On May 25th, 2018, the European Union's General Data Protection Regulation (GDPR) takes effect. You might be thinking, "Why on Earth would I have to worry about that? I'm a Realtor in the USA." The short answer is that you do. The GDPR has a wide reach that can have a significant impact on websites and businesses outside of the EU. Yes, even yours in the United States.
What is the GDPR?
The General Data Protection Regulation (GDPR) was created by the European Union to strengthen the privacy protections given to people in the EU through stricter rules and stiffer penalties. It protects individuals who are in the EU regardless of their citizenship, and it applies to businesses outside the EU that offer goods or services to those people or monitor their online behaviour. This regulation will affect you if you have, or could have, website visitors, online leads or clients who are in the EU. In a recent PwC survey, 92% of U.S. companies said that GDPR is a top data protection priority.
The goal of the GDPR is to give people insight into, access to, and control over how their personal data is used and shared online. To do this, the GDPR is built on 8 data rights; think of it as a bill of rights for online privacy. These rights are:
- Right to information about collected data
- Right to access personal data
- Right to modify or update the personal data
- Right to withdraw consent of personal data use
- Right to object
- Right to object to automated processing (automated decision making)
- Right to have all data deleted
- Right to data portability
Every business that handles the personal data of people in the EU, even from outside the EU, must be prepared under the GDPR to honour these rights and respond to these requests. That includes the case where someone in the EU visits your website or becomes a lead.
With the proliferation of tracking, marketing, advertising, CRMs, APIs, and integrated applications that agents use daily, the potential impact of GDPR is mind-blowing, considering how much lead data is stored and passed around today with little more than basic privacy considerations across the industry.
A major part of GDPR is getting consent from people to use their data in specified ways and, if that includes sharing the data, openly disclosing which entities you share it with and for what purposes. Consent is only one of the lawful bases the regulation allows, but for marketing to leads it is the one that realistically applies, so you basically cannot do anything with a lead's personal information (name, email, phone number) without their explicit consent. Consequently, the real estate industry as a whole will have to be more careful about how it gets lead information, where leads come from (the source has to be compliant too), how it handles and processes that information, with whom it is shared, and on which technology platforms.
I can’t tell you as you don’t have consent to process my data.
What happens if privacy and confidentiality are breached?
You're probably back to thinking, how can some bureaucrats in Europe tell me what to do?!? Especially something that will take up so much time and is such a pain in the ass. Well, they can fine you up to €20 million (nearly $24 million US dollars) or 4% of your global annual turnover, whichever is higher. That being said, the regulation is new, a visible move towards compliance will be seen as a positive step, and although the penalties are steep, the likelihood of fines for first offences is probably very low.
The GDPR also mandates that a company report a personal data breach to the data protection authority within 72 hours of becoming aware of it, and notify the impacted customers/leads without undue delay when the breach is likely to put them at high risk. Simply put, there is a lot more regulation around the personally identifiable information you use, store and distribute.
Whether we like it or not, this is something that will have an impact in the U.S. So it's best to be prepared.
What should agents, teams, and brokerages do to prepare for the GDPR?
The GDPR goes into effect May 25, 2018, and realistically none of the regulators are going to be fining most real estate agents and teams from day one for infractions or non-compliance. That being said, as major online services and brokerage brands roll out stronger privacy controls alongside GDPR, the market, meaning consumers, will start to expect them. We expect consumer expectations and pressure to matter more than any regulatory threat of fines. While this post is coming out with mere days to go before the May 25th deadline, there are some things agents, teams, and brokerages can do if they have not yet prepared. These are the basics, not an exhaustive list:
2. Get Verifiable Consent From Leads
You must get verifiable explicit consent (an opt-in) from users who want to use your services, such as your IDX, forms product and any other lead generation tool or product that collects personal information. You should also make sure that every service you use obtains verifiable consent and keeps clear records, because the burden of proof is on the data controller (you).
3. Website Cookies
- Display a Cookie Banner
- Get explicit consent for installing tracking cookies
- Only install tracking cookies once you've received consent, not before.
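As an added example (not Showcase IDX code and not from any plugin the page mentions), the following JavaScript puts the three points above into practice: the consent decision is kept in a first-party cookie that holds no personal data, tracker scripts are injected only once that cookie says "granted", and bumping the policy version invalidates old consent so the banner is shown again. The cookie name, policy version string and tracker URLs are placeholders, not real services.

```javascript
// Added example (not Showcase IDX code): load tracking scripts only after a
// visitor has opted in, and record the decision in a first-party cookie that
// holds no personal data. Cookie name, policy version and tracker URLs are
// assumed placeholders.

const CONSENT_COOKIE = "gdpr_consent";  // hypothetical first-party cookie name
const POLICY_VERSION = "2018-05-25";    // change when the cookie policy changes;
                                        // older consent is then asked for again

// Third-party tracking scripts that must not run before opt-in (placeholders).
const TRACKERS = [
  "https://analytics.example/tag.js",
  "https://ads.example/pixel.js",
];

// Parse a "name=value; name2=value2" cookie string into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Returns "granted", "denied" or "unknown". A decision recorded under an older
// policy version counts as unknown, so the banner is shown again.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return "unknown";
  const [decision, version] = raw.split("|");
  if (version !== POLICY_VERSION) return "unknown";
  return decision === "granted" || decision === "denied" ? decision : "unknown";
}

// Cookie string to set when the visitor clicks a banner button. It stores only
// the decision and the policy version, no identifier for the person.
function consentCookie(decision, maxAgeSeconds = 180 * 24 * 3600) {
  if (decision !== "granted" && decision !== "denied") {
    throw new Error("decision must be 'granted' or 'denied'");
  }
  const value = encodeURIComponent(`${decision}|${POLICY_VERSION}`);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// The single place that decides which tracker URLs may be injected: anything
// other than an explicit "granted" yields an empty list.
function trackersToLoad(consent, trackers = TRACKERS) {
  return consent === "granted" ? trackers.slice() : [];
}

// ---- Browser glue. `doc` is passed in so the functions above stay testable
// ---- without a DOM; in a page you would call applyConsent(document).

function injectScripts(doc, urls) {
  for (const src of urls) {
    const script = doc.createElement("script");
    script.src = src;
    script.async = true;
    doc.head.appendChild(script);
  }
  return urls;
}

// Called by the banner's buttons: persist the decision, then load (or not).
function recordDecision(doc, decision) {
  doc.cookie = consentCookie(decision);
  return injectScripts(doc, trackersToLoad(decision));
}

// Minimal banner: two buttons, and nothing else is loaded until one is clicked.
function showBanner(doc) {
  const banner = doc.createElement("div");
  banner.textContent = "This site uses tracking cookies. ";
  for (const decision of ["granted", "denied"]) {
    const button = doc.createElement("button");
    button.textContent = decision === "granted" ? "Accept" : "Decline";
    button.addEventListener("click", () => {
      recordDecision(doc, decision);
      banner.remove();
    });
    banner.appendChild(button);
  }
  doc.body.appendChild(banner);
}

// Entry point on page load: returns the tracker URLs actually injected.
function applyConsent(doc) {
  const consent = readConsent(doc.cookie);
  if (consent === "unknown") {
    showBanner(doc);
    return [];
  }
  return injectScripts(doc, trackersToLoad(consent));
}
```

The important design choice is that `trackersToLoad` is the only path from a tracker URL to a `<script>` tag, so a tag manager or theme snippet that drops trackers into the page directly would bypass the consent check; route everything through one gate and keep the gate's decision in a cookie that identifies nobody.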
4. Ensure All Your Technology Vendors Are GDPR Compliant
For most agents, teams, and brokerages, much of the onus of GDPR compliance will fall on the vendors they use that handle lead information, together with transparency at the agent, team or brokerage website level about who those vendors are, with links to each vendor's privacy policy. This is going to be crucial.
If you have a WordPress website there are a number of GDPR Compliance Plugins that can help you get set up to be compliant.
What is Showcase IDX doing to ensure GDPR Compliance?
Showcase IDX is taking GDPR seriously. It's clear that businesses of all sizes with a presence on the internet need to comply with the regulation if there is a chance they will come into contact with people in the EU and their data. If you have lead generation tools on your website or track visitor behaviour, this means you. This is what Showcase IDX is doing to get started in its role as Data Processor, and will have in place by May 25, 2018:
Updated Privacy and Cookie Policies
Showcase IDX Application Cookies
The cookies that the Showcase IDX application itself sets are intrinsically part of the application and do not contain any Personally Identifiable Information (PII). As a result, these cookies need no additional disclosure beyond what you will already need for the rest of the cookies on your website.
Required Consent On Lead Generation Forms
Lead Delete Account Deletes All Identifiable Lead Data
Currently, when a lead is deleted, we delete all traces of the record for that lead. Phew, we already do this.
Leads will be able to delete all of their information from the Showcase IDX platform themselves. A notification email will be sent to the agent.
Internal Tracking and Documentation
We already do extensive event logging, so if the situation arises we will be able to respond within the one-month time frame the GDPR mandates for data subject requests.
Not Using Showcase IDX?
Please, ask your real estate technology vendor what they are doing to keep you and your website in compliance.
Conclusion - GDPR for Real Estate
We highly recommend talking to your lawyer about GDPR and doing more research to learn the steps you need to take to be in compliance.
This blog post is not a complete list of GDPR requirements, nor does it constitute legal advice in any way. We also don't guarantee the accuracy of any statement in this post; please confirm the details yourself, since this is not legal advice and should not be taken that way. This post is intended as an introduction to the GDPR and a heads up that it ain't messing around.
One thing we have not talked about is the Data Protection Officer (DPO). The GDPR requires one when your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the 250-employee figure you may have seen is the threshold for the separate record-keeping exemption, not for the DPO. Most real estate teams and brokerages are small and most agents are independent contractors, so we have left this out of this introduction. If you are a larger brokerage, or track visitors at scale, you will probably want to look into it, along with the more stringent privacy documentation requirements.
The chance of GDPR-related fines seems remote at this point, especially early on. The main driver of adoption and compliance, however, will be internet users who want to be sure their information is used the way they intend, stored securely, and accessible to them.
Need a more exhaustive guide to GDPR? Here's one.