January 2020

Bricks and Mortar... and Personal Data

Personal information is a rich tool enabling businesses to understand and drive loyalty and behavior, personalize customer experience and differentiate their brands.

The digital era and the arrival of big data (such as the ‘Internet of Things’) now offer real estate businesses unprecedented insight into tenant and customer habits and preferences, allowing them to leverage this information and tailor their strategy accordingly. As a result, the real estate industry – residential, corporate and commercial – is dealing with more personal data today than ever before.

Real estate focused technological innovations, known as “PropTech”, are rapidly driving the industry forward, giving rise to new business models and systems for streamlining property services. At the same time, partnerships between real estate, technology and data businesses offer exciting ways to amass and leverage personal data, creating compelling opportunities in the process.

Such opportunities do not go unchecked – witness the sweeping privacy laws introduced by the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In essence, the more global the company and the more data collected, the greater the risk of noncompliance with data privacy laws. The GDPR is the prime driver of similar laws being adopted in other jurisdictions.

EU Privacy Framework: The GDPR

Eighteen months into the GDPR, some businesses are only now realizing the implications and requirements of the regulation. The real estate sector is no exception.

Inevitably, information being held, including personal data, presents challenges and obstacles for landlords and developers who are vulnerable to regulatory and legal challenges in relation to GDPR compliance. The stakes are high – if your business does not comply, it could be fined up to 4% of group annual worldwide turnover or €20 million, whichever is higher. A striking feature of the GDPR is its extraterritorial application. So, U.S.-based landlords and funds with EU property assets will need to assess their exposure.

There have already been a number of eye-popping fines levied since the GDPR came into force in May 2018. The real estate industry took particular notice when the Berlin Commissioner for Data Protection (Berlin DPA) hit Deutsche Wohnen SE, a German property company, with a €14.5 million fine for violating the GDPR. This is the largest GDPR fine issued, to date, by a German data protection authority and was a critical indicator that regulators would pursue the real estate sector as actively as they do Big Tech. The fine followed two audits, carried out by the Berlin DPA, in June 2017 and March 2019, that revealed improper data storage and retention. The audits also revealed that personal data that was no longer required for business purposes was being stored in Deutsche Wohnen’s archives and inadequate security measures had been adopted by the company to safeguard the data.

The EU data protection authorities are paying close attention to how real estate is using personal data and so assessing exposure to the GDPR and GDPR-compliance should be at the top of your business agenda.

U.S. Privacy Framework

Unlike the EU, the U.S. has no equivalent national privacy law. However, several states have effectively established national requirements (notably, California – privacy policies; Massachusetts – information security policies; Illinois, Texas and Washington – prior consent for biometrics). All 50 states now have prescriptive data breach notification laws.

The U.S. also lacks a national data protection authority. Instead, the U.S. Federal Trade Commission (FTC) aggressively exercises its broad consumer protection powers under Section 5 of the FTC Act to protect individuals from deceptive or unfair privacy practices. The FTC’s enforcement actions, reports and best practices offer guidance about what it considers to be a “reasonable” privacy or cybersecurity practice. Therefore, the real estate industry should be familiar with these generally-applicable decrees, reports and best practices.

California Consumer Privacy Act (CCPA)

California’s landmark privacy law went into effect on January 1, 2020, granting expansive consumer privacy protections through new data privacy rights similar (but by no means identical) to those granted by the GDPR. Given the size and nature of the California market, the CCPA has a global reach.

The CCPA protects personal information, broadly defined as information that can identify, relates to or can reasonably be associated with a California resident or household. The CCPA applies to any company doing business in California (whether or not located in California) that either (a) earns more than $25 million in revenue; or (b) collects and controls the processing of personal information from 50,000 or more Californians; or (c) gets at least half of its revenue from selling the personal information of California residents.

In a first for the United States, the CCPA grants consumers many new data privacy rights, including the right to opt out of the “Sale” (the sharing of personal data in exchange for money or other valuable consideration) of their personal information, rights of access and deletion, and the right to be free from “discrimination” for exercising the rights granted to consumers by the CCPA. Several of these rights could significantly alter current business models, including in the real estate industry, potentially impeding intracompany sharing and other data sharing with third parties.

What's the Impact in The Real Estate Sector?

Both the CCPA and GDPR significantly impact downstream uses and sharing of personal data, including for marketing of real estate assets, property transactions, and buyers’ integration of data assets associated with one or more newly acquired properties. Real estate businesses will need to evaluate whether new contracts with service providers will need to include the mandatory data processing terms; privacy policies will have to be updated to ensure the business’ processing activities are accurately described and include all necessary information on data processing; technology will need to be updated and staff trained to ensure the security of personal data. Essentially, the unrestrained commercialization of personal data is at an end.

