CCPA Compliance Challenges Multifamily

California’s new consumer privacy act sends ripples across marketing efforts nationwide.

Following in the footsteps of the European Union, California launched its own California Consumer Privacy Act this year. The new regulations give consumers more rights and control over the use of collected data but also bring in a pain point for multifamily marketing. From email and phone numbers, all the way to employment and financial details, owners and operators must now take extra layers of precaution in how sensitive data is handled and shared.

“All lines of multifamily operations will be impacted by these new privacy standards,” said Kevin Donnelly, vice president of government affairs at the National Multifamily Housing Council. “Whether it’s a traditional marketing company or marketing to specific residents, companies need to be fully aware of what requirements will come from this.”

Broadstone Summer Street, Houston. Image courtesy of Alliance Residential Co

Who Does CCPA Apply To?

The CCPA affects for-profit entities that process data for California residents and meet one of the following three criteria: have annual revenues of $25 million or more; obtain personal information of 50,000 or more residents; or derive 50 percent of annual revenue from selling California residents’ personal information.

This policy shook the industry, with NMHC even adding a day to its OpTech Conference last November to tackle the subject. During the event, Rob Traycoff, vice president of regulatory compliance at RealPage, said, “We’re trying to hit a moving target. If we’re not in this together, we’ll crash and burn with CCPA.”

There are now close to 30 other states that have pending legislation or are planning to pass similar laws. Scott Pechersky, senior vice president of technology at Alliance Residential Co., said that these new regulations will provide a wake-up call regarding how “personal information” is collected and used for marketing purposes. Real estate marketers and managers collect personal information in a number of ways, including search histories that they track or purchase, login information, property tours and resident applications.

“Everyone was worried, but I think there is a great opportunity to greater evaluate the data you have and where it is going,” Pechersky said.

NMHC partnered with Manatt, Phelps & Phillips LLP to produce a white paper providing an overview of the data privacy landscape, emerging challenges and considerations to assist multifamily owners and operators in navigating these complex changes. As noted in the white paper, this new framework “takes a notable shift away from the assumption that businesses have primary authority in deciding how to use the information they collect.”

The CCPA law breaks this down into three segments: access; choice and control; and deletion. Consumers can request that a business provide an explanation regarding what types of personal info are maintained, how the data is being used and with whom it is shared and why. Individuals can restrict a company’s ability to process personal data and object to certain forms of processing. Lastly, they can request that all data held by third parties be deleted.

How Is Marketing Affected?

Marketing is the first to take a hit since it’s the main driver of how and why information is collected in the first place. The law itself doesn’t throw a huge wrench in marketing tactics. However, it does aim to ensure compliance once the marketing process is completed.

According to a Deloitte quick reference guide on the CCPA law, penalties for noncompliance per violation are $2,500 if unintentional or $7,500 if intentional. If personal information is exposed during a data breach, consumers can sue the company for anywhere between $100 and $750 per incident. The deadline for the California Attorney General to publish regulations is July 2, 2020.

With such high stakes, it is crucial for multifamily businesses to comply, especially when focusing on marketing. Targeting consumers will be more difficult without personal data to use in ads or search tracking. Those utilizing third parties will also be at a greater risk because the policy involves more compliance layers, for both you and the third party.

Regardless of state, the new law is bound to affect everyone soon. According to Jonah Digital Agency, what matters most is who visits your websites and where they’re browsing from. Let’s take an owner or operator of Boston communities as an example. Say there is a potential resident, currently living in Los Angeles and being transferred to Boston for work. From the first data point you collect, the company is affected because we’re talking about a California resident, covered by the CCPA. As there is no way to know for sure in advance, it’s better to stay one step ahead and avoid issues down the road.

What Is CCPA Compliance?

The first step is conducting a data-mapping exercise. It is vital to understand what information your organization has collected and stored, as well as looking at what you no longer need and what could increase liability, said Julianne Goodfellow, senior director of Government Affairs at NMHC. “Analyze its purpose and use cases, why you have it, what you’re doing with it and make sure your third-party relationships understand their obligations from a security and privacy perspective,” she added.

The next step is updating procedures to reflect any ongoing changes and information that has been upgraded from the data-mapping exercise. Under the new law, businesses must give consumers advance notice on what personal information has been collected, where it was collected from, why it was compiled and how it will be used and shared in the future.

Once the privacy policy and data collection practices are updated, you need an internal system that deals with consumers wishing to access stored personal data. “Every company should have a mechanism in place that deals with resident requests. This can usually be found through an 800 number or a form on the website to request the data,” said Alliance Residential’s Pechersky.

“Hopefully there can be a generalization for where the information is going and a company won’t need to name specifics, but it depends on the data you have.” He added that owners and operators should do their due diligence and really understand where the data is being transferred so they know where it is when a resident asks for it, allowing them to easily follow up with that third party for access.

Read the April 2020 issue of MHN.