item image
29 May 2020

How Will CCPA Affect California's Real Estate Industry & When Will the Rest of the Country Join the Data Privacy Bandwagon?

At the start of 2020, the new California Consumer Privacy Act—or CCPA—went into effect. The law applies to any for-profit business, including real estate, that collects personal information while conducting business in California and meets additional criteria, including organizations that:

  • Have an annual gross revenue of $25,000,000 or higher or
  • Engage in buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices for commercial purposes or
  • Gains 50% of revenue from selling the data of California residents.

This means that even if you don’t have a physical location in California, your residential or commercial real estate organization may be subject to the CCPA regulation. Like its European counterpart, GDPR, CCPA was introduced to better protect consumers and their personal information. And, also like GDPR, CCPA compliance failures could be costly. Regulators enforcing GDPR have issued more than $100 million in fines in the past 20 months, according to CNBC, including a $54 million fine on Google for alleged infringements of GDPA related to data collection transparency and a lack of valid consent. 

Addressing CCPA in the real estate industry

Whether your real estate business is currently subject to the CCPA or not, you should start preparing to ensure compliance, particularly because the digital transformation taking place across the real estate industry elevates data privacy and protection risk.

Consumers increasingly want to use their smartphones for conducting real estate research, which means you’re collecting more data from digital interactions. In addition, a wide range of IoT devices, like smart home technology, are being used to deliver the experiences consumers want. In densely populated regions, this can quickly exceed the 50,000-person threshold set by CCPA. And, under the law, organizations are expected to ensure that any third-party service providers that collect data on their behalf—including security companies, digital agencies, and the like—also comply with the regulation. Whether you’re in residential or commercial real estate, data collection is inevitable. A recent Lexology article pointed out that the familiar process of providing ID to a security desk before entering large commercial office spaces would be subject to CCPA, even if the guard simply writes down a name on a paper sign-in sheet. How can you prepare to meet these standards?

  • Map your data footprint. This includes identifying what information is being collected on individuals or households and why, as well as where it is being stored and the security being used to protect it. In addition, determine whether it is being shared with any organization. Then conduct a similar assessment for third parties that you work with, with an added caveat to verify if any of the data is being sold.
  • Update policies and procedures. Determine if you have adequate security measure and privacy policies in place. One of the key components of CCPA, and conceivably future laws, is the consumer’s right to be informed about what information is being collected and how that information will be used. In addition, make sure that employee and third-party contracts reflect the new requirements. Finally, establish policies to address consumer requests to access the information that you’ve collected and to correct or delete the information.
  • Make consumer-facing policies public. Websites are prime territory for immediate updates since online access could take place from California, even if your organization is located in a different state. But as the Lexology example above shows, CCPA may also require that you put a statement on data collection policies on signage to alert consumers to less obvious ways that data is being gathered.

More state—and perhaps federal—laws ahead

While California was first out of the gate with this type of consumer data privacy and protection law, at least 15 other states are considering or are enacting similar legislation, including Nevada, New York, Maryland, Massachusetts, and Hawaii. In addition, The Data Protection Report notes that “The possibility of a US federal privacy law is still under consideration in Washington, DC, with the House Energy and Commerce Consumer Protection and Commerce Subcommittee Chairwoman Rep. Jan Schakowsky (D-IL) stating that she hopes to have a draft bill before Congress breaks for its August recess.

Whether the bill will move forward given the current COVID-19 pandemic, is yet to be seen. Recently, 32 trade associations representing companies across real estate, technology, banking, and other industries formally requested an enforcement delay, noting that “… the widespread adoption of mandatory work-from-home policies in the United States has affected businesses attempting to achieve CCPA compliance.” For now, at least, California’s attorney general has indicated that enforcement will still start July 1, 2020.

Since the writing is on the wall, however, real estate firms should start preparing now for tighter regulations around the collection and use of consumer data. What do you need to do to stay on the right side of the law?

See how Nexis® for Real Estate can help you find the data you need to grow your business, legally.