Landlords have access to an extraordinary amount of data. Building keycard systems accurately track when tenants enter a building or access specific amenities. Parcel lockers monitor the volume and frequency of package deliveries. And “smart home” devices provide detailed insight into tenants’ utilities usage and other behavior. When handled with care, these types of data can be used not only to guide day-to-day property management decisions, but also to generate an additional revenue stream. Prospective data buyers include hedge funds researching industry trends, advertisers seeking to understand building demographics, and third-party data brokers simply looking to grow their data sets. Before monetizing such data, however, it is important to understand the legal landscape governing such sales. Consider asking two key questions: First, can you sell your tenants’ data? And second, should you sell that data?
Can you sell your tenants’ data?
The collection, use and disclosure of data are subject to a complex patchwork of privacy restrictions, including federal and state laws, international regulations and contractual requirements. Any landlord considering selling data should work with experienced counsel to understand and proactively address potential restrictions well in advance of any data sales. Here are five frequent areas of risk exposure to keep in mind:
- State restrictions on data sales. Recently enacted state and local laws specifically regulate the sale of data that is capable of being associated with an individual or household. For example, the New York City Tenant Data Privacy Act prohibits the sale of tenants’ data in some contexts. Similarly, under the California Consumer Privacy Act (CCPA), a landmark privacy law initially championed by a San Francisco real estate developer, companies that have over $25 million in gross annual revenue, process large volumes of California residents’ personal data or generate more than 50% of their annual revenue from selling such data must provide California residents with notice and the opportunity to opt out of any data sales. Virginia’s Consumer Data Protection Act and Nevada’s SB-220 both impose similar obligations in some contexts. In addition, both Vermont and California have annual registration requirements for companies that sell data relating to individuals in their states with whom they do not have a “direct relationship.”
- Unfair and deceptive trade practices. The Federal Trade Commission (FTC) and state attorneys general routinely use laws prohibiting unfair and deceptive trade practices to investigate whether companies act contrary to the promises made in their online privacy policies. If a landlord does not clearly notify tenants that their data may be sold, or expressly promises that their data will not be sold, data sales may lead to regulatory scrutiny.
- Contracts. A landlord’s rights in data stored on property management software or other third-party platforms may be limited by contracts entered into with those third parties. Proper diligence is needed to confirm that proposed data use cases do not breach existing contract terms, such as license restrictions and confidentiality obligations.
- Sector-specific restrictions. Certain categories of data are subject to additional regulation, including protected health information, financial information, consumer reports and children’s information. In addition, certain uses of data may be restricted by law—for example, using data that is considered “material non-public information” to inform investment decisions may be prohibited by insider trading laws.
- International requirements. Companies that do business outside of the United States are subject to an ever-growing set of data protection requirements in other jurisdictions. For example, the EU General Data Protection Regulation (GDPR) imposes notice and consent requirements in some contexts, as well as specific restrictions on international transfers of personal data. Companies that do business in Brazil similarly should keep in mind potential obligations under Brazil’s general data protection law (LGPD). Furthermore, data sales may be subject to export control and trade sanctions requirements.
Landlords that do not comply with applicable legal or contractual requirements risk regulatory penalties including fines and injunctive relief, litigation costs and reputational damage. Careful planning can help landlords to preserve and capitalize on the value of their data assets.
Should you sell your tenants’ data?
The fact that you can sell your tenants’ data does not mean you should sell that data. Journalists and consumer advocates are quick to criticize companies who use data for unexpected purposes, and privacy is paramount in assessing when and how to sell data. Consider structuring any data sales to remove personally identifiable information or otherwise proactively protect your tenants’ privacy.
Tenant data may be an attractive source of new revenue, but landlords should proceed with caution. Careful planning can help to address privacy concerns in advance so data assets do not also become a liability.