And That’s the Way the Cookie Crumbles: Resident Data Privacy

December 13, 2020 |

Updated December 13, 2020

3 minutes

With so much resident and prospect information collected by operators, it’s critical to understand and comply with the laws regulating data privacy.

By Paul Willis

Apartment operators collect volumes of personal information from residents and applicants alike. If that data is breached, it can cause myriad legal issues and have a lasting negative effect on the brand. 

Yet, many apartment operators only have a loose understanding of data privacy legislation currently impacting the multifamily landscape.

“We need to be aware of data privacy regulations,” said Scot Haislip, Vice President of Legal Counsel and Affairs for the National Apartment Association. “Because if not, there are some serious consequences to that.”

A panel of experts recently discussed the state of data privacy in the industry, including the California Consumer Privacy Act (CCPA), during NAA’s APTvirtual session,  “And That’s the Way the Cookie Crumbles: Resident Data Privacy.”

California has traditionally led the way with regard to data privacy legislation, which has continued with the recently unveiled CCPA, the most comprehensive privacy law in the U.S. The Act introduces an expansive definition of personal information, new statutory damages in the case of data security breaches, mandates that companies must provide training for employees responsible for handling consumer inquiries and applies to companies worldwide.

“What it did is import a lot of concepts from European privacy law into the United State for the first time,” said Michael Egan, Partner of Baker & McKenzie LLP. “For instance, what we'd normally consider privacy information in the United States—your social security number, medical information, bank account number, the secret stuff—this goes far beyond that. And it creates new rights within that data.”

So what does the CCPA mean for the multifamily industry? John Napier, Senior Director of Legal Services for Greystar, explains. “One of our challenges as a national property manager is that we have operations outside of California in addition to within California,” he said. “So how are we going to apply this law? And what steps are we going to take to process the requests or the compliance for consumers when we’re not sure where they’re located? We had to evaluate the way we were going to approach compliance.”

Greystar weighed whether to limit compliance to only California residents or to build a process that applied the CCPA concepts to other states. Ultimately, the apartment giant decided to adjust website language to indicate areas that pertained to California residents, but it’s an evolving process.

Another new concept introduced by the CCPA is the penalty involved for statutory damages, which can reach as high as $750 per person, per incident for affected individuals.

“So, if you’re looking at losing the sensitive personal information of several hundred thousand California residents, it could be quite a costly venture for you,” Egan said.

The Act also requires more detailed communication to consumers about how their personal data is handled and more stringent language ensuring that data will not be sold. Organizations are advised to have strict protocols in place to verify the identity of any requesting individuals. This is to proactively combat a recent trend in Europe in which cyber attacks were launched in this fashion to steal personal information.

Greystar is among the operators that have remained on the cutting edge of keeping resident data secure while regularly monitoring for updates within the space.

“We were evaluating the touchpoints of where we were acquiring personal information, and a lot of times we were looking at it under the lens of a website or some type of online platform,” Napier said. “But there are a lot of interactions that take place on a property. Someone might walk in to take a tour and we might take down their name, email and other personal information.”

As such, Greystar has made certain to become CCPA compliant with offline interactions. Other operators have followed suit and similarly addressed their overall data privacy measures as cybersecurity becomes much more of a priority in the industry.

Paul Willis is a Content Manager for LinnellTaylor Marketing.