The Data Privacy Law That’s Shaking Up Multifamily

California’s CCPA regulation goes into effect Jan. 1, 2020. Here’s what you need to know about it.

Panelists speak about CCPA at the NMHC OPTECH 2019 conference in Dallas this week. Photo by Holly Dutton

A data privacy law that goes into effect next year could have a huge impact on how the multifamily industry operates, leaving companies that aren’t compliant with the new rules vulnerable to lawsuits, financial penalties and a damaged reputation.

The new law is so concerning to those in the industry that it prompted the National Multifamily Housing Council (NMHC) to add an extra day to its annual OPTECH Conference in Dallas this week in order to host a three-hour data privacy standards and compliance summit.

The California Consumer Privacy Act (CCPA) began to take shape in 2018, when legislators in the state, upset over major data breaches from companies like Target, Equifax and Cambridge Analytica, sought to quell the concerns of residents in the state who were outraged over the way their personal information was being collected and used.

More states are looking to follow in the CCPA’s footsteps—as of now 27 states either have pending legislation or are seeking to pass new laws. For its part, NMHC has published a white paper on the issue and is pushing for a federal framework.


CCPA is the broadest and most comprehensive consumer privacy and data protection legislation in the U.S. Often called “GDPR-lite,” referring to the General Data Protection Regulation (GDPR) adopted by the European Union in 2016 and put into effect last year, the law applies to businesses across several industry sectors and gives more rights and control to consumers over their data.

CCPA will go into effect on Jan. 1, 2020. To fall under the law, a business must be a for-profit entity, must process the data of California residents and must meet one of the following criteria:

  • Annual revenues of $25 million or more
  • Obtains personal information of 50,000 or more California residents
  • Derives 50 percent of annual revenue from selling California residents’ personal information

The law regulates any data that identifies a single person or household, or is reasonably capable of doing so if combined with additional data. That can include social security numbers, mailing addresses, phone numbers, biometrics, driver’s licenses, medical information, IP addresses, physical characteristics, internet activity related to browsing and search, financial information and more.

Consumers will have the right to access data, the right to opt out of data sales, the right to deletion of data and a private right of action for data breaches. The law is enforced by California’s Attorney General and gives entities a 30-day right to cure. Penalties for noncompliance can include fines up to $2,500 per violation under the unfair competition law and up to $7,500 per intentional violation of CCPA.


Meanwhile, the multifamily industry is struggling to wrap its head around exactly what the new law will entail, as some parts of the law are still unclear.

“We’re trying to hit a moving target,” said Rob Traycoff, vice president of regulatory compliance at RealPage, at a panel discussion at the NMHC OPTECH 2019 Conference in Dallas this week.

For many in the industry, the biggest challenge with the new law involves disclosure. Something as simple as a guest card with contact info that a prospective renter fills out when visiting a property could be subject to the new regulation, as could the contact info forms routinely featured on a community’s website.

And even if a company does its due diligence and educates itself on the new regulations in order to be compliant, it needs to make sure its third-party vendors are on board too. Multifamily owners and operators use third-party companies for everything from door locks to property management software packages.

“If we’re not in this together, we’ll crash and burn with CCPA,” said Traycoff.
