
Self-Storage Operators Collect Biometric Data, Payment Records, and Smart-Entry Credentials Every Day. Twenty States Now Have Privacy Laws That Apply.

Twenty states have comprehensive privacy laws in effect in 2026. Self-storage operators collect government IDs, payment data, access credentials, and biometric identifiers at every facility that runs smart entry. Illinois BIPA alone carries $1,000 to $5,000 per person in statutory damages, and the Seventh Circuit held in April 2026 that the 2024 damages cap applies retroactively to pending cases. Most operators have no formal privacy compliance program, and their vendor contracts leave them fully exposed.

By David Cartolano · Source: Inside Self-Storage / MultiState / Baker Donelson / Hunton Privacy Blog

Self-storage doesn't look like a data business from the outside. It looks like a building full of metal doors. But every facility that runs a modern operation is collecting government-issued identification, payment card details, contact information, and digital access credentials from every single tenant at move-in. Facilities that have deployed smart entry systems with fingerprint scanners or facial-recognition cameras are collecting biometric identifiers on top of all of that. The data footprint of a modern self-storage operation is substantially larger than most operators have formally mapped.

Twenty U.S. states now have comprehensive privacy laws in effect as of 2026, according to MultiState Associates. Indiana, Kentucky, and Rhode Island joined the group with laws that took effect January 1, 2026. Connecticut, Arkansas, and Utah laws took effect July 1, 2025. The cumulative effect is a national privacy compliance landscape that has changed more in the past 36 months than in the prior 20 years, and self-storage operators, who have been focused on pricing regulation and lien law modernization, have largely not kept pace with it.

The exposure is not theoretical. Illinois BIPA litigation generated more than 150 new class action cases in 2025 alone. The statute carries $1,000 to $5,000 per person in statutory damages. For an operator running a facility with fingerprint-scan entry in Illinois without a written consent policy and a compliant data-destruction schedule, the math on potential exposure is not complicated.


What Self-Storage Operators Are Actually Collecting

The typical self-storage tenant file at a modern facility is more extensive than most operators recognize. At move-in, operators collect a copy of government-issued identification, a mailing address and phone number, email address for digital communications, payment card data stored in a property management system, and the tenant's assigned gate code. For facilities with app-based entry, the tenant's smartphone device identifier may also be recorded.

Facilities that have deployed fingerprint-pad entry systems, which have become increasingly common in urban markets as a replacement for PIN-code access, are collecting biometric identifiers in addition to everything else. Facilities with AI-powered security cameras that use facial-recognition software to verify authorized users or flag unknown visitors are collecting facial-geometry data, which falls under biometric definitions in multiple state laws. As AI-powered smart-entry platforms expand, the biometric data footprint in self-storage is growing faster than the compliance infrastructure around it.

All of this data lives somewhere: in property management software platforms, in access control systems, in third-party cloud backups, and in integrations between systems that individual operators may not have fully audited. Inside Self-Storage identified payment-card data, contact details, smart access codes, and biometric identifiers as the primary exposure categories for self-storage operators in its 2026 legal threats review, and noted that operators frequently assume their technology vendors bear primary responsibility for breach liability.


Biometric Compliance Is the Sharpest Edge

The Illinois Biometric Information Privacy Act remains the most litigated biometric privacy law in the country, even after the state legislature amended it in August 2024. That amendment replaced the original per-scan damages model, which allowed statutory damages to multiply with every fingerprint or facial recognition scan, with a per-person framework. The Seventh Circuit Court of Appeals held on April 1, 2026, that this amendment applies retroactively to pending cases. The result is a narrower but still substantial exposure: $1,000 per person for negligent violations, $5,000 per person for intentional or reckless violations.

For a self-storage operator in Illinois with 400 tenants using fingerprint-pad access and no written consent policy, the potential exposure under BIPA remains material. The class action mechanism that makes BIPA cases expensive (a single plaintiff can represent a class of all affected tenants) has not changed. The litigation dropped from 427 cases filed in 2024 to 150 in 2025, but that reflects the damages cap more than a reduced underlying compliance risk. The statute still requires a written, publicly available retention policy, informed written consent before collecting biometric data, and defined schedules for biometric data destruction. Most self-storage operators running fingerprint-pad systems have none of these in place.

Illinois is not alone. Texas's Capture or Use of Biometric Identifier Act and Washington's My Health My Data Act both require explicit consent before biometric data collection. As other states consider biometric privacy legislation, the legal exposure associated with facial-recognition security cameras and fingerprint-based entry systems is only going to grow for operators who have not addressed consent and retention documentation.


The Vendor Contract Problem

The most common self-storage operator assumption about data privacy is that it is primarily a vendor problem. The software company, the access control manufacturer, the payment processor: if they hold the data and get breached, they bear the liability. That assumption does not survive review of most vendor contracts.

