On January 1, the California Consumer Privacy Act (CCPA) went into effect. It was a result of the California legislature’s action to provide additional protection to consumers and their personal information. The law is gaining attention not just in California but across the nation as other states take up the issue of personal privacy, and businesses prepare to comply with the most wide reaching U.S. privacy law to date.
Beyond regulation and legal obligation, we are living in a time of heightened sensitivity around the protection of personal information. At CES, the most high profile gathering of connected device manufacturers and enthusiasts, Kaya Yurieff, a reporter with CNN Business stated “The hottest product at CES 2020 is privacy.” The property industry has always been a steward of a lot of private information but with the explosion of data collection and data analysis technology, real estate companies now need to take on much more responsibility when it comes to data privacy.
The CCPA applies not just to real estate but across other industries as well. The California law applies to any for-profit business that collects personal information while conducting business in California and meets or exceeds specific activity levels. These include annual gross revenue of $25,000,000 or higher, buying, receiving, selling or sharing for commercial purposes (alone or in combination) the personal information of 50,000 or more consumers, households, or devices annually; or (iii) a for-profit business that gains 50% or more in annual revenue from selling the data of California residents. This applies to property owners and managers, security companies, retail stores and more. It means your organization does not have to be physically located in California to be impacted by the CCPA. The CCPA also outlines some twelve-month look-back periods, particularly around disclosures for use of personal information.
There are some cues on enforcement that can be taken from what has occurred in Europe since the passage of The General Data Protection Regulation (GDPR). Cases finalized under GDPR definitively show that privacy is viewed as a serious matter that regulators will enforce. Relevant governing bodies have issued over $400 billion in fines for GDPR failures so far.
The real estate industry needs to take action to ensure compliance. Balanced against this new law are increasing consumer demands which drive the real estate market. Consumers are demanding a single, often mobile, experience in all aspects of their lives. This includes both where they live and where they work. Many organizations, particularly residential real estate organizations, now have a wide range of data points on their residents used to provide and enhance the services in the manner residents have shown a preference for.
For example, real estate owners, service providers and property management firms are offering smart home technology in residential units, which can track household preferences through digital devices. Temperature adjustments can be made remotely through smart thermostats, using an application available on a mobile phone or other digital device. Others are adding additional security features to protect their residents and tenants, such as package tracking, security cameras, and electronic visitor logs – services often provided through third parties. With multiple devices installed across properties collecting data, it’s easy to see how the threshold of 50,000 could be reached in a geographic area the size of California. What can organizations do to make sure all this personal information is CCPA-compliant, and provide appropriate disclosures to consumers?
Know your data
Once you know what you are looking for, the next step towards compliance is understanding what personal information you have today. Gaining the knowledge of your organization’s data footprint is necessary to begin your CCPA compliance journey. One way to do this is with a data mapping exercise where you identify:
- What personal information your business is collecting
- Why it’s collected
- Where and how it’s stored
- What security is in place to protect it
- Whether it’s being shared with any other organizations
- What is being stored by your third parties
- How the third parties are storing it
- What security provisions those third parties have in place to protect the data
- Whether any of your third parties are selling the personal information
Personal information is much broader under the CCPA, and can be defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.
This includes name, social security number, banking information, physical address and IP address, and less obvious information such as biometric information, images on security cameras, smart home technology settings, and consumer profiles compiled using various data points and digital devices. In order to adequately comply with CCPA as well as other privacy laws related to personal information, you must have a handle on all of the personal information flowing to and from your organization.
Flag any areas of risk or needed improvement, both within your organization and with third parties who handle data on your organization’s behalf. Compliance with CCPA may also require changes to your existing third party agreements. Ask the question, “Is the personal information we’re collecting providing a current or future benefit to our organization and our customers?” If not, re-evaluate why you’re collecting it at all.
Update policies and procedures
After you’ve identified the personal information you have, your next step is to examine your company’s security policies and procedures to ensure the risk of data loss is minimized. Thereafter, you should begin a review of your company’s privacy policies to ensure they are compliant with privacy law. Remember that one of the most fundamental rights granted by the CCPA is that consumers have the right to be informed. Updating your consumer-facing privacy policies is in itself providing a mechanism to meet the fundamental right of consumers to be informed. At a minimum, your organization’s privacy policies need to spell out what information is being collected about consumers, and for what purpose the information is being used.
Next, update your internal procedures to allow your company to address the other rights that consumers might take advantage of, like their right to receive access to their personal information, and the right to request its deletion. With certain exceptions, the CCPA grants a right to consumers to receive access to the information that is being collected or held about them, including: 1) the categories of personal information collected; (2) the sources from which the information was collected; (3) the business or commercial purpose for collecting or selling the information; (4) categories of third parties with whom the business shares the information; (5) the specific pieces of personal information the business collected about the consumer. In most instances, the time period covers the last twelve (12) months. Your organization needs to have processes in place to tell your employees what to do when a request comes in, how to verify that the person making the request is authorized to make it, how to gather the information promptly, and how to securely deliver the information within the 45 day timeline. Make sure to include at least two designated methods for consumers to submit requests for information, including a toll-free telephone number and the business website address.
Under the CCPA, consumers also have a right to have their personal information deleted. As an organization, you will need to have a process to receive those deletion requests, to verify the identity of the person requesting the deletion, to identify if the personal information falls into a category that is exempt from deletion, to delete the information that is not exempt, and to confirm that deletion has been completed.
The CCPA also grants consumers the right to opt out of sale of their personal data. It’s a “don’t make money from my data“ option. As an organization, you will need to have a process in place to receive the opt-out request, verify the identity of the requester, and store the information so that you can reference it later (make sure to include the date that you received the request). You also need to identify what steps should be taken when that request is received so that the individual’s information is pulled from any future sale.
Outsourcing poses additional responsibilities. CCPA calls for companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information collected. The CCPA permits a private right of action with statutory damages per consumer against a business for a failure to maintain reasonable security procedures and practices. This risk does not go away once personal information is shared with third parties. The regulated business is responsible for ensuring that any business partners to which it provides personal information are maintaining reasonable security as well, even if that business partner is not directly regulated by the CCPA. For this reason, it is critical that regulated businesses review the security practices of their vendors to ensure they meet the “reasonable security” standard required under the CCPA.
In addition to ensuring that third party business partners have reasonable security procedures in place, if businesses share personal information with service providers, they will have to contractually ensure that service providers do not sell the personal information they receive. They will also need assistance with consumer requests for access to, or deletion of, personal information held by that service provider. Businesses will have to ensure that their service providers have proper procedures in place to comply with these requests within the timeframe required under CCPA.
Compliance with consumer privacy laws is mandatory, with stiff penalties for non-compliance and potential loss of consumer trust. Consumers and business partners are already demanding privacy-centered business practices in and out of the real estate market. Non-compliance is a non-option. The real estate industry can benefit from taking a more holistic approach to collecting and storing data by implementing a data governance strategy built on a standardized approach to data. Not only will it streamline compliance for future privacy regulations, it will help you make more meaningful business decisions by having access to accurate and timely data.
Please note: This article is not intended to provide legal advice, so please consult a legal professional for further and more specific guidance on your organization’s compliance with provisions of the CCPA.