings to security footage – handling sensitive association data is all in a day’s work for managers and directors. Any software that handles data should have an accessible privacy policy. Understanding privacy policies, and its effect on managing and directing, further adds to the ongoing “Best Practices” discussion.
First, become acquainted with the mechanics of a privacy policy to make issue-spotting easier. Reviewing a policy is a simple process, though admittedly, the majority of software users skim through or skip reading altogether. A robust policy will address (1) encryption, (2) data collection and retention, (3) security management, and (4) breach notification procedure, to name a few. These terms are well defined in privacy policies for common programs, such as Google and Microsoft. Other programs used by managers and directors likely have similar policies with different phrasing or organization. But take note of ones that do not address or adequately define these terms. A general rule to follow is vague language signals increased risk exposure.
Privacy awareness and compliance is becoming more important as its laws become ubiquitous to more businesses. Even Automated License Plate Recognition (ALPR) operators are now encouraged to publicize its privacy policy or risk litigation, given a recent ruling from the California Court of Appeal. In Bartholomew v. Parking Concepts, Inc., the court held that collection and use of license plate information without publishing a statutorily required privacy policy regarding such collection caused the requisite harm to sue under Civil Code sections 1798.90.5-1798.90.55. Thus, gated communities using cameras should make its ALPR privacy policy easily accessible to all members.
Next, require clear exit terms when a subscription ends to maintain control of association data. A privacy policy should state whether data is returned, deleted, or retained. For example, attorneys are instructed to retain client files for at least 5 years after the attorney-client relationship has terminated before mass shredding. Data sanitization destroys electronic files like shredding destroys hard files. Similarly, managers and directors are encouraged to consider a reasonable retention period and a reliable sanitization method of electronic association records. If not, then personally identifiable information (PII), including full names, addresses, dates of births, and even license plate numbers can be sold to data brokers, potentially leading to imprudent results.
While the Davis-Stirling Common Interest Development Act facilitates a homeowner’s access to association records, the California Consumer Privacy Act gives California residents the right to access and delete their PII from businesses. This right is bolstered for common interest developments under the Safe at Home Program, to which associations must redact the PII of a program participant from association records, e.g., membership lists. Though a task that generative artificial intelligence (GAI) software can handle, users should know when GAI collects data to train its Language Learning Models (LLMs) through prompting. LLM training is how a lot of companies improve its GAI. Which is fine, so long as the privacy policy explicitly states that prompting is anonymized or aggregated, or the user affirmatively opts in.
Privacy law continues to evolve, so treat privacy policies as living documents. For further suggestions and tailored recommendations, managers and directors are encouraged to consult with their community association’s legal counsel, or a certified information privacy professional. Over time, comprehension and repetitive review of privacy policies will contribute to well-rounded governance.
