Lori Ballen is a member of the Amazon Associates Program and earns money from qualifying purchases. Posts contain affiliate links that benefit Lori as well.
Bottom line: You must disclose how you collect visitor data and how you use it.
The EU Privacy Laws, also known as the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. This rule may seem like it shouldn’t impact you because your real estate website is based in the United States. However, it has a rather profound impact on your company and your real estate website. In addition, privacy laws have reached us in the United States, with California rolling out the first act: the California Consumer Privacy Act (CCPA).
This video features Meg White from REALTOR Magazine discussing the GDPR with Finley Maxson, NAR Senior Counsel and Liz Sturrock, NAR Vice President of Information Technology. Many of the questions you may be asking will be answered within the video.
The EU Privacy Laws, or GDPR, is a regulation replacing the old Data Protection Directive 95/46/EC. It was debated for about four years before final approval was granted by the EU Parliament on April 14th, 2016. The regulation is designed to harmonize the laws governing data privacy across Europe.
The goal of the GDPR is to protect EU citizens and their data. This new regulation has an impact on many businesses found in the United States including those in the real estate industry.
How is the GDPR Different?
The GDPR changes the way websites can collect and use data. EU Privacy Laws change the way consent is given.
The reason the GDPR impacts United States real estate businesses is the protection it provides. This regulation doesn’t care where the business or the owner of the website is located; it cares about the user. If the person is an EU resident, the GDPR applies.
Best Practices for GDPR
Most real estate companies need to change the way they handle consumer information. The first step is to figure out where this information is stored and how to locate it.
According to Liz Sturrock, NAR’s Vice President of Information Technology, “To know what data you have on consumers, you need to do a data inventory.”
It’s necessary to speak with your entire staff and all your associates to ensure you have a full accounting of all the data you have and where it’s currently stored.
Achieving compliance doesn’t have to be difficult. To start, you can add a pop-up window or a “lightbox” feature to your website asking the user to give consent before any data is collected. This is an easy way to ensure you’re in compliance moving forward.
In addition, website owners need to add a form to their website that gives EU residents the option to be forgotten. This can also be accomplished by providing an email address where you can be contacted if a user wants to be forgotten.
Your vendors are also important as you’re liable for how they use the data they collect from your website. Make sure your vendors are complying with these new rules.
Make sure Your Vendors are in Compliance
Since website owners are liable for the activities of their vendors, it’s important to make sure they are in compliance. Marketing companies love to use personal data and sensitive personal data for marketing.
Sensitive personal data includes:
- Racial or ethnic data
- Political opinions
- Religious and philosophical beliefs
- Trade union memberships
- Genetic data
- Health data
- Sex life and sexual orientation
Be sure your marketing team won’t be improperly using any data collected on your website.
One of the best ways to remain in compliance is simply to ask everybody for consent when they arrive at your website.
Then, if you use forms, ask at the very beginning of the form whether the person is an EU resident. If they are, that data needs to be handled in a certain way.
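The consent pop-up described above only does its job if nothing tracks the visitor until they have actually said yes. The following is an added example (not code from this article or from NAR) of the logic behind such a gate: it records the visitor's explicit choice per category together with a timestamp and the EU-resident answer from the form, treats silence or a malformed record as "no consent", lets consent be withdrawn in one call, and routes every tracker load through a single check. The storage key, the category names and the in-memory storage shim are assumptions of this example; in a browser the same functions can be given `window.localStorage` in place of `memoryStorage()`.

```javascript
// Added example: consent gate for a site's analytics and marketing scripts.
// Storage is abstracted behind localStorage's getItem/setItem/removeItem so the
// logic runs unchanged in Node (for testing) and in a browser.
const CONSENT_KEY = 'site-consent-v1';            // assumed key name
const CATEGORIES = ['analytics', 'marketing'];    // assumed categories

// In-memory stand-in with the same surface as window.localStorage.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Read the stored record; anything missing or malformed counts as "no decision yet".
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec === null || typeof rec !== 'object' || typeof rec.choices !== 'object' || rec.choices === null) {
      return null;
    }
    return rec;
  } catch (e) {
    return null;
  }
}

// Record an explicit choice. Every category defaults to false: a pre-ticked
// box or an unanswered banner is not consent. `now` is injectable for tests.
function recordConsent(storage, { choices = {}, euResident = null, now = () => new Date() } = {}) {
  const rec = {
    version: 1,
    decidedAt: now().toISOString(),   // evidence of when consent was given
    euResident,                       // answer from the form's first question
    choices: Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true])),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Withdrawing consent must be as easy as giving it.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// The single gate every tracker passes through before it is loaded.
function mayLoad(storage, category) {
  const rec = readConsent(storage);
  return rec !== null && rec.choices[category] === true;
}

// `loaders` maps a category to a function that injects its script tag.
// Returns the categories that were actually loaded.
function applyConsent(storage, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (mayLoad(storage, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}
```

In a real page, `applyConsent` runs once on load (so a returning visitor's stored choice is honoured) and again right after the lightbox's "save" button calls `recordConsent`; the loader functions are where the analytics and marketing `<script>` tags get inserted, and nothing else on the page should insert them.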
Penalties for Non-Compliance
If you don’t become compliant, you may face very stiff penalties. An organization in breach of the GDPR may be fined up to 4% of its annual global turnover or 20 million pounds. This is the maximum fine and will likely be reserved for the most serious infringements, such as not having the customer’s consent to process their data.
The fines for non-compliance use a tiered approach. For example, a company may only be fined 2% if it doesn’t have its records in order. These rules apply to both processors and controllers.
What to do if there’s a Data Breach?
What happens if you’re hacked or someone steals consumer data from your website? If this happens, and EU resident data is part of the stolen data, you have 72 hours to contact the authorities for each country where the affected users reside.
It’s best to be ready for this now and have a plan in place. The last thing you want is to have a data breach and be scrambling to figure out who you need to notify in each country while the clock is already ticking.
Does the GDPR Impact how Real Estate Companies Target United States Residents?
The short answer is no, but there’s more to it than saying it doesn’t impact the way you target residents of the U.S. Both Sturrock and Maxson agreed in the video that the GDPR is the way data privacy and security is headed. It’s better to become compliant now and not have to worry about it later as states or the federal government start to change the way data privacy is handled in the United States.
Rights of European Residents
EU residents have new rights including:
- The Right to be Forgotten – This right allows EU residents to ask a website or company to remove the data it holds about them. If someone requests this removal, you have to find their data and dispose of it. This includes cookies, IP addresses and other data collected for analytics.
- The Right to Data Portability – This right allows an EU resident to request the data you have on them and you must provide it.
- The Right of Access – This right allows an EU resident to ask a business if they have data on them, and if they do, the business must inform them of the data.
- The Right to Restriction of Processing – This right allows EU consumers to permit a business to store their data while asking that the business not use it.
- The Right to Rectification – This right allows an EU consumer to review their data and have any errors corrected.
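Each of the five rights above maps to a concrete operation on the records a site holds, and the one people get wrong is erasure: deleting the lead profile but leaving the analytics rows that carry the same person's IP address and cookie id. The following is an added example (not code from this article or from NAR) that implements all five against a small constructed record set; the record shape, the lookup by email and the sample rows are assumptions of this example rather than any real CRM's schema.

```javascript
// Added example: handling data-subject requests against an in-memory record set.
// Constructed sample data: two leads and the analytics events tied to them.
function makeStore() {
  return {
    leads: [
      { id: 'L-1', email: 'ana@example.com', name: 'Ana', phone: '555-0100', restricted: false },
      { id: 'L-2', email: 'ben@example.com', name: 'Ben', phone: '555-0101', restricted: false },
    ],
    // Analytics rows carry identifiers (IP, cookie id) that are personal data too.
    analytics: [
      { cookieId: 'c-aaa', ip: '203.0.113.5', leadId: 'L-1', page: '/listings/42' },
      { cookieId: 'c-bbb', ip: '203.0.113.9', leadId: 'L-2', page: '/listings/7' },
      { cookieId: 'c-aaa', ip: '203.0.113.5', leadId: 'L-1', page: '/contact' },
    ],
  };
}

// Lookup by the email the requester verified; case and whitespace are normalised.
function findLead(store, email) {
  const e = String(email).trim().toLowerCase();
  return store.leads.find((l) => l.email.toLowerCase() === e) || null;
}

// Right of access: say whether data is held, and what.
function access(store, email) {
  const lead = findLead(store, email);
  if (!lead) return { held: false };
  const events = store.analytics.filter((a) => a.leadId === lead.id);
  return { held: true, lead: { ...lead }, analyticsEvents: events.length };
}

// Right to data portability: a machine-readable export, null if nothing is held.
function exportData(store, email) {
  const lead = findLead(store, email);
  if (!lead) return null;
  return JSON.stringify({
    profile: { email: lead.email, name: lead.name, phone: lead.phone },
    analytics: store.analytics
      .filter((a) => a.leadId === lead.id)
      .map(({ cookieId, ip, page }) => ({ cookieId, ip, page })),
  }, null, 2);
}

// Right to rectification: only the fields the person may correct are writable.
function rectify(store, email, changes) {
  const lead = findLead(store, email);
  if (!lead) return false;
  for (const field of ['name', 'phone']) {
    if (typeof changes[field] === 'string') lead[field] = changes[field];
  }
  return true;
}

// Right to restriction: the record is kept but flagged so processing skips it.
function restrict(store, email, restricted = true) {
  const lead = findLead(store, email);
  if (!lead) return false;
  lead.restricted = restricted;
  return true;
}

// Every marketing or analytics job must draw from this, never from store.leads.
function processableLeads(store) {
  return store.leads.filter((l) => !l.restricted);
}

// Right to be forgotten: remove the profile AND the analytics rows tied to it.
function erase(store, email) {
  const lead = findLead(store, email);
  if (!lead) return { erased: false, profiles: 0, analytics: 0 };
  const before = store.analytics.length;
  store.analytics = store.analytics.filter((a) => a.leadId !== lead.id);
  store.leads = store.leads.filter((l) => l.id !== lead.id);
  return { erased: true, profiles: 1, analytics: before - store.analytics.length };
}
```

The `restricted` flag only works if every processing path goes through `processableLeads`; a mailing job that reads `store.leads` directly silently ignores the restriction, which is why the example exposes no other way to enumerate leads.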
Defining Personal Data
In order to remain compliant with the GDPR, it’s important to define personal data. Any information about or related to a person is considered personal data. If the data can be used to directly or indirectly identify the person, it’s personal data. This may include a picture, bank details, medical information, a computer’s IP address, an email address, a name or even posts on a social networking website.
The Bottom Line
When it comes to the GDPR and other acts such as the CCPA, it’s important to make sure you’re in compliance. Watch the video above and take the steps now to become compliant. Don’t wait until it’s too late.
The sooner you comply with the GDPR, and the sooner you publish your privacy policy, the easier things will be moving forward.