How Real Estate Technology Is Expanding Privacy and Data Protection Risks

How Real Estate Technology Is Expanding Privacy and Data Protection Risks

by Pippa Akem, Bethany Estrada
August 19, 2021

As new technology platforms transform the real estate industry, the volume of customer and transaction data is exploding — as is the need for real estate companies to maintain effective privacy protections.

Personally identifiable customer and financial data is routinely collected by companies and technology tools throughout the real estate value chain. From initial property searches to mortgage and lease applications to transaction documents, the amount of electronic data that needs to be protected is multiplying rapidly. 

As a result, real estate companies have to understand the regulatory requirements of how they obtain, use, share and store data responsibly. Below are a few scenarios for how real estate companies become responsible for the data they collect, as well as some data protection practices that help you mitigate these risks.   

Mitigating Data Risks

Technology has infused nearly every process in real estate sales, leasing, financing and property management. For instance, if a consumer conducts a basic property search online and enters their contact and financial information to learn more about the property or their financing options, that inquiry will likely trigger a preliminary credit analysis — and the sale of their information to local agents and lenders who have business relationships with the property-search platform. 

Each company that receives the consumer’s information needs to have policies and practices to mitigate the risk of that data being accessed inappropriately and the company facing potential regulatory inquiries and fines. At a minimum, real estate companies need to understand:

  • The types of data flowing in and out of the organization
  • Who can access that data, and for what reason
  • Whether the sensitive data is encrypted while it is stored
  • How the company will respond to customer requests that it stop sharing any

Applying “privacy by design” principles as corporate policies are developed will help ensure that data is obtained only for business purposes, your company doesn’t collect data it doesn’t need, the data has appropriate privacy security controls, and that data is disposed of properly after its useful life. 

If your real estate business works with technology providers, you also need to understand the provider’s practices and policies to ensure regulatory compliance as well as potential liability stemming from the misuse of data by a business partner.

Data Storage and Retention 

Real estate companies also have to be sure their data retention policies are aligned with their business needs. For example, a hotel may only need to store guest information for six to 12 months, unless the guest opts into receiving marketing campaigns. In contrast, a company managing apartment complexes will want to retain lessee data for the duration of the tenancy. 

Similarly, real estate funds need to store personal and financial data about current investors but may need to archive or discard information related to former clients and former investors, in alignment with the company’s retention policy. (It’s important for funds to check with legal counsel about record retention requirements in the jurisdictions where their clients reside.) 

Regulation Is Increasing

As of August 2021, in addition to the landmark California Consumer Privacy Act (CCPA) legislation, 28 states had adopted (or were debating) a variety of privacy-related laws. Real estate companies that have customers within the European Union also have to comply with the EU’s General Data Protection Regulation (GDPR). 

One example of the new legislation is in New York City, which passed a law restricting landlords and property managers from using data related to keyless entry cards to limited uses such as granting access to a building or a common area. Companies must only use the minimum data required to control access and must encrypt that data and follow strict guidelines for data removal, deletion and anonymization. Violations can result in regulatory fines or private litigation. 

Despite privacy concerns, property management firms have legitimate reasons to collect and analyze the rich supply of data keyless card systems can offer about how facilities and amenities are being used. For instance, understanding how many people are in hallways or other common areas at different times of the day can provide insights into when heating and air-conditioning systems can be adjusted to increase efficiency.

This data, however, needs to be anonymized to ensure the keyless entry system is not tracking tenants or guests as they move around the property. It can be useful for a property manager to understand how many people are coming and going from a building or a garage in the overnight hours, but they need to store and analyze this data without tracking specifically who those people are. 

Similarly, lease and sales agreements need to be amended to include privacy-related statements about how this data will be generated, stored and used. 

The real estate industry is being transformed by new technologies. By understanding regulatory requirements and customer expectations about data privacy and security, you can harness the potential of these emerging tools while mitigating the risk of privacy-related liabilities.

To learn more about data privacy and compliance, contact our privacy experts.


Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Bethany Estrada - Consulting | Armanino
Senior Manager
Related News and Insights
Top Risks Organizations Will Face in 2022
Understand ESG, data privacy and other key risk areas and how to avoid them.

March 29, 2022 | 11:00 AM - 12:00 PM PT
Impact of the California Privacy Rights Act on Your Organization
How will the California Privacy Rights Act (CPRA) affect your organization and the way it uses artificial intelligence?

February 23, 2022 | 10:00 AM - 11:00 AM PT
6 Microsoft SSPA Compliance Considerations for Third-Party Service Providers
To avoid lost deals, businesses providing services to Microsoft suppliers need to follow Microsoft’s data privacy rules.

November 23, 2021