Know Your Duties as Data Privacy Enforcement Ramps Up

Consumers are demanding increased transparency about how their personal information is being used. Follow these best practices when handling sensitive client data.

As more aspects of a transaction head online, real estate professionals are collecting more client information digitally, from Social Security numbers to bank account information and copies of driver’s licenses. How you collect and store that information could get you into legal trouble if you’re not careful.

Enforcement of data privacy laws has ramped up nationwide as more states enact rules. It’s critical that real estate brokerages understand how this could impact their business and how to handle sensitive information they collect, says Maame Nyamekye, associate counsel at the National Association of REALTORS®, in the latest “Window to the Law” video.

While there are no federal laws regarding data privacy that apply to real estate, more states are adopting comprehensive data privacy laws to protect consumers’ personal information. Nyamekye says these laws often grant consumers several rights:

  • To know what information a business collects on them.
  • To ask a business to delete or correct the data.
  • To know if the business is selling their information.

Almost all states have enacted rules around data breach notifications, requiring businesses to notify individuals when their personal information may have been compromised. Many states also have adopted data disposal laws that require businesses to destroy, dispose of or encrypt personal information to protect individuals’ privacy.

NAR has supported efforts to protect consumers’ sensitive personal information. The REALTOR® Code of Ethics acknowledges members’ obligation to help preserve the confidentiality of their clients’ personal information in any agency or nonagency relationship.

REALTORS® shouldn’t take their role lightly when collecting client data, Nyamekye says. Greater enforcement increases “the likelihood that a violation of a data privacy law may be detected and pursued,” Nyamekye adds. “So, to avoid harm to your business—both financially and reputationally—it is important to ensure that your business is complying with applicable state laws.” Nyamekye notes that even if an agent is located in a state that does not have a comprehensive data privacy law, the agent can still be subject to another state’s law if they collect personal information of out-of-state clients.

In the video, Nyamekye shares some of the best practices for data privacy, including:

  • Publish and maintain a privacy policy. Explain your policy to consumers to put them at ease about how your business will manage their personal information.
  • Know the laws. Understand state laws and consumer rights regarding data security and privacy that could affect your brokerage. For example, some states have laws that require businesses to have a written information security program in place or to dispose of personal information that serves no business purpose.
  • Adopt document retention and data breach notification policies. The Federal Trade Commission shares five key principles for businesses to follow when creating a data security program: Take stock, scale down, lock it, pitch it and plan ahead.

Access NAR’s data security and privacy toolkit, which includes an example of a written data security policy, for more tips.