Window to the Law: Enforcement of Data Privacy Laws - Transcript
Real estate professionals often collect personal information in the course of serving consumers. With a growing number of states enacting comprehensive data privacy laws, this issue could make its way to a place near you next. And, with increased enforcement of existing laws, it is more important than ever for real estate professionals to understand how data privacy laws impact their business and how to incorporate best practices for handling consumers’ personal information.
While the federal government has yet to enact a comprehensive data privacy law, a growing number of states have. Generally, these state laws confer a host of rights to consumers, such as the right to know what information a business collects, the right to ask a business to delete or correct data and to know if the business is selling consumers’ information.
In 2020, the California Consumer Privacy Act – or CCPA - became the nation’s first comprehensive data privacy law, and was recently amended to further expand consumers’ rights under the law. Colorado, Connecticut, Iowa, Virginia, and Utah have also enacted comprehensive data privacy laws. All 50 states have enacted data breach notification laws that require businesses to notify consumers of data breach events involving their personal information, and most states have also enacted data disposal laws that require businesses to destroy, dispose, or otherwise make stored personal information unreadable.
Enforcement efforts are also ramping up. California recently established a state privacy protection agency to raise awareness about data privacy and to investigate potential violations, and in 2022, California’s Attorney General reached a settlement with a major US retailer for more than $1 million dollars for its alleged failure to disclose to consumers that their personal information may be sold and for failure to process consumer opt-out requests.
Significant enforcement efforts increase the likelihood that a violation of a data privacy law may be detected and pursued. So to avoid harm to your business, both financially and reputationally, it is important to ensure that your business is complying with applicable state laws. Keep in mind that even if the state where a business is located doesn’t have a comprehensive data privacy law, the business may be subject to another state’s law if it collects personal information of residents of that state.
Here are some best practices to reduce the risk of violating data privacy laws:
- Maintain and publish a privacy policy that explains to consumers how the business will manage consumer data. And, of course, be sure to follow that policy.
- Understand applicable state laws and related consumer rights with respect to their personal information, and be sure to follow-up and process consumer requests.
- Create and implement a sound data security program and adopt a document retention policy and a breach notification policy.
- Educate and train staff about your business’ data security program and policies.
Check out NAR’s Data Privacy and Security Toolkit to learn more about data privacy laws and how to create a sound data security program. Thank you for watching this episode of Window to the Law.
