Real Estate Companies Face New Privacy Regulations and Challenges

Data Privacy Regulation & Risk Mitigation for the Real Estate Industry

by Pippa Akem
June 02, 2021

Updated June 26, 2023

In the face of expanding regulatory requirements and heightened consumer expectations, companies can no longer afford to ignore privacy issues and the protection of customer data.

New privacy requirements are mandated under the California Privacy Rights Act (CPRA) as well as Europe’s General Data Protection Regulation (GDPR), and mandates may be added under similar legislation being debated in many other U.S. states.

Beyond the regulatory requirements, however, creating and demonstrating effective privacy policies and practices can pay tremendous dividends by increasing consumer trust in your company and its professionals, and helping you avoid potential privacy-related fines.


In broad terms, the CPRA grants consumers rights that include the ability to ask:

  • Whether their personal information is being collected, and why the business is collecting that data
  • Where the company is obtaining that information
  • Whether and how that data is being shared with other parties

The legislation also gives consumers the right to request that a company stop sharing any personal information related to them, as well as to delete any personal information it may be storing.

Because the California law extends privacy protections to the residents of that state, regardless of where the business is located, many companies are likely to have compliance requirements that they may not be aware of.

Similarly, the GDPR restricts how companies, regardless of location, can collect, use, store and share personal data related to customers in the European Union without their consent. Companies must disclose the data they are collecting and how they plan to use and store it, and must give consumers a way to request the deletion of their personally identifiable data.

Any U.S. company doing business in Europe needs to be aware of, and comply with, GDPR requirements and practices.

Increasing Data Privacy Regulation and Real Estate Technology

In addition to GDPR and California’s landmark CPRA, 28 other states had adopted (or were debating) a variety of privacy-related laws as of August 2021. The growing regulatory focus on data protection is especially relevant for real estate, given the industry’s increasingly tech-reliant posture. As new technology platforms transform the real estate industry, the volume of customer and transaction data is exploding — as is the need for real estate companies to maintain effective privacy protections.

One example of the new legislation is in New York City, which passed a law restricting landlords' and property managers' use of data related to keyless entry cards to limited purposes such as granting access to a building or a common area. Companies must use only the minimum data required to control access, must encrypt that data, and must follow strict guidelines for data removal, deletion and anonymization. Violations can result in regulatory fines or private litigation.

Despite privacy concerns, property management firms have legitimate reasons to collect and analyze the rich supply of data keyless card systems can offer about how facilities and amenities are being used. For instance, understanding how many people are in hallways or other common areas at different times of the day can provide insights into when heating and air-conditioning systems can be adjusted to increase efficiency.

This data, however, needs to be anonymized to ensure the keyless entry system is not tracking tenants or guests as they move around the property. It can be useful for a property manager to understand how many people are coming and going from a building or a garage in the overnight hours, but they need to store and analyze this data without tracking specifically who those people are.

Industry-Specific Privacy Risks for Real Estate

Privacy and data protection are relatively new considerations for real estate companies, despite the tremendous amount of personally identifiable consumer information they accumulate in the course of business. Depending on which sector your company is involved with, this can include personal and financial data related to investors, current and prospective tenants, property owners and other stakeholders.

The real estate industry also has some other factors that can increase privacy-related risks. For instance, the industry specializes in completing complex transactions quickly, and up until now privacy considerations haven't been major factors in this process.

In addition, many real estate firms are independently owned and have a regional focus, with many professionals mistakenly believing their firm is not large enough to trigger privacy law compliance requirements. Real estate firms also often have lean staffing levels that increase agility but can leave privacy requirements unattended.

Companies in all sectors of the industry need to meet changing consumer expectations, as well. Consumers are increasingly attuned to their privacy rights and are more willing to question the types of information companies collect and how they use it.

Common Real Estate Privacy Shortcomings

Some common privacy-related oversights within the real estate industry include:

  • Inadequate cybersecurity. Real estate professionals routinely use databases with customer, prospect and listing data. You need to ensure an unauthorized user cannot access those systems, and that the data is not being accessed for unauthorized purposes.
  • Poor data retention schedules and practices. Your company’s regulatory obligation to store information safely, and to be able to retrieve it easily, doesn’t end when a transaction closes.
  • Not having a process for responding to customer data requests. You have to be able to fulfill requests to provide, delete or stop sharing customer-related data rapidly. Failing to do so can trigger regulatory inquiries and potentially hefty fines.
  • Not having a data breach notification process. If your company experiences a data breach, you need to be able to notify the affected parties quickly and efficiently.

In addition to protecting electronic records, you have to ensure adequate protection for your physical documents. Although real estate transactions generate less paper than they used to, most companies still have large volumes of documents that need to be safeguarded against unauthorized access.

Mitigating Real Estate Data Privacy Risks

Technology has infused nearly every process in real estate sales, leasing, financing and property management. For instance, if a consumer conducts a basic property search online and enters their contact and financial information to learn more about the property or their financing options, that inquiry will likely trigger a preliminary credit analysis — and the sale of their information to local agents and lenders who have business relationships with the property-search platform.

Each company that receives the consumer’s information needs to have policies and practices to mitigate the risk of that data being accessed inappropriately and the company facing potential regulatory inquiries and fines. At a minimum, real estate companies need to understand:

  • The types of data flowing in and out of the organization
  • Who can access that data, and for what reason
  • Whether the sensitive data is encrypted while it is stored
  • How the company will respond to customer requests that it stop sharing any

Applying “privacy by design” principles as corporate policies are developed will help ensure that data is obtained only for business purposes, that your company doesn’t collect data it doesn’t need, that the data has appropriate privacy and security controls, and that data is disposed of properly after its useful life.

Real Estate Data Storage and Retention

Real estate companies also have to be sure their data retention policies are aligned with their business needs. For example, a hotel may only need to store guest information for six to 12 months, unless the guest opts into receiving marketing campaigns. In contrast, a company managing apartment complexes will want to retain lessee data for the duration of the tenancy.

Similarly, real estate funds need to store personal and financial data about current investors but may need to archive or discard information related to former clients and former investors, in alignment with the company’s retention policy. (It’s important for funds to check with legal counsel about record retention requirements in the jurisdictions where their clients reside.)

Vendor Risks

You also need to understand the privacy practices and policies of your vendors and other business partners, both to ensure regulatory compliance and to minimize potential liability stemming from the misuse of data by a business partner.

Outsourcing is common in the real estate industry, but you can’t pass along the associated regulatory compliance requirements to your partners. Even if an organization is storing customer data on behalf of your company, for instance, you retain the ultimate liability for any breaches or other unsuitable privacy practices.

Given this risk, it’s important to discuss privacy and data security compliance when negotiating contracts with outsourcing providers, and to review their privacy and security practices on a regular basis.

Are Your Data Privacy Practices Up to Speed?

Understanding and mitigating the rapidly growing risks around privacy in the real estate industry is a critical priority to avoid potential costs and reputational damage for your business. Contact the Data Privacy experts at Armanino to learn how you can achieve regulatory compliance and manage the full spectrum of real estate privacy concerns, including Cybersecurity Consulting services to help you protect sensitive client data.
