Privacy Please: CCPA and the Multifamily Industry

Privacy concerns are raising risks in tenant dealings.


When the European Union’s General Data Protection Regulation (GDPR) took effect in 2018, some U.S. companies ignored it, assuming that the laws applied only to European companies. They began to pay more attention once authorities started issuing fines to U.S. companies for noncompliance. The amounts were hardly chump change: Marriott and Google, for example, face proposed penalties of $123 million and $56 million, respectively.

Now a similar scenario is playing out with the California Consumer Privacy Act (CCPA), which went into effect Jan. 1. CCPA, in a nutshell, gives California consumers the right to: know what personal information businesses hold on them and why; require action upon that personal information; and restrict the sale of that personal information.

As with GDPR, the law has an impact beyond its provenance. Unlike previous privacy laws in the U.S., the CCPA is industry-agnostic, so it applies to every company that meets the criteria, regardless of its market.

For-profit companies that collect personal information while conducting business in California are subject to the CCPA if they meet any of the following criteria: 1. have annual gross revenue above $25 million; 2. buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices per annum for commercial purposes; or 3. generate at least half their revenues from the sale of data from California residents.

This means a company does not have to have a physical presence in California to be subject to CCPA. It’s also worth noting that companies that meet these criteria in the future, rather than in the present, may be subject to a 12-month look-back period for disclosures on the use of data.


Again, similar to the rollout of GDPR, some companies aren’t paying much attention. Yet those that ignore CCPA could face stiff penalties, both through the California attorney general and through a private consumer action. The risks are significant for multifamily firms, given the amount of data exchanged in everyday business operations.

Multifamily Considerations

These days, data collection pervades many aspects of the multifamily industry. At the most basic level, owners and operators receive personal information on prospective residents and tenants. But the relevant parties extend far beyond tenants and other occupiers. CCPA applies to data obtained from former tenants, prospects, business partners, vendors, and employees.

Another complicating factor is the growth of IoT and smart devices. Many tenants view smart-home capabilities as an important amenity. They appreciate the ability to control their thermostat from their phone. They also welcome enhanced security through technology, which enables package tracking, video and camera monitoring, and electronic visitor logs. All of these examples involve the transfer of data, putting the onus on owners and operators to disclose its collection.

What Owners and Operators Should Do

It’s still early days for CCPA, so we can expect some further clarifications on its scope and implementation. Nevertheless, multifamily companies should act now. Here are some important steps you can take to protect your company:

1. Conduct a “data-mapping” exercise. With data mapping, you examine the data you collect, the methods of collection, the reasons for collection, where it is housed, whether it is shared with or sold to other entities, who has access to it, and how long it’s retained. This is an ideal time to reconsider any processes that are unnecessary or irrelevant to your business.

2. Update your policies and consent forms. Using the information you’ve uncovered in your data-mapping exercise, the next step is to update your policies to provide transparency for consumers. Under CCPA, businesses must give adequate notice to consumers so that they understand the following (non-exhaustive list): what personal data is being collected, where it’s being collected from, why it’s collected, how it will be used, and who it will be shared with. Businesses must let consumers know their rights with respect to their personal information, such as their right to request additional details about the personal information, to request deletion of it, and to request that it not be sold.

3. Establish procedures for addressing consumer requests. You’ll need to have internal systems in place for verifying the identity of the consumer, providing the requested information, and enabling opt-outs of data sharing with third parties.

4. Ensure sufficient security. All businesses subject to the CCPA are required to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect personal information. The information gathered in your data-mapping exercise can help determine whether your business has reasonable security procedures and practices in place and whether they are appropriate for the nature of the information. You will also need to understand whether your service providers meet these requirements; you won’t get off the hook by using a third party.

Although these steps hardly constitute a comprehensive privacy plan, they are a good start. Property owners and operators who follow them are better positioning themselves to avoid fines and damage to their reputations. And they’ll be prepared for future legislation, which is a near certainty. Some states are following California’s lead and enacting privacy laws of their own.

The time for compliance is now, and that’s an opinion I’m happy to share publicly.

Legal disclaimer: The information provided in this document is designed to provide an overview of CCPA and should not be taken as legal advice. Please consult a lawyer to address the individual needs of your business.

About the Author

Alycia Workman, Esq.

Alycia Workman is a senior associate general counsel for MRI Software.
