Data Privacy Rules Associations Should Know

You may have noticed that many websites have recently updated their privacy policies and terms of use, and that some have required you to accept the new terms in order to continue on the site. These changes are the result of the General Data Privacy Regulation, a new European Union data protection and privacy law designed to give EU residents control over their personal data collected by online businesses and website operators.

So what does this mean for your members and your REALTOR® association?

Generally speaking, if your website has visitors from the European Union—and it probably does—then this law technically applies to you. For example, if you’re using Google Analytics or a similar program to track your site visits, then you’re collecting the IP addresses of your visitors, which is considered their personal information. If any European residents have signed up for “new listing” alerts on your public MLS, then you’re holding information about them. If a former member signed up for your association newsletter years ago but has since moved to Europe, his or her personal information is still in your database.

Even though the GDPR applies only to the data of EU residents, the regulation also covers an entity that holds the data of EU residents, which is potentially your association and MLS. Consent of these individuals is required prior to your “processing” or using their data. The data privacy law is an “opt-in” regulation, the opposite of how websites have generally operated up until now. The main question in determining whether or not you have to comply hinges on whether your business targets EU residents.

How will an EU law be enforced on U.S.-based associations?

Although there certainly will be challenges to EU countries trying to use U.S. courts to enforce the regulation, right now it is too early to know how that will play out. Plus, more information is still forthcoming on how the EU will even know if you’re misusing EU residents’ information, so stay tuned to nar. realtor for new developments.

At the National Association of REALTORS®, our website developers are monitoring progress on the regulation, but have not instituted EU-style data privacy or GDPR yet.

Will the U.S. follow in the EU’s footsteps?

Although currently only EU residents have these data privacy rights, many American companies, including Facebook, Google, Twitter, and Microsoft are opting to provide many similar protections to U.S. residents, creating a new standard of data privacy in this country.

The U.S. Congress has openly criticized American tech giants, such as Facebook, for sharing the personal data of users without their consent. In April, U.S. Senators Edward J. Markey and Richard Blumenthal cosponsored a GDPR-like bill called the Consent Act, which would enforce more transparency around data that is being stored by companies, as well as enable consumers to opt out of companies selling their data. There are also proposals for new data privacy laws in many states. One in California that recently passed and goes into eff ect in 2020, gives consumers more control over and insight into the spread of their personal information online and makes it easier for consumers to sue companies after a data breach.

Now is the time to review what type of information you collect about site visitor or users, how you keep that information safe from hackers, and what third-party partners may have access.

How to obtain consent

Companies can obtain consent from site visitors to use their data in a variety of ways. One option is to use pop-up check boxes asking site visitors to signify their consent; another is to refer visitors to the technical settings page where you can also enable them to opt in to their data being used. If you go with pop-up boxes, for example (see graphics), visitors must actively confirm their consent, such as by ticking an unchecked opt-in box.

These consent methods must link to your privacy policy that describes how you will use visitors’ personal information, such as to personalize content and ads, provide social media features, track visitor preferences, analyze traffic, and support and improve the site. You must also detail what information you store on visitors, how long you store it, and how you store it. And you must provide an option for visitors to request that you delete all their personal information.

If you sell or rent lists containing individuals’ personal information—for example people who signed up on your MLS to receive market updates—you must obtain their consent prior to the transfer of their data. An individual can withdraw their consent to processing at any time.

Another issue under the GDPR is the use of data processors, which is an entity that collects or uses data on behalf of another. For associations, an example would include when the association provides its member data to RAMCO. Your association is responsible for the actions of any processors and will need to make sure that any data subject to the privacy regulations are treated appropriately. Therefore, associations subject to the privacy regulations need to identify those entities acting as data processors on their behalf and add language to their contracts that sets forth the requirements for the handling of personal data. If you provide links from your site to other sites, such as Survey Monkey or Facebook or nar.realtor, you are not responsible to the security of data that people choose to enter there.

How you apply these options to your website depends on the technology you have. If your association website is hosted on the WordPress platform, for example, there are a variety of plugins for GDPR compliance. Contact your website designer, host, or a knowledgeable IT expert to install the necessary plugins on your site.

Stay tuned to nar.realtor to learn the full impact of privacy regulations on your association.

-Finley Maxson