Alycia Workman, Esq., is Senior Associate General Counsel at MRI Software.
The California Consumer Privacy Act (CCPA) is set to have a major impact on the multifamily real estate industry, beginning as early as January 2020. The new consumer privacy law gives California residents significant control over their personal data, including the right to know who’s collecting it, what it’s being used for, whether it’s being sold or shared with others, and the right for it to be deleted.
The new regulation isn’t just aimed at big tech companies like Facebook and Google – it impacts a large number of private, for-profit organizations that do business with consumers in the state of California, including multifamily organizations.
What is the CCPA?
The CCPA will impose strict requirements on how multifamily owners and operators interact with a wide range of personal information of each California resident that they engage with, including prospects and former residents. It also covers business contacts, vendors, and employees. The CCPA gives consumers the right to restrict the sale of their data and to have their information deleted. The law will, in large part, go into effect January 1, 2020 with some exceptions extending to 2021. Fines for violations range from $2,500 to $7,500 per incident, which can add up to a significant financial impact.
Companies that need to comply with the CCPA are those that meet one of the following criteria:
- The business has annual gross revenue in excess of $25 million.
- The business buys, receives for commercial purposes, sells, or shares for commercial purposes (alone or in combination) the personal information of 50,000 or more consumers, households, or devices annually.
- The business gains 50% or more in annual revenue from selling the data of California residents.
As such, the purview of the CCPA includes multifamily owners and operators that collect resident/tenant data as part of their everyday business. Even if your organization doesn’t currently meet any of these criteria, the CCPA outlines some twelve-month lookback periods, particularly around disclosures for use of the data over the previous twelve months, which a business would need to meet if it becomes subject to the law in the future.
How can your multifamily organization prepare for the CCPA?
The first step is to understand what data your business is collecting and why, where and how it’s stored, and whether it’s being shared with any other organizations. If you don’t know the answer to that, then you need to undertake a data mapping exercise to identify and document the answers to those questions. It can be a painful process, but it’s necessary to look at each of your systems and figure out what information is being collected, why it’s there, and how it’s being managed.
From there, you will need to incorporate the data mapping information into your privacy policies and data consent document. The CCPA outlines some very specific steps for consumer consent, so we recommend that you consult privacy counsel to ensure you are in compliance with the legal requirements.
Next, you will want to establish processes for handling consumer requests. For example, what steps will your staff take when a consumer requests to access the personal information you hold on them; how will you erase the consumer’s information if they make a proper request for it; how will you pass that request to your service providers; how will you verify that the requests are coming from the consumer themselves; etc. Additionally, in general, consumers may opt out of the sale of their personal information to another party.
If you are feeling overwhelmed by these requirements, take solace in the fact that the opt-in requirements of data collection under the CCPA are less onerous than the opt-in requirements for our British and European colleagues under the General Data Protection Regulation (GDPR).
Are there any exceptions?
You may be wondering how your multifamily property can continue doing business with consumers who have exercised their rights under the CCPA, such as the right to have their information deleted. Here are a few exceptions that may help you breathe a bit easier:
- You are not required to delete a resident’s personal information if it’s necessary to provide the services to the resident, i.e. a resident cannot use the right to delete as a way to avoid paying rents.
- You are not required to delete a consumer’s personal data if it is being used solely for internal uses that are reasonably aligned with the expectations of the consumer.
- You are not required to delete a consumer’s personal data if it’s required for you to comply with another law, like FCRA for example.
- The attorney general’s proposed regulations specify that de-identified information (which cannot be re-identified) is exempt from deletion and disclosure.
CCPA software for multifamily
In addition to putting processes in place to help your staff handle consumer requests for deletion, purpose-built property management and accounting software can enable your multifamily organization to maintain compliance. With version X.5.4 of MRI Software’s residential management solution, you have less to worry about regarding CCPA compliance. When a prospect applies to your multifamily property, the system tags each field that can be anonymized, so, should a resident ask to be forgotten, you can quickly comply with the request (subject to the allowed exceptions, of course).
What if I’m already GDPR-compliant?
Many businesses outside of the UK and Europe have already been impacted by GDPR, which took effect in May 2018. Multifamily organizations that are already in compliance with GDPR will have an easier time preparing for CCPA. While there is overlap between the two regulations, businesses may need to make additional modifications to ensure compliance across both laws.
While GDPR took more than a year to take effect, CCPA has taken shape much more quickly, giving businesses less time to prepare. As we await the final iteration of the attorney general regulations, multifamily owners and operators need to start planning today to make sure the right technology is in place. Learn more about how MRI Residential Management can make that easier.