Inside Self-Storage's review of self-storage legal threats in 2026 found that vendor indemnification clauses are frequently written to limit vendor liability and leave operators exposed for third-party breaches. If a property management platform or smart-entry system is hacked and tenant data is compromised, the self-storage operator may have independent notification obligations under state law regardless of where the breach occurred in the vendor chain. All 50 states have data breach notification laws. Depending on the state, operators may be required to notify affected tenants within 30 to 90 days of discovering a breach. Failure to meet those timelines carries its own penalties.

Cyber-liability insurance covers breach response costs, notification expenses, regulatory defense, and resulting fines, but only if the operator carries it. Many independent operators do not. For those who do, the interplay between biometric privacy exclusions that some insurers have been adding to policies and BIPA-specific exposure requires careful review of what is actually covered.


A Twenty-State Patchwork Without Federal Preemption

The reason state-by-state privacy compliance is genuinely complex for self-storage operators with facilities across multiple states is that there is no federal privacy standard that preempts state variation. The 20 comprehensive state privacy laws in effect differ on data categories covered, consent requirements, opt-out versus opt-in frameworks, consumer rights to access and delete data, and enforcement mechanisms.

California's CPRA gives consumers the right to opt out of sale or sharing of their personal data and the right to correct or delete it. Virginia's CDPA has broadly similar consumer rights but a different enforcement framework. Indiana, Kentucky, and Rhode Island each added their own specific requirements with their January 2026 effective dates. An operator running facilities in California, Texas, Illinois, and Virginia is operating in four different legal frameworks simultaneously, each with its own notice, consent, and data handling requirements.

Baker Donelson noted in its January 2026 privacy compliance review that data minimization, the practice of collecting only what you actually need and deleting it on a defined schedule, is now required or strongly implied under most state frameworks. For self-storage operators who have been indefinitely retaining identification copies, gate code records, and access logs because there was no clear policy for deleting them, 2026 brings real compliance obligations they have not previously faced.


What Operators Need to Do Before They Have a Problem

Compliance here is not a software purchase. It is a documentation and policy exercise. The steps are known; most operators have simply not taken them yet.

A data inventory is the starting point: what data does the facility collect at move-in, what does each software system retain and for how long, and where is it all stored. That inventory maps the exposure. For facilities with fingerprint or facial-recognition systems in Illinois, Texas, or Washington, the biometric consent process is an immediate priority: written policy publicly posted, written consent obtained from every tenant before first biometric data collection, and a written schedule for data destruction when the tenancy ends.

Vendor contracts need to be reviewed for indemnification scope. Operators need to know specifically whether their property management software, access control system, and payment processor contracts require the vendor to notify them of a breach, what the timeline for that notification is, and whether liability for tenant notification sits with the operator or the vendor. Cyber-liability insurance should be verified to cover biometric privacy claims, not just generic data breaches, and exclusion language should be reviewed carefully.

The compliance overhead for a single-facility or small-chain operator is manageable. The litigation and regulatory exposure from ignoring it is not.


The Numbers Worth Writing Down

  • Twenty U.S. states have comprehensive data privacy laws in effect as of 2026 (MultiState Associates)
  • Three states added January 1, 2026: Indiana, Kentucky, Rhode Island
  • Illinois BIPA statutory damages: $1,000 per person for negligent violations, $5,000 per person for intentional violations
  • BIPA litigation in 2025: 150 new class action cases filed (down from 427 in 2024, following the 2024 amendment)
  • Seventh Circuit held April 1, 2026: 2024 BIPA damages cap applies retroactively to pending cases
  • States with biometric-specific laws requiring written consent before collection: Illinois, Texas, Washington
  • All 50 states have data breach notification laws requiring tenant notification after a confirmed breach
  • Data categories self-storage operators routinely collect: government IDs, payment card data, contact information, gate access credentials, and, at some facilities, biometric identifiers
  • Most biometric data collection by self-storage operators operates with no written consent policy and no documented data destruction schedule

Privacy Regulation Is the Next Compliance Wave. Most Operators Aren't Tracking It.

The self-storage industry's regulatory attention in 2024 and 2025 was appropriately focused on pricing transparency, lien law modernization, and the FTC's junk fees enforcement posture. Those battles produced real legislative outcomes across dozens of states. Data privacy has been developing on a separate track, with less industry-specific advocacy and less operator awareness, and it is now producing its own compliance requirements.

The operators most exposed are the ones who deployed modern technology (smart entry, AI security cameras, digital payment systems) without asking what data those systems collect, where it goes, or what state law requires of them. That describes most of the industry. The combination of twenty active state privacy laws, a biometric litigation landscape that remains active even after the Illinois damages reform, and vendor contracts that routinely push breach liability back onto operators means the compliance risk is real, present, and unaddressed in most self-storage portfolios today.

