Data Privacy Duties

Pending online data privacy rules in California require website operators to notify visitors (and obtain their consent) when their identifying information is being captured and explain what that information will be used for.

The new California data privacy law that addresses growing concerns over how online companies are using people’s personal information may be the beginning of a nationwide trend that could also affect REALTOR® associations, MLSs, and brokerages. Eight other states are using the law as a model for their own legislation, and your REALTOR® associations and MLS may need to change some practices when these laws take effect.

What the California Consumer Privacy Act does

The California Consumer Privacy Act, which was based on the European version called GDPR, goes into effect on Jan. 1, 2020. It defines personal information very broadly and requires certain disclosures to consumers about how their personal data is collected and used. Not all businesses will need to comply with the law, and there’s also a nonprofit exemption. Although this law is limited to the personal data of California residents, anyone who collects the information from California residents outside of the state may need to comply as well.

Here’s an overview designed to help AEs in California and nationwide get an idea of what their data privacy policies, procedures, and practices may look like in the near future.

What’s considered personal

“Personal information” has a broad definition under California law and includes anything that identifies, describes, or is capable of being associated with a particular consumer or household and is not limited to electronic data. For example, if you collect any names, property addresses, or even IP addresses using cookies or signup forms on your website or public-facing MLS, you’ll need to comply with the consumer disclosures in the law.

Who has to comply?

The California law will apply only to businesses that fall into the following categories:

• Organized as a for-profit
• Does business in California
• Collects personal information
• Determines how the information collected is processed and for what reason

Note that doing business in California is not limited to those businesses physically in the state; it will also cover businesses that interact with California residents—think Amazon, Netflix, Zillow, and Redfin.

If the business has the above elements, then the law applies if it meets any of the following criteria: It 1) has gross revenue of more than $25 million; 2) derives half its revenue from the sale of consumer data; or 3) buys, sells, shares, or receives for its commercial purposes the personal information of 50,000 or more consumers, households, or devices.

Although many associations and MLSs would not appear to meet the above categories, large MLSs will need to consider the personal information they have about ­California residents. For example, many MLSs purchase or receive data about properties that may include those owned by California residents.

Although the California law exempts nonprofits from compliance, there is an important caveat for nonprofit REALTOR® associations: If a nonprofit, such as a REALTOR® association, controls and shares branding with a for-profit subsidiary that needs to comply with the law—an MLS, for example—then the nonprofit entity may lose its exemption and need to comply with the law. “Common branding” is a shared name, service mark, or trademark.

How to comply

To comply with the California privacy law, businesses must post privacy policies and respond to consumers’ requests to have their data deleted, among other duties. Businesses that not only collect but also sell personal information have additional procedures to follow.

We’ve only touched upon the many requirements of the privacy law here. As this law and others like it become more popular, look to NAR to provide associations and MLSs with detailed compliance guidance.