How is the General Data Protection Regulation, passed in the EU affecting us in real estate here in the US? Get a closer look at the measures abroad and in the states to protect users’ privacy.
Scott Petronis, Chief Product and Technology Officer at eXp Realty, moderates a discussion with Scott Lockhart, CEO at Showcase IDX, and Marinda Neumann, Managing Attorney at Lotus Law Center, APC at Inman Connect's Hacker Connect in New York 2019.
Conference / Event: GDPR and Its Effect in the US at Inman Connect 2019
GDPR applies to any agent, broker or real estate marketing pro that works with European citizens. The upcoming California Consumer Protection Act (CCPA) will be closer to home and affect agents and brokers more directly. While there is a "stick" in the law, there is a huge opportunity for Realtors and brokers that successfully meet consumer's needs and desire for privacy. Listen to the discussion for more details.
Scott Lockhart: A serial entrepreneur
Marinda Neumann: Marinda is the managing attorney at Lotus Law Center, APC. Her firm represents multiple listing services and associations providing transactional and policy counsel. The firm also provides legal services to real estate professionals, vendors, and service providers, individuals, and businesses with a focus in contract, business law, data privacy and security, technology and data licensing, copyright, and trademark. Prior to becoming an
Scott Petronis: As eXp Realty’s Chief Product and Technology Officer, Scott leads the delivery of strategic agent-centric solutions that power the company’s business and rapidly growing agent base. Scott has more than 20 years of experience in delivering software and SaaS products for businesses and consumers. For more than six years, Scott has been a fixture in industry technology initiatives through his work with the Real Estate Standards Organization (RESO), including leading the Web API initiative as the Chair of the Transport Workgroup. In that role, he drove agreement on a new standard that allows companies to more rapidly innovate solutions for the real estate industry.
Pictures from Inman Connect 2019 in New York
Scott Petronis: Hopefully we're going to keep us moving along, about fifteen minute, wow, fifteen minutes to talk about GDPR, what do you think? Can we do it?
Scott Petronis: So welcome, sit. So what the heck is GDPR, so the general data protection regulation.
Scott Lockhart: Regulation, yeah.
Scott Petronis: So, GDPR of course, just by quick show of hands, how many people have had freak outs over the past year about GDPR?[crosstalk 00:00:36] pretty good portion of the room.
Scott Petronis: What I thought we would do is talk a little bit about, GDPR as it relates to our day to day life in North America, and let's see if we can dive into a couple topics that you can give people in the audience some good take-aways to figure out what does it mean to us, and how will it affect us here. OK?
Scott Petronis: So as a starting point, one of the things that, I think would be beneficial to talk a little bit about is, lets start with you Marinda, do you believe that there are going to be cases or are there already cases where the EU is going after companies and or individuals in the U.S. or abroad anywhere? Are there cases where there is true real threat of prosecution for …
Marinda Neumann: Well, there are a few in-fact, Google was one of the first.
Marinda Neumann: The french authorities lead me to fifty-seven million dollar finding in school, for improperly, or not sufficiently disclosing their data collection use for targeted directed marketing.
Marinda Neumann: There's another interesting case in Portugal, where the Portuguese authorities fined a hospital four-hundred million euros, and what was interesting about that is that it was an external data breach it was an internal data breach where about one-thousand staffers had access to patient records, where they only had like three-hundred doctors on staff, and so they were finned against that.
Marinda Neumann: So, I raised that point because it illustrates that we don't necessarily know how the regulation is going to be enforced, and so that's significant.
Marinda Neumann: I think, one of the questions that's often asked is, at least now that its there because regulation has been slow to start, I think it's primarily because the regulators really weren't prepared, there has been a number of reports and high volume reports, but the question now is, is it going to be proactively preventative, or is it going to be putative like, reactively putative, so that's kind of the question that out there now as to what's it going to look like, what's the landscape going to be in the future from the ring leaders stand point.
Scott Petronis: Would you like to talk a little bit about that?
Scott Lockhart: Yeah, sure. So just to give everyone a bit of an idea of what's happened since may 25th, when GDPR went into effect.
Scott Lockhart: With in the first five or so months there was over forty-two thousand reports, over notifications and its not just people who are doing this, so there's NGO's who are out there, there's a few prominent ones in the EU who are aggressively going after what they see is a breach's, breach's of data security, what Marinda talk about there is Google's power antagony.
