Question: We live in a guard-gated community with a homeowners association. The management company sent letters to owners and residents requiring information for parking permits. They require a signed form stating name, property and mail address, telephone number, driver's license number or California identification card number of all adults in the household, DMV vehicle registrations and number of cars we park here. Management wants originals to copy and store. If vehicles are "company" cars, they require an employer's letter stating who is on the title and registered to drive it. If information isn't provided by a certain date, fines of $50 a month apply until "compliance." Our parking privileges will be suspended, unregistered vehicles will not be allowed to enter the community, and if parked inside, will be towed.
Our manager said this information goes to three different databases: homeowner association office, security guard company and management company. She said: "It's not for regulating parking or HOA information. We're registering vehicles of all our clients. We want a master database we can use for future business and in case we're sued." She says they "track" people moving from one complex to another and if the company is sued, "we won't have to waste money asking the court's permission to get this information." The security company is paying the management company for their residents database but it's unclear what they plan to do with the information. Owners don't want to provide this information. There are no minutes showing board motions and votes authorizing collection of personal information, no rules referencing this, and our covenants, conditions and restrictions are silent. The association attorney said: "The board has the right to enforce parking rules whatever way they think is appropriate." Is this legal?
Answer: The association's attorney is wrong. Boards do not have unrestricted power and unconditional authority to act unilaterally when enforcing so-called rules predicated on the board's interpretation of what is appropriate. That is not the standard for fiduciaries. Parking privileges cannot be suspended, and requiring employer letters subjects the association to lawsuits. Simply put, the board has no independent power. If there's no legal authority and express authority in the association's governing documents, no prior documented rules, no minutes, motions or votes corroborating authority to collect and/or stockpile owner information, then the $50 fine for non-compliance is null and void and owners should not pay or provide their personal details.
There is an abysmal lack of protection for titleholders' privacy rights under the Common Interest Development Act. Therefore, owners must be hyper-vigilant protecting themselves. No owner wants identifying information to be warehoused with any third party vendor as there are no quantifiable assurances, safeguards or statutory "chain of custody" procedures.
Because the association is the contracting party for goods or services with third parties, such as management and security guards, titleholders whose privacy is violated by a vendor have no standing to pursue an action against that vendor. And, even if they did, third party vendor contracts are laden with "hold harmless" clauses and provisions indemnifying even their intentional acts.
Worse, Civil Code section 5215 punishes owners: No association, officer, director, employee, agent or association volunteer shall be liable for damages to a titleholder or third party as the result of identity theft or other breach of privacy unless the act was intentional, willful or negligent. Then, under Civil Code section 5230, nothing limits the association's right to injunctive relief and to collect damages, costs, expenses and attorney fees for an owner's misuse of information obtained from association records. Little, if nothing, confers equal rights to titleholders for the association's misuse of their information.
A homeowners association is a business. Civil Code section 1798.81.5 mandates businesses that own or license personal information about Californians to provide reasonable security for that information. The phrase "own" includes, but is not limited to, personal information that a business retains as part of its internal accounts or for the purpose of using that information in transactions with the person to whom the information relates.
Businesses that disclose and/or carry personal information about a California resident shall implement and maintain security procedures and practices to protect that personal information from unauthorized access, destruction, use, modification or disclosure, under Civil Code section 1798.81.5. "Disclose" means to release, transfer, disseminate, or otherwise communicate orally, in writing, or by electronic or any other means to any third party, according to Civil Code section 1798.83.
"Personal information" means any information that identifies, relates to, describes or is capable of being associated with a particular individual, including, but not limited to, his name, signature, address, telephone number, driver's license number and/or California identification card number, under Civil Code section 1798.81.5. Associations requiring signatures on election materials must provide security measures for collection, retention and destruction of that information.
Prior to towing, the association and its agents must meet all the criteria set forth in Vehicle Code sections 22658 and 22953, including issuing a notice of parking violation and waiting 96 hours after issuance. Associations must display signage in accordance with these code sections. A towing company shall not commence removal of a vehicle from an association of a common interest development without first obtaining written authorization from an employee, agent of the association and/or board director, who shall be present at the time of removal and verify the alleged violation.