General Data Protection Regulation (GDPR) is the talk of the internet. Attorneys in the European Union and the United States are being bombarded with questions about the GDPR.
Companies and website owners are scrambling as the deadline to have the regulation in effect fast approaches. The regulation covers your websites and all your systems, such as DocuSign documents and any cloud storage you are using, that hold any personal data of any citizen of the EU.
I would love to be the bearer of glad tidings and tell you that real estate agents are exempt from the enforcement of this regulation. But that’s just not the case. While GDPR has already been around for a couple of years, it’s the May 25 deadline that has everyone paying attention because this is when the enforcement and fines begin.
How in the world would the EU regulatory commission be able to enforce such fines on U.S. citizens, including real estate professionals who own websites, real estate companies, REALTOR® organizations, and others? Check out more information about GDPR here. EU regulators can fine U.S. companies for violating GDPR, and they will do it with the help of U.S. authorities. They do it by international law, jurisprudence, and authority.
What is this GDPR and what does it have to do with each of us?
It is an EU regulation that governs the privacy and data of EU citizens no matter where they are living, and it includes other countries in the European Economic Area. The regulations require total transparency about what private data is collected. For example, in the United States we consider Social Security numbers, bank information, and things like that highly private.
What does all this mean to us in the United States who own websites or receive leads from online sources?
If you own a website and have an IDX on your website, or have a newsletter sign-up form, a listing alerts sign-up form, a "contact us" form, a "what is my home’s value" form, or a free offer of any kind, you will need to make some changes to the way you are handling the data of EU citizens. If you track any data on your website with Google Analytics, Facebook pixels, or any tracking of any kind, you must get permission to track EU citizens.
I am not an attorney so please seek legal advice on what exactly you need to be adding or deleting from your website and forms, etc.
It is not enough to rely on your IDX vendors or website providers if you have templated websites. You are considered the controller and the IDX company is considered the processor. You, as the controller, have the ultimate responsibility over the private data of your website visitors. So it’s not enough to just call your hosting company, IDX provider, and CRM companies and then lean on them for their part. You are the sole person responsible for private data, including everything I listed above, on your website, in your CRM, on your personal email list, and in the texts on your mobile phones.
This includes their “right to be forgotten,” which is also included in the GDPR. The right to be forgotten means that any EU citizen can request that their private data be deleted completely and fully from all online and offline places, things, files, etc.
Now, what to do with all this information?
Make sure that your privacy page is visible from your homepage on your website.
Have a pop-up on your homepage that opens when your visitor arrives that lets them know about your cookies and tracking, and asks for express permission.
Have your “right to forget” form on your privacy page.
Make sure the boxes to check on your opt-in forms are very clear and that the visitor is giving permission.
Those of you who are local real estate agents with no internet traffic from EU citizens would likely fly under the radar. I have heard EU attorneys state that the GDPR governing body will likely give you a chance to fix what is wrong if some EU citizen makes a privacy claim against you.