Scott Lockhart: These are not necessarily one time infractions, these are ongoing ways that,
Scott Lockhart: It does have some parallels to real estate in lead information and things like that, as well as homes information and sales and all that kind of stuff, but just to put a bit of context to it as well, the Google thing that they fined fifty million euros for, was reported by June first, so within a week GDPR going into effect.
Scott Lockhart: It was announced on January 24th, or the 21st in the last week or so.
Scott Lockhart: So, and that's a big one, right?
Scott Lockhart: So until the french authorities had seen, and looking, Okay well were gonna call a lot of [inaudible 00:04:22] on to this but its just that, we don't really know the effects internationally, Google is just probably the livest fish so they targeted that first, but there's bound to be more happening.
Scott Petronis: So, I know we're talking about GDPR but, maybe we can bring it down to a North American level for a minute and just think about, what, there's been a lot of talk about modifications potentially to GDPR because its number one- extraordinarily confusing, number two- very difficult to actually implement some of the things that they are shooting for, but regardless of that, it seems to have created a bit of a movement, right?
Scott Petronis: Has that movement, have you started to see other changes in so, I know, Canada has some interesting rules and regulations that are evolving, morphing, I know, I think California has some new rules and regulations that their toying with, and who knows, there maybe some specifics that come out for the United States in general that are closer to what GDPR is going for.
Scott Petronis: What are your opinions on, are you seeing movement on those fronts about moving closer to the direction what's going on in the EU right here in our back yard and are there things that we should, I shouldn't say concerned with but, prepare for?
Marinda Neumann: I think there's definitely a trend, the United States work governed patchwork of privacy regulations, and there's virtually every state has a data breach notification law.
Marinda Neumann: So, that's kind of the immediate concern.
Marinda Neumann: There has been a lot of talk about the federal government coming up with some whole regulation that governs it all but, that's not necessarily anywhere [crosstalk 00:06:12] in the near future. The California Consumer Privacy Act is probably going to have a large impact given one- California is the fifth largest economy in the world, it's gonna have a broad, broadest effect.
Marinda Neumann: They often are the leaders in this kind of thing and other states will follow suit.
Marinda Neumann: The problem with privacy is its defined differently, so from your perspective its understanding what markets you're in and what laws govern the conduct that you're doing.
Marinda Neumann: So, I think there's definitely a trend and its not just North America, it is really global.
Marinda Neumann: Canada just reviewed their privacy act and they came up with a new data breach notification that's very similar to the GDPR and sometimes its very ambiguous so that's the difficulty, what is the actual requirement?
Marinda Neumann: So, staying ahead of it, and understanding what those regulations are demanding, and trying to prepare as best you can.
Scott Petronis: And, Scott, how are you seeing this effect, this must, in a practical way, right? It's got to effect the products that you build as well.
Scott Lockhart: For sure, and when you look at the GDPR's effect on us over here, it was really designed to be a motivator for other country's to do this because of, some of the very far rich income impacts that it has, penalties and such. So CCPA is something you need to look at, The California Consumer Protection Act of 2018, CCPA, write that down because you're going to hear a lot about that.
Scott Lockhart: It's enforceable in any state that does trade with California residents, and moreover than anything, the takeaway is that you guys really need to start thinking about the contents of it, as well as CASL which is the Canadian Anti-Spam Law, GDPR, they all have this kind of core threat, that's disclosure.
Scott Lockhart: Telling people the data you're taking from them, or using with their consent, so a lot of this requires explicit consent, as opposed to opted out consent or implicit consent, deletion, so being able to delete peoples information and giving them access to that as well.
Scott Lockhart: So not just telling them what you're taking but showing them what you have of theirs, and then be able to opt out of anything you've got as well.
Scott Lockhart: CCPA is interesting because they do have a lot, revolves around the selling of information which, is roughly defined as moving information around, if it has value, which is pretty much most [inaudible 00:08:52], so there's quite a bit of stuff in there, that pretty much every one in this room should be looking at, it goes into effect January 1st 2020, it was passed last year, and enforcement goes into effect, July 2020.
Marinda Neumann: Just to expand on one point with that, as far as applicability, there's three categories of applicability, one of the biggest one is, if you're collecting information on fifty-thousand individuals, devices or households, that's very, very sweeping, and so I think a lot of company's will probably find the applicability falls in that category, rather than the twenty-four million, if all your doing is [inaudible 00:09:41].
Scott Lockhart: There's one more part to it and that's that the stick, right?
