With the implementation of the EU's General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"), everyone, including REALTORS, needs to be aware that security is no longer discretionary.
"Privacy and compliance standards are now are tightly regulated. We can no longer conduct business the way we did just a few years ago., Business need proper security systems in place in the same way they need to adhere to tax and other laws." - Dave Tuckman, GSWS CyberSecurity - firstname.lastname@example.org
As part of their acclaimed realegal® series, the California Association of Realtors® published in-depth guidance for Realtors on both the GDPR and the CCPA.
- EU’s General Data Protection Regulation (“GDPR”)
- California Consumer Privacy Act (“CCPA”)
EU’s General Data Protection Regulation (“GDPR”)
The importance of data privacy to consumers today should not be underestimated. Leading the way internationally, the European Union adopted the General Data Protection Regulation (“GDPR”) effective May 25, 2018, causing a flurry of concern from companies that collect and use consumer data. But what is GDPR, what does it regulate, and most importantly, why should a California REALTOR® care about a European law?
GDPR, controlling law in all member states of the European Union (and Iceland, Liechtenstein, and Norway), regulates when and how businesses store and handle consumer personal data, and what rights a consumer has in such data.
What could concern a California REALTOR®? GDPR requires compliance from businesses operating within an EU member state, but also from any business located outside the EU handling an EU person’s data, if one of two conditions applies: 1) the business offers goods or services to EU persons; or 2) the business monitors a data subject’s behavior to the extent such behavior occurs in the EU, which could include tracking online behavior using cookies or some other method. A California REALTOR® advertising Pacific Coast holiday homes to German and Italian buyers would likely be required to comply with GDPR. Under an expansive view of the law, which is new and has not yet been tested in courts of law, an EU person visiting your website while you have behavior tracking implemented could also trigger your requirement to comply with GDPR. If you have concerns, you should consult with your website vendors or a data privacy expert to develop a strategy for handling EU visitors to your website.
For GDPR, “Personal Data” is defined broadly, meaning any information that by itself, or in combination with other information held by the business, would likely identify a living person. This can include a person’s name, age and physical or e-mail address; that person’s family and lifestyle details such as marital status or number of children; medical details; employment details; financial details; and contractual details such as the goods and services provided to that person by the business.
If a business undertakes any activity relating to personal data of an EU person, that business will need to comply with GDPR’s requirements. Additionally, a business regulated by GDPR must not only make sure its own practices conform with the regulation, but also must ensure compliance by any third-party businesses it has contracts with to process data on its behalf, such as vendors, service providers, and related corporate entities.
To comply with GDPR, a business must clearly disclose to consumers what data it is collecting and for what purposes, and the business may not go beyond the disclosed categories and purposes. A consumer’s personal data can usually only be collected, stored and used if the business can prove it obtained the consumer’s affirmative consent; the consumer’s silence, the use of pre-checked consent boxes, or the consumer’s failure to object are all insufficient grounds to show affirmative consent. Businesses should ensure that data is kept accurate and up-to-date, and stored only as long as necessary (qualified by any legal requirements mandating longer storage, such as DRE record requirements), and the consumer must be given the right to correct any data held by the business. The business must also afford the consumer a “right to be forgotten,” which is the right to demand erasure of the consumer’s data once there is no longer any business need and there are no prevailing legal requirements to maintain storage. The business must also ensure it adopts appropriate technical and organizational security measures so that consumers’ personal data is stored securely and protected against unauthorized or illegal access or use, and accidental loss or destruction.
GDPR’s breathtaking penalties include the higher of 20 million Euros or 4% of the business’ total global turnover for the previous financial year. While this level of penalty will likely be reserved for only the most egregious breaches of GDPR, a failure to comply with GDPR could prove costly. Unfortunately, it is beyond the scope of this article to cover in depth all the requirements for compliance with GDPR. Although California REALTORS® should be aware of GDPR, many likely will not fall within its regulatory scope; however, if you have specific questions about your business and GDPR, you should seek your own counsel from a data privacy expert.
California Consumer Privacy Act (“CCPA”)
Not to be outdone by its European cousins, the California legislature recently passed the California Consumer Privacy Act (“CCPA”) making sweeping changes and additions to California’s existing privacy legislation. CCPA, not taking effect until January 1, 2020, was passed in an extremely short period to prevent an even broader and perhaps more troublesome privacy initiative appearing on the November 2018 ballot.
The law applies to any business doing business in California that directly or indirectly collects consumers’ personal information and determines the purpose and means of processing such information, provided that one of three conditions is met:
- The business has $25 million or more in annual revenues;
- The business derives half or more of its revenues from the sale of consumer data; or
- The business annually buys, receives for its commercial purposes, sells, or shares for its commercial purposes, the personal information of 50,000 or more consumers, households or devices (which breaks down to as little as 137 transactions or website visitors per day on average).
More broadly defined than in other California laws, “consumer” includes individual customers, employees, independent contractors and vendors, and “personal information” applies to all data capable of being associated with an individual or household, not only electronic information. As a result, many California REALTORS® may fall within CCPA’s coverage.
Among other requirements, covered businesses must provide information to their “consumers” regarding information that is collected and why, delete information on a consumer’s request, and allow opt-out on sale of personal information. Additionally, the business will be required to provide additional information on the specific data, use and disclosures upon consumer requests.
CCPA prevents most private lawsuits, reserving enforcement action to the California Attorney General, although certain data breach allegations may be subject to private lawsuit provided that the Attorney General approves the lawsuit. A business must also be given a right to cure an alleged violation before any enforcement action by the Attorney General or private complainant may proceed.
It is possible that the specifics of CCPA may be amended by the California legislature before it becomes effective in 2020, but California REALTORS® should start to consider if CCPA applies to them and, if so, how to comply.