Unlocking the Value of Tenant Data

May.13.2021

Landlords have access to an extraordinary amount of data. Building keycard systems accurately track when tenants enter a building or access specific amenities. Parcel lockers monitor the volume and frequency of package deliveries. And “smart home” devices provide detailed insight into tenants’ utilities usage and other behavior. When handled with care, these types of data can be used not only to guide day-to-day property management decisions, but also to generate an additional revenue stream. Prospective data buyers include hedge funds researching industry trends, advertisers seeking to understand building demographics, and third-party data brokers simply looking to grow their data sets. Before monetizing such data, however, it is important to understand the legal landscape governing such sales. Consider asking two key questions: First, can you sell your tenants’ data? And second, should you sell that data?

Can you sell your tenants’ data?

The collection, use and disclosure of data are subject to a complex patchwork of privacy restrictions, including federal and state laws, international regulations and contractual requirements. Any landlord considering selling data should work with experienced counsel to understand and proactively address potential restrictions well in advance of any data sales. Here are five frequent areas of risk exposure to keep in mind:

State restrictions on data sales. Recently enacted state and local laws specifically regulate the sale of data that is capable of being associated with an individual or household. For example, the New York City Tenant Data Privacy Act prohibits the sale of tenants’ data in some contexts. Similarly, under the California Consumer Privacy Act (CCPA), a landmark privacy law initially championed by a San Francisco real estate developer, companies that have over $25 million in gross annual revenue, process large volumes of California residents’ personal data or generate more than 50% of their annual revenue from selling such data must provide California residents with notice and the opportunity to opt out of any data sales. Virginia’s Consumer Data Protection Act and Nevada’s SB-220 both impose similar obligations in some contexts. In addition, both Vermont and California have annual registration requirements for companies that sell data relating to individuals in their states with whom they do not have a “direct relationship.”
Unfair and deceptive trade practices. The Federal Trade Commission (FTC) and state attorneys general routinely use laws prohibiting unfair and deceptive trade practices to investigate whether companies act contrary to the promises made in their online privacy policies. If a landlord does not clearly notify tenants that their data may be sold, or expressly promises that their data will not be sold, data sales may lead to regulatory scrutiny.
Contracts. A landlord’s rights in data stored on property management software or other third-party platforms may be limited by contracts entered into with those third parties. Proper diligence is needed to confirm that proposed data use cases do not breach existing contract terms, such as license restrictions and confidentiality obligations.
Sector-specific restrictions. Certain categories of data are subject to additional regulation, including protected health information, financial information, consumer reports and children’s information. In addition, certain uses of data may be restricted by law—for example, using data that is considered “material non-public information” to inform investment decisions may be prohibited by insider trading laws.
International requirements. Companies that do business outside of the United States are subject to an ever-growing set of data protection requirements in other jurisdictions. For example, the EU General Data Protection Regulation (GDPR) imposes notice and consent requirements in some contexts, as well as specific restrictions on international transfers of personal data. Companies that do business in Brazil similarly should keep in mind potential obligations under Brazil’s general data protection law (LGPD). Furthermore, data sales may be subject to export control and trade sanctions requirements.

Landlords that do not comply with applicable legal or contractual requirements risk regulatory penalties including fines and injunctive relief, litigation costs and reputational damage. Careful planning can help landlords to preserve and capitalize on the value of their data assets.

Should you sell your tenants’ data?

The fact that you can sell your tenants’ data does not mean you should sell that data. Journalists and consumer advocates are quick to criticize companies who use data for unexpected purposes, and privacy is paramount in assessing when and how to sell data. Consider structuring any data sales to remove personally identifiable information or otherwise proactively protect your tenants’ privacy.

Conclusion

Tenant data may be an attractive source of new revenue, but landlords should proceed with caution. Careful planning can help to address privacy concerns in advance so data assets do not also become a liability.

Authors

Shannon Yavorsky Partner, Cybersecurity & Datenschutz, Technology Transactions

San Francisco; London

See my bio

D: +1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cybersecurity & Datenschutz
Technology Transactions
Compliance & öffentliches Recht
Behördliche Untersuchungen und Vollstreckungsmaßnahmen
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

Shannon Yavorsky Partner Cybersecurity & Datenschutz, Technology Transactions

San Francisco; London

Shannon K. Yavorsky is a leading authority on United States (U.S.) and European data privacy and security issues. She is uniquely qualified in California, England and Wales and Ireland and helps clients navigate the increasingly complex global privacy and data security regulatory landscape.

Shannon Yavorsky is the head of Orrick's global Cyber, Privacy & Data Innovation Group. Shannon advises clients on a broad range of United States (U.S.) and European data privacy and cybersecurity issues, including emerging issues surrounding the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and the e-Privacy Directive. She helps clients undertake comprehensive privacy and cybersecurity assessments worldwide, evaluates privacy and security risks in corporate transactions and drafts and negotiate data-related vendor and arrangement contracts. She also counsels clients on cross-border data transfers, data breaches and developing global privacy compliance programs. She has significant experience with model contract clauses, privacy policies, website terms and conditions, data processing agreements and privacy and security issues in corporate transactions.

In addition to the GDPR, CPRA and CCPA, Shannon advises on an array of privacy and security laws and regulations, including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Telephone Consumer Protection Act (TCPA)
State breach notification laws
Advertising and payment card processing self-regulatory frameworks

Shannon also has an active general consumer protection practice and counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms. Her clients are multinational clients across diverse industry sectors, with an emphasis on technology, financial services, retail, staffing, advertising, healthcare, and automotive.

David Curtis Managing Associate, Cybersecurity & Datenschutz, Technology Transactions

Seattle; Boston

See my bio

D: +1 206 839 4338
E: [email protected]

Practice:

Litigation & IP Sector
Technology & Innovation Sector
Cybersecurity & Datenschutz
Technology Transactions

vCard

See full bio

David Curtis Managing Associate Cybersecurity & Datenschutz, Technology Transactions

Seattle; Boston

David provides privacy and security guidance to technology-led companies, from start-ups to multinationals.

David drafts and negotiates data licenses and other commercial contracts in which privacy and security issues are a key concern. In addition, he regularly advises clients on privacy policies, website terms and conditions and data processing agreements. David also counsels clients on digital advertising, Internet law and consumer protection, with a particular focus on compliance with the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA), the EU General Data Protection Regulation (GDPR), restrictions on unfair and deceptive trade practices and app store privacy requirements. David helped develop Orrick’s CCPA Readiness Assessment Tool, which enables companies to test how ready they are to comply with the CCPA as a first step to constructing a strategic compliance roadmap.

Before joining Orrick, David was an associate at Ropes & Gray LLP and an adjunct professor at Harvard Law School, where he taught legal research, writing and analysis. David clerked for Justice Barbara Lenk of the Supreme Judicial Court of Massachusetts.