Personal data is broadly defined. Generally, any data relating to a living individual will come within scope. Different parts of the real estate sector will collect and process personal data to varying degrees; for example, residential landlords and hotel operators will hold far larger datasets than landlords of buildings leased for commercial purposes. Nevertheless, every business processes personal data at some level, and advanced technology now gives even commercial landlords the means to acquire personal data of building users. Consequently, personal data will likely be deemed to include the following types of information:

  • revenue information in connection with individuals, such as account details, email addresses, and purchase habits;
  • security information, which may also include details relating to car parking access such as license plate numbers;
  • personal information passed on to property managers and leasing agents (such as contact details);
  • energy usage information relating to individual tenants, which is used to assess energy efficiency;
  • personal information relating to tenants, such as contact details, details of key-holders including location data on individual (and guest) movement within properties, emergency contacts and account details;
  • statistics and data relating to occupancy and building use by the individuals who live in the building;
  • personal information contained in marketing databases (such as contact details of individuals); and
  • IP addresses relating to individuals using WiFi in buildings.

Although different terminologies are used, both the CCPA and the GDPR distinguish between “controllers” (“businesses” under the CCPA) and “processors” (“service providers” under the CCPA). A controller ultimately dictates how and why personal data is processed, whereas the processor (or service provider) acts on the controller’s behalf. The CCPA has a third designation, not embodied in the GDPR, known as a “Third Party.” Entities in the commercial real estate sector may fall into this category which would restrict onward sharing of personal data, particularly since the sharing of personal data by Third Parties, who tend to be invisible to consumers, was a prime target of the drafters of the CCPA.

Landlords, real estate funds and developers will typically be considered controllers (businesses) as they will determine the purposes and means of the personal data they collect regarding individuals connected to their properties.

Vendors which, when performing services, have access to personal data on behalf of a landlord or developer will often be classified as processors (service providers under the CCPA). As an example, technology providers offering building entry technology or SaaS-based services would typically be “processors” acting on behalf of a landlord who is a “controller.” Likewise, hotel managers and other operators of operating assets will usually be processors. The GDPR imposes obligations on both controllers and processors, so it is important for any business operating in the real estate sector to review its data protection obligations and responsibilities. The CCPA imposes direct legal obligations on businesses and significantly limits service providers’ use of individual consumer data.

Building Compliance

Businesses must understand their CCPA and GDPR obligations and processes, and identify any gaps in compliance. A data mapping exercise covering existing personal data, as well as the equipment, files and documents in which data is stored unnecessarily, is essential to ensuring compliance. The data mapping exercise can pinpoint where personal data is being collected, shared, transferred and stored.

Once the exercise is completed, it is crucial to ensure appropriate policies and procedures are in place for the proper handling and disclosure of personal data. For example, some of these may include maintaining internal records; ensuring appropriate technical and organizational measures are in place to safeguard personal data and monitor risk across the business; retaining data only for as long as it is required and then deleting from all systems; ensuring appropriate due diligence is carried out on any provider who has access to personal data; agreeing to appropriate data processing terms with third parties; carrying out risk assessments for any “high risk” processing and assigning roles and responsibilities; and, importantly, understanding what statutory exceptions might be leveraged to allow companies to fully utilize data rich assets. As data and business practices change, the initial data “map” should be re-examined and updated as warranted.

In addition to the above, organizations must begin training their staff on the ins and outs of the CCPA and GDPR. This should include all personnel, from contractors and facilities managers to senior management and support staff. Training should not only outline the requirements, but also support the establishment of the appropriate policies and procedures to achieve full compliance, including an assessment of how employees share information, the shortcuts they take and the human errors which are likely to expose the organization to non-compliance.

Simply educating staff will likely not be enough. The GDPR, for example, has introduced the statutory role of a Data Protection Officer (DPO), and any organization that engages in systematic monitoring of individuals will be legally required to designate a DPO.

Don't Let The Authorities Come Knocking On Your Door

The Berlin DPA fine in the Deutsche Wohnen matter is a sobering reminder for real estate businesses that they should properly assess their data processing practices and implement suitable measures throughout the entire company to ensure the necessary safeguards are in place to protect personal data. While the CCPA is as yet untested, we expect the California Attorney General to be aggressive in enforcement, and the private plaintiffs’ bar to be very active given the new private right of action granted to consumers who experience data breaches.

Even businesses not currently subject to either regime cannot afford to be complacent. No business wants the reputational damage that accompanies lackadaisical compliance practices and data abuses. Moreover, data protection regulation is spreading rapidly under consumer pressure to recognize and protect individual privacy rights in the age of innovation and technology. At some point the rest of the U.S. will catch up with Europe and California.

Goodwin’s GDPR + CCPA teams include Gretchen Scott, Jackie Klosek, Curtis McCluskey, Alex Moyer and William Stern.

Goodwin is among the first, if not the first, AmLaw 50 firm to establish a privacy and cybersecurity practice. Our global team and practitioners are highly ranked in Chambers and Legal 500 and offer a fully integrated, multi-disciplinary approach to clients’ data protection needs. We are uniquely positioned to provide innovative solutions to help guide clients through the collection, use, processing and protection of their most sensitive information. Among our senior lawyers are a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration, several former federal prosecutors, and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.

Goodwin’s Real Estate Industry group has offered clients unparalleled experience and expertise in the Real Estate industry for over 50 years. Our vast experience includes sophisticated equity and debt investment transactions, private and public fund raising, real estate M&A, large-scale development and expertise in the REIT, private investment fund, and hospitality and leisure industries. With more than 150 attorneys across the U.S., Europe and Asia focusing solely on the real estate industry, we work with owners, managers, operators, developers, lenders and investors – helping them acquire, develop, finance, manage, lease and sell real estate assets.