Data Privacy Duties

California’s new data security legislation could become the norm nationwide.

Computer graphic showing text of California data protection law
Pending online data privacy rules in California require website operators to notify visitors (and obtain their consent) when their identifying information is being captured and explain what that information will be used for.

The new California data privacy law that addresses growing concerns over how online companies are using people’s personal information may be the beginning of a nationwide trend that could also affect REALTOR® associations, MLSs, and brokerages. Eight other states are using the law as a model for their own legislation, and your REALTOR® associations and MLS may need to change some practices when these laws take effect.

What the California Consumer Privacy Act does

The California Consumer Privacy Act, which was based on the European version called GDPR, goes into effect on Jan. 1, 2020. It defines personal information very broadly and requires certain disclosures to consumers about how their personal data is collected and used. Not all businesses will need to comply with the law, and there’s also a nonprofit exemption. Although this law is limited to the personal data of California residents, anyone who collects the information from California residents outside of the state may need to comply as well.

Here’s an overview designed to help AEs in California and nationwide get an idea of what their data privacy policies, procedures, and practices may look like in the near future.

What’s considered personal

“Personal information” has a broad definition under California law and includes anything that identifies, describes, or is capable of being associated with a particular consumer or household and is not limited to electronic data. For example, if you collect any names, property addresses, or even IP addresses using cookies or signup forms on your website or public-facing MLS, you’ll need to comply with the consumer disclosures in the law.

Who has to comply?

The California law will apply only to businesses that fall into the following categories:

  • Organized as a for-profit
  • Does business in California
  • Collects personal information
  • Determines how the information collected is processed and for what reason

Note that doing business in California is not limited to those businesses physically in the state; it will also cover businesses that interact with California residents—think Amazon, Netflix, Zillow, and Redfin.

If the business has the above elements, then the law applies if it meets any of the following criteria: It 1) has gross revenue of more than $25 million; 2) derives half its revenue from the sale of consumer data; or 3) buys, sells, shares, or receives for its commercial purposes the personal information of 50,000 or more consumers, households, or devices.

Although many associations and MLSs would not appear to meet the above categories, large MLSs will need to consider the personal information they have about ­California residents. For example, many MLSs purchase or receive data about properties that may include those owned by California residents.

Although the California law exempts nonprofits from compliance, there is an important caveat for nonprofit REALTOR® associations: If a nonprofit, such as a REALTOR® association, controls and shares branding with a for-profit subsidiary that needs to comply with the law—an MLS, for example—then the nonprofit entity may lose its exemption and need to comply with the law. “Common branding” is a shared name, service mark, or trademark.

How to comply

To comply with the California privacy law, businesses must post privacy policies and respond to consumers’ requests to have their data deleted, among other duties. Businesses that not only collect but also sell personal information have additional procedures to follow.

We’ve only touched upon the many requirements of the privacy law here. As this law and others like it become more popular, look to NAR to provide associations and MLSs with detailed compliance guidance.

Finley Maxson is a senior counsel at the National Association of REALTORS®. Contact him at 312-329-8381 or
Notice: The information on this page may not be current. The archive is a collection of content previously published on one or more NAR web properties. Archive pages are not updated and may no longer be accurate. Users must independently verify the accuracy and currency of the information found here. The National Association of REALTORS® disclaims all liability for any loss or injury resulting from the use of the information or data found on this page.