
As California begins to fully implement and enforce the California Consumer Privacy Act (CCPA), multifamily firms of all sizes are figuring out how best to comply. The CCPA, which officially took effect Jan. 1, is a consumer data privacy law that governs how organizations collect, maintain, and process data about individuals. Given how much data apartment firms use and hold, our industry is on the front lines of compliance. The CCPA is unique because of its broad scope and national ramifications. Just because you don’t operate in California doesn’t mean you get a free pass. In the absence of a federal privacy standard, the CCPA is being looked at as a de facto national model for how other states should regulate consumer privacy and data security. As a baseline, companies will be required to comply based on their business activities rather than their corporate address. Whether or not your firm must comply comes down to how much consumer personal information your company collects, your firm’s overall gross revenue, and your company’s reach.

Although the CCPA is a first-of-its-kind law in the United States, it’s indicative of a growing trend for more regulated consumer data protections and why the industry is pushing for a strong federal privacy and security standard that prevents a complex and duplicative patchwork of different state laws from emerging. Apartment firms must remain vigilant to a constantly evolving legal and security landscape to ensure that they are operating within the bounds of existing and future laws governing consumer privacy and data security.

A Call for More Clarity

Figuring out what compliance looks like has been challenging, as data privacy is a still-evolving area of the law. Although companies could see penalties for CCPA noncompliance as early as July 1, details of how the CCPA is to be implemented are still in the works and enforcement protocols are still being ironed out.

In recent months, the industry has voiced concerns over the lack of clarity surrounding implementation and enforcement. In a win for the industry, California attorney general Xavier Becerra incorporated some of the industry’s requests in the updated guidance released in February.

For example, the attorney general updated language outlining how requests to access or delete household information are handled. Apartment owners and operators rightly pointed out concerns with potentially troublesome circumstances emerging from ex-roommates or ex-partners becoming privy to private information by having the “household right” to know or delete personal information on all members of that household. Agreeing with the industry, the attorney general now says a business should not delete personal data or respond to a "Right to Know" request unless a household has a password-protected account or each member of the household signs onto the request.

However, not all the industry’s suggestions were incorporated into the updates, which means the law still remains a challenge for many companies to implement. And for companies that don’t comply, this lack of clarity could translate into dollars lost. Come July 1, the attorney general could begin enforcing civil penalties in the amount of $2,500 per violation. In addition, the law allows for a private right of action, on both an individual and classwide basis, for data security breaches that harm a consumer.

Steps Toward Compliance

Despite the continued questions about the CCPA and the potential for additional changes to its enforcement rules, apartment firms are still required to comply. Even firms and service providers without a physical presence in California should evaluate their need to comply given the unique nature of the law, especially because, for better or worse, it serves as the template for other states. The CCPA includes a broad definition of what constitutes personal information and provides consumers the right to know what personal information is being collected or sold, the right to opt out of sale of their data, and the right to ask that their information be deleted. Each company is unique in what data it collects and how it manages said data.

As the multifamily industry grapples with what’s next, NMHC suggests firms work with internal legal and technology teams to ensure a thorough understanding of your data processes. As you evaluate what’s next, it’s important to consider the following:

1. Understand the nature and types of data maintained across the organization: This exercise—sometimes referred to as “data mapping”—requires a deep dive into the organization’s data practices across all business lines.

2. Understand third-party relationships: As important as it is to understand what data the organization maintains, it is equally critical to understand how the information is shared—and clearly delineate who’s liable for the handling and security of that data.

3. Determine the applicability and approach for potential varying standards: Once the organization has a comprehensive understanding of its data processing practices, the company will then be in a better position to begin assessing (through legal counsel) which privacy requirements may apply and any corresponding obligations or exceptions.

4. Consider technical and operational requirements or challenges: The practical effect of many new requirements can directly impact the viability of certain technical solutions. Challenges are likely most prevalent in implementing procedures to address individuals’ requests to exercise their rights.

5. Ensure disclosures are complete and accurate: The demand for greater transparency, along with the potential for increased liability, means it is even more important for companies to ensure their data processing disclosures are accurate.

6. Regularly assess applicability of requirements: As the privacy landscape is rapidly evolving, it is important to regularly monitor and assess both updates to the legal requirements as well as changes to existing business operations that may impact obligations and ensure practices and procedures are updated as appropriate.

There are a lot of unknowns related to the ever-changing data privacy regulatory landscape. If for no other reason, the financial risk posed by privacy and security breaches demands strong data practices and protections by apartment firms. Companies that proactively account for privacy and security considerations will be better positioned to adapt business practices as new requirements continue to develop.