From building keycard records to detailed financial information, landlords, developers and property management companies have access to huge amounts of data, and U.S. regulators are starting to take note. A growing number of states are enacting privacy laws that impact how personal data can be used and how it should be protected, and at least one jurisdiction has enacted a tenant-specific law meant to curb the amount of information a landlord can collect. In this rapidly changing regulatory landscape, real estate professionals need to be proactive to avoid regulatory scrutiny and stay out of the headlines.
This guide outlines the five key real estate privacy concerns that landlords, developers and property management companies should keep in mind this year.
Implementing and maintaining reasonable security measures is a key concern for developers and property management companies. In several states, companies that suffer a security incident can be required to pay civil penalties that can scale quickly if large volumes of data are accessed by bad actors. In addition, under the California Privacy Rights Act (“CPRA”), California residents have a “private right of action” in connection with security incidents—they can sue if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Congress is currently considering a bill with a private right of action similar to the CPRA’s. Plaintiffs have already filed at least one class action suit against a California landlord alleging a failure to properly secure and safeguard their sensitive information. While the case is ongoing, it highlights the litigation risks landlords and property management companies may be exposed to for failing to secure their residents’ information.
Security is particularly important for Internet of Things (“IoT”) technologies, such as “smart” locks and thermostats and internet-connected appliances, which are increasingly targeted by bad actors looking to exploit software vulnerabilities. For example, California and Oregon have adopted specific minimum security standards for IoT devices. The Federal Trade Commission (“FTC”) is similarly focused on IoT security risks. In 2020, the FTC published a report specifically advocating for enhanced security for IoT devices using a risk-based approach. Companies should consider carefully reviewing the security practices of their IoT vendors to ensure they have appropriate security measures in place to limit the risk of a security incident and regulatory scrutiny.
Before using tenants’ personal information, companies should take care to ensure they have provided adequate notice to the individuals to whom the information relates. Several recently enacted state privacy laws may require businesses to provide clear and conspicuous notice of expected use cases for personal information at or before the point at which the information is collected. For example, under the CPRA, covered businesses need to disclose what personal information they collect, for what purposes and how individuals based in California may exercise certain state-specific privacy rights. Other new state privacy laws—including Colorado’s Privacy Act, Connecticut’s Data Privacy Act, Utah’s Privacy Act and Virginia’s Consumer Data Protection Act—will also impose similar obligations when they become operative in 2023.
Under recently enacted state privacy laws, many individuals have new expectations relating to their rights with regard to personal information about them, such as the right to access their personal information, to correct such information, to delete it and to obtain a portable copy. Complying with these rights can be a major administrative challenge when information is stored across several different software platforms and not carefully tracked. To limit the compliance burden, consider collecting data in organized and centralized databases or inventories and maintaining an up-to-date data map or inventory.
Good vendor management practices are another important aspect of data protection compliance, as state privacy laws are increasingly focused on ensuring companies maintain reasonable privacy practices at each step in their supply chain. Under the recently enacted state privacy laws, companies may be legally required to include specific minimum data protection terms in their vendor contracts, such as restrictions on the use of personal information, subcontracting requirements and privacy-specific audit rights. Procurement departments should work with experienced privacy counsel to develop contracts that include at least the minimum protections required under applicable law.
Landlords, developers and property management companies that do not comply with applicable laws or regulations risk regulatory penalties, including fines and injunctive relief. Additionally, they may lose their residents’ trust and suffer reputational damage. Accordingly, companies should keep a close eye on the rapidly developing legislative landscape, including monitoring new state privacy laws and developments in relation to a proposed federal privacy law. Consider consulting privacy counsel to comply with legal and regulatory obligations and to mitigate related risk.