Real Estate Companies Face New Privacy Regulations and Challenges

Real Estate Companies Face New Privacy Regulations and Challenges

by Pippa Akem, Bethany Estrada
June 02, 2021

In the face of expanding regulatory requirements and heightened consumer expectations, real estate companies can no longer afford to ignore privacy issues and protecting customer data.

New privacy requirements are mandated under the California Consumer Privacy Act (CCPA) as well as Europe’s General Data Protection Regulation (GDPR), and mandates may be added under similar legislation being debated in more than 20 states.

Beyond the regulatory requirements, however, creating and demonstrating effective privacy policies and practices can pay tremendous dividends by increasing consumer trust in your company and its professionals, and helping you avoid potential privacy-related fines.


In broad terms, the CCPA grants consumers rights that include the ability to ask:

  • Whether their personal information is being collected, and why the business is collecting that data
  • Where the company is obtaining that information
  • Whether and how that data is being shared with other parties

The legislation also gives consumers the right to request that a company stop sharing any personal information related to them, as well as to delete any personal information it may be storing.

Because the California law extends privacy protections to the residents of that state, regardless of where the business is located, many real estate companies are likely to have compliance requirements that they may not be aware of.

Similarly, the GDPR restricts how companies, regardless of location, can collect, use, store and share personal data related to customers in the European Union without their consent. Companies must disclose the data they are collecting and how they plan to use and store it, and provide an ability for consumers to request the deletion of their personally identifiable data.

Any U.S. real estate company doing business in Europe needs to be aware of, and comply with, GDPR requirements and practices.

Industry Risks

Privacy and data protection are relatively new considerations for real estate companies, despite the tremendous amount of personally identifiable consumer information they accumulate in the course of business. Depending on which sector your company is involved with, this can include personal and financial data related to investors, current and prospective tenants, property owners and other stakeholders.

The real estate industry also has some other factors that can increase privacy-related risks. For instance, the industry specializes in completing complex transactions quickly, and up until now privacy considerations haven't been major factors in this process.

In addition, many real estate firms are independently owned and have a regional focus, with many professionals mistakenly believing their firm is not large enough to trigger privacy law compliance requirements. Real estate firms also often have lean staffing levels that increase agility but can leave privacy requirements unattended.

Companies in all sectors of the industry need to meet changing consumer expectations, as well. Consumers are increasingly attuned to their privacy rights and are more willing to question the types of information companies collect and how they use it.

Common Shortcomings

Some common privacy-related oversights within the real estate industry include:

  • Inadequate cybersecurity. Real estate professionals routinely use databases with customer, prospect and listing data. You need to ensure an unauthorized user cannot access those systems, and that the data is not being accessed for unauthorized purposes.
  • Poor data retention schedules and practices. Your company’s regulatory obligation to store information safely, and to be able to retrieve it easily, doesn’t end when a transaction closes.
  • Not having a process for responding to customer data requests. You have to be able to fulfill requests to provide, delete or stop sharing customer-related data rapidly. Failing to do so can trigger regulatory inquiries and potentially hefty fines.
  • Not having a data breach notification process. If your company experiences a data breach, you need to be able to notify the affected parties quickly and efficiently.

In addition to protecting electronic records, you have to ensure adequate protection for your physical documents. Although real estate transactions generate less paper than they used to, most companies still have large volumes of documents that need to be safeguarded against unauthorized access.

Vendor Risks

You also need to understand the privacy practices of your vendors and other business partners.

Outsourcing is common in the real estate industry, but you can’t pass along the associated regulatory compliance requirements to your partners. Even if an organization is storing customer data on behalf of your company, for instance, you retain the ultimate liability for any breaches or other unsuitable privacy practices.

Given this risk, it’s important to discuss privacy and data security compliance when negotiating contracts with outsourcing providers, and to review their privacy and security practices on a regular basis.

Paying attention to your privacy practices and policies, as well as those of your partners, will help you ensure you meet your expanding regulatory obligations and avoid potential costs and reputational damage from failing to protect customer privacy.

To learn more about data privacy and compliance, contact our privacy experts.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Bethany Estrada - Consulting | Armanino
Senior Manager
Related News & Insights
SaaS Market Trends
Between the uncertainty of 2022 and the highs of 2021, what will 2023 hold?

December 14, 2022 | 09:00 AM - 10:00 AM PT
Fraud: Current Trends & Hot Topics
Don’t let fraud negatively impact your organization.

December 8, 2022 | 11:00 AM - 12:00 PM PT
Year-End Tax Planning for High-Net-Worth Individuals
Optimize your tax position before December 31.

December 8, 2022 | 09:00 AM - 10:00 AM PT