By Anita Clark
General Data Protection Regulation (GDPR) is the talk of the internet. Attorneys in the European Union and the United States are being bombarded with questions about the GDPR.
Companies and website owners are scrambling as the deadline to have the regulation in effect is fast approaching. It covers your websites and all your systems, such as DocuSign documents and any cloud storage you are using that holds personal data of any citizen of the EU.
I would love to be the bearer of glad tidings and tell you that real estate agents are exempt from the enforcement of this regulation. But that’s just not the case. While GDPR has already been around for a couple of years, it’s the May 25 deadline that has everyone paying attention because this is when the enforcement and fines begin.
The fines are steep, scary, and worthy of attention: 20 million euros or 4 percent of a company’s annual global income. (Learn more in REALTOR® Magazine’s article and video.)
How in the world would the EU regulatory commission be able to enforce such fines on U.S. citizens, including real estate professionals who own websites, real estate companies, REALTOR® organizations, and others? Check out more information about GDPR here. EU regulators can fine U.S. companies for violating GDPR, and they will do it with the help of U.S. authorities. They do it by international law, jurisprudence, and authority.
What is this GDPR and what does it have to do with each of us?
It is an EU regulation that governs the privacy and data of EU citizens no matter where they are living, and it includes other countries in the European Economic Area. The regulations require total transparency about what private data is collected. For example, in the United States we consider social security numbers, bank information, and things like that highly private.
GDPR is turning opt-out policy protocols on their head. According to GDPR, websites and other online platforms must now be opt-in. This means a visitor from the EU must give express consent in advance on your website, through a terms of use page or pop-up window. Private data of EU citizens includes names, phone numbers, addresses, email addresses, and even IP addresses and cookie identifiers. We have never presumed that IP addresses are private data in the past.
But GDPR goes even further. It includes:
- Any information pertaining to a person
- Location data
- Genetic
- Mental
- Economic
- Social identity
- Physiological
- Cultural
Here is an infographic from i-SCOOP:
What does all this mean to us in the United States who own websites or receive leads from online sources?
If you own a website and have an IDX on your website, or have a newsletter sign-up form, a listing alerts sign-up form, a contact us form, a "what is my home’s value" form, or a free offer of any kind, you will need to make some changes to the way you are handling the data of EU citizens. If you track any data on your website with Google Analytics, Facebook pixels, or tracking of any other kind, you must get permission to track EU citizens.
I am not an attorney so please seek legal advice on what exactly you need to be adding or deleting from your website and forms, etc.
It is not enough to rely on your IDX vendors or website providers if you have templated websites. You are considered the controller and the IDX company is considered the processor. You, as the controller, have the ultimate responsibility over the private data of your website visitors. So it’s not enough to just call your hosting company, IDX provider, and CRM companies and then lean on them for their part. You are the sole responsible person for private data, including all the kinds I listed above, on your website, in your CRM, on your personal email list, and in your texts on your mobile phones.
This includes their “right to be forgotten” which also is included in the GDPR. The right to be forgotten means that any EU citizen can request their private data be deleted completely and fully from all online and offline places and things and files, etc.
Now, what to do with all this information?
If you get buyers from foreign countries in Europe or any country where EU citizens may be, you will need to make changes to your privacy policy, your forms on your websites, and any other correspondence on the internet, at the point of entry and throughout the process.
- Make sure that your privacy page is visible from your homepage on your website.
- Have a pop-up on your homepage that opens when your visitor arrives that lets them know about your cookies and tracking, and asks for express permission.
- Have your “right to forget” form on your privacy page.
- Make sure the boxes to check on your opt-in forms are very clear and that the visitor is giving permission.
Those of you who are local real estate agents with no internet traffic from EU citizens would likely fly under the radar. I have heard EU attorneys state that the GDPR governing body will likely give you a chance to fix what is wrong if some EU citizen makes a privacy claim against you.
However, it is highly recommended to start making your websites comply now if you have not yet done so. This is the advice of EU attorneys and United States attorneys, including the legal counsel of the National Association of REALTORS®.
Anita Clark is a residential real estate agent with Coldwell Banker SSK, REALTORS®, in Houston County, Ga. She is from Coventry, England, is a retired military spouse, and has been assisting buyers, investors, and sellers in middle Georgia since 2007. Connect with Anita on Facebook, Google+, LinkedIn, Twitter, Pinterest, YouTube, or on her Warner Robins GA Real Estate Blog.