Scott Lockhart: So GDPR came out scaring a lot of people cause it was like, up to twenty million euros fines for a breach and four percent of global turnover, which is a lot, unless you're having a lot of global turnover …
Scott Lockhart: CCPA is a little bit different in that it has actual damages and, sub-statutory damages that are in there too, but it can add up and one thing that, Marinda can talk, she's a lawyer, I'm not, but there's some absolute opportunity out there for class action cause it doesn't have to come from the state AG, …
Scott Lockhart: Anyone can bring suit over this stuff when it goes into effect after July 1st, we're probably gonna talk about that.
Scott Petronis: That way you can …
Scott Lockhart: Talk to your lawyer.
Scott Petronis: So, just bringing this down to the practical level, right?
Scott Petronis: You mentioned some of the things people are going to, that are, were going to know about, understand and appreciate, as anyone in this audience designing products or trying to take existing products and bring them into this new century of these requirements related to not just, privacy but control for the consumer.
Scott Petronis: What are the things that we should all be thinking about from a design perspective?
Scott Petronis: What are those things that we should, and I don't just mean UI/UX product design but even policy designs and those sorts of things right?
Scott Petronis: There always talking about some, all encompassing things all related to how Google deals with privacy, right?
Scott Petronis: You know Google's not the only one that needs to be concerned about that, that's something that everybody in this room, if you're building products, these are the things that we need to all be concerned about.
Scott Petronis: Just in the last few minutes, what are some of those practical things we can think about from our product perspective as well as from a policies and procedures perspective in our businesses that we can apply to help get us prepared for 2020 and things that we need to …
Scott Petronis: We can't wait until January, we need to start working on these things now and put them in place.
Scott Petronis: So Scott, in your estimation, what are those things?
Scott Lockhart: Sure, well, one of the big things from GDPR and one of the tenants of it, the main tenants and the first tenant they always talk about is the privacy by design, so its incorporating this privacy as a core part of the way you think about building a product, not as kind of a thing you slack on after the fact once you freak out about all you didn't know about before it took place.
Scott Lockhart: That being said, now, you're obviously gotta figure out what works for you and your product, but it's going to be the law and GDPR is fun to think about being a [inaudible 00:12:37] they're never gonna prosecute us over here, ha-ha, that's fine, isn't that nice?
Scott Lockhart: It's time to get real over here guys, looking at not just a product standpoint but also a marketing and business standpoint, privacy has a competitive advantage and being able to show your customers that, yeah, you take this seriously, yes you've got their back and you're protecting them, is gonna be probably the biggest opportunity that's out there, well beyond just the threat of some kind of Location or whatever.
Scott Petronis: I really like what you had to say, I just want to pause really quick on that point and we have less than two minutes.
Scott Petronis: Think about what Scott just said is, treating this as an opportunity, right? Not a stick, yes there's a stick but, the opportunity to differentiate yourself in this market.
Scott Petronis: What can you do to put the consumer in the greater control, and make them feel like you have their back?
Scott Petronis: That seems to be a huge standpoint.
Marinda Neumann: Absolutely, and I think, just being prepared. In order to understand what regulations actually apply, you kind of have to know what data you have, so we call it data mapping.
Marinda Neumann: So you figure what data you're collecting, what intent are you stirring and how are you using it, and you decide what policies and procedures you need to have in place and you can understand what rules and regulations apply.
Marinda Neumann: From a practical standpoint that's kind of the place to start in preparing and getting ahead of those regulations as they come out, and the other thing to remember the rules are designed to protect the consumer not necessarily the data, although the data security is absolutely relevant, but keep that in mind, the idea is to protect the consumer.
Marinda Neumann: If you're designing these things, what risk is that putting at the consumer and what are the regulators going to look at?, and that comes down to controlling those kinds of things, because to be fair, we're belief economy right?
Marinda Neumann: Which means the consumer is the arborator of business success, so if they're demanding these things then, as you said, find it as an opportunity, take it as an opportunity and the consumers will follow.
Scott Petronis: That's a great point, and so if you haven't gone through and exercise like this, a data mapping exercise, right?
Scott Petronis: Understand what you're capturing, understand how it's being used, understand even where its being stored in some cases we need to know.
Scott Petronis: Understand where it is traveling to, right?
Scott Petronis: Those are the things that you need to be prepared for because if you don't have that visibility, you're going to have a very difficult time figuring out what you do you need to do.
Marinda Neumann: And where its traveling from, because you don't necessarily know who is providing that data unless you know, they could be providing it from anywhere in the world.
Scott Petronis: Awesome, well, we have successfully accomplished this in fifteen minutes, next up is going to be Lucy to introduce the next panel, thank you so much Scott and Marinda.