GDPR Compliance for Realtors

The European Union (“EU”) has enacted a new data privacy law, effective May 25, 2018, which protects the personal data of EU residents. The new General Data Protection Regulation (GDPR) law requires compliance by any entity that holds personal data of an EU resident, so if you own a real estate website that is used by EU visitors, there are some adjustments you will have to make to ensure that your website complies with GDPR guidelines.

How does the GDPR affect your real estate website?

Your website cannot collect or process “personal data” for an EU visitor unless affirmative consent is granted. The GDPR states that EU residents also have the right to access any personal data you have collected from them, they have the right to rectify that data (make changes or revisions), they have the right of erasure (aka the “right to be forgotten”), and more. The National Association of Realtors® has a comprehensive article on this topic which provides greater details on the rights of data subjects here:
https://www.nar.realtor/legal/general-data-protection-regulation-new-eu-data-privacy-law-may-affect-us-businesses

In the conclusion of their article about the GDPR, the National Association of Realtors® writes:

The vast majority of real estate companies and REALTOR® associations may determine that they are not subject to GDPR compliance because they do not collect or maintain personal data of EU residents. For those real estate companies and REALTOR® associations that have personal data of EU residents, and are subject to the GDPR, be sure to take steps necessary to comply.

We concur. Most of our website customers don’t ever work with international clients, and don’t have to worry about the GDPR regulations. However, if you do work with clients from the EU commerce area, or if you just want comply with GDPR guidelines to play it safe, we’ve made it as simple as possible for you.

THE QUICK SOLUTION:
Log into your admin menu, go to Settings > Visitor Registration > Enable GDPR compliance mode, and turn GDPR compliance mode ON. This will cover most of what you need, but to cover all your bases for GDPR, we recommend that you read on.

NAR’s Recommendations

From NAR, the initial steps you should take to prepare for GDPR compliance are:

  1. Conduct a Data Inventory
    Determine what personal data is in the entity’s possession, and where the personal data is located. Personal data may reside in a number of places, including spreadsheets, databases, paper files, or with third parties acting on the entity’s behalf. Once relevant data is identified, determine if there is a need to continue using the personal data and, if not, erase or remove the data from the entity’s system.
  2. Establish Process for Obtaining Consent
    Establish a process to obtain an individual’s affirmative consent to the continued processing of their personal data, as well as from individuals whose data may be collected and processed in the future. For example, an entity could use a direct communication to affected individuals or obtain the required consent through the entity’s website. Creating a pop-up box whenever an individual first visits the website that requires the individual to affirmatively consent to the collection and processing of their data is an effective way to obtain affirmative consent.
  3. Establish Process for Responding to Requests
    Establish a process for how to receive and respond to a data subject exercising their rights articulated in the GDPR.
  4. Contact Data Processors and Amend Contracts
    Address GDPR compliance by data processors acting on an entity’s behalf. Include specific language related to GDPR compliance to new contracts, and be sure to amend existing contracts to ensure the data processor’s GDPR compliance. Be sure to include a requirement that the vendor provide the entity with notice of any data breach, as well as an outline of the data processor’s plans for complying with applicable law related to such breach.

Now let’s run through each of these action items for your iHOUSE website.

1.) Conduct a Data Inventory

Let’s face it. Your website was designed to capture leads, track their activity, store that information, and then use it for marketing purposes. And that’s a good thing. It does this in a number of different ways. Let’s review:

The different ways your website may collect personal data:

  • Registration forms
  • Contact forms
  • Google analytics script
  • Any other third-party tracking scripts you may have added

Data storage locations:

  • TurboLeads CRM
  • MailChimp (if you have an account integrated)
  • Any other third-party CRMs, address books, or databases you may be using

The types of personal data that gets stored:

  • Name and contact information – and any other information they provided in a form
  • Settings and preferences, specifically about what emails they want to receive.
  • The searches and listings they looked at
  • The searches and listings they saved

The ways your website uses that personal data:

  • To send the user HouseTrack emails – about listings that match their saved searches.
  • To send the user marketing emails via MailChimp (assuming that they have opted-in and you have a MailChimp account integrated)

2.) Establish a Process for Obtaining Consent

Your website doesn’t collect personal data right away, so the popup mentioned above is not the approach we’ve chosen. Instead, permission should be obtained at the time of data collection – as checkboxes on a form.

On your contact and registration forms, there are multiple things you need to get explicit consent for, and you need to keep them separate:

  • You need consent to store a person’s data – that is, to store their name, contact info, activity, etc.
  • You need consent to use a person’s data – the main case here is to subscribe them to your marketing email list and send them email campaigns.

Additionally, under the GDPR, these checkboxes cannot start out as checked. They must start out as unchecked. When using our special GDPR mode, we take care of this for you.

We don’t attempt to get consent for generic tracking scripts like Google Analytics. These don’t collect personal data, only aggregate data (assuming that they are configured correctly). You will want to make sure that it’s properly masking the person’s IP address which the GDPR does consider to be personal data. More on that below.

3.) Establish a Process for Responding to Requests

We’ve got this part covered for you. We’re adding a link in the footer of your website for GDPR, and updating your website Terms and Privacy Policy to include instructions on this. Also, as your “data processor”, we’ll facilitate any requests that come in, inform you of what’s going on, and let you know if there’s anything you need to do.

These requests will be one of the following:

  • A person wants you to delete all of their data
    We can take care of that on the website and in TurboLeads. You will have to handle it in any other third-party CRMs, address books, or databases you may be using.
  • A person wants you to stop using their data
    This may be a simple unsubscribe request or a more comprehensive do not contact request. Again, we can take care of the email settings. If they don’t wish to be contacted at all, then you’ll need to remove them from any other third-party CRMs, address books, or databases you may be using.
  • A person wants to see the data you’ve stored for them
    We’ll take care of this. We’ll create a CSV file that contains the contact information we’ve collected, along with any other attached website activity, saved listings, and saved searches.

4.) Contact Data Processors and Amend Contracts

As your website and CRM provider, we are one of your data processors. So is Google if you have Google Analytics integrated. So is MailChimp if you have MailChimp integrated. They each have their own take on GDPR regulations.

We’re not going to require you to sign or click anything, but we have updated our terms and privacy policy to reflect our role as data processor. We’re committed to the security of our website user’s data, as well as to transparency. In the event of a data breach, we’ll let the affected users know how much of their data may have been exposed. Basically, you can rest assured that we as your data processors will be in compliance with the GDPR. We’ve got you covered!

Now that we’ve covered NAR’s recommended action items, let’s talk about Google’s role as a data processor via Google Analytics.

Google Analytics

iHOUSEweb uses Google Analytics across all customer websites for the purpose of aggregate traffic reporting. Additionally, you may have set up your own Google Analytics integration on your website.

By default, Google Analytics does not collect any Personally Identifiable Information (PII), nor do they permit you to do so (it’s a violation of their terms of service). It’s purpose is to collect aggregate data so you can see how much traffic your website is getting, how long people are staying around, how well your pages are converting, etc.

With that in mind, if you are using it “out of the box”, the default settings are generally pretty safe, but there are some things that you should do to cover your bases:

  1. Accept the Data Processing Amendment
    https://support.google.com/analytics/answer/3379636?authuser=1
    This amends your Google Analytics contract and lets you operate your account under the rules and protections of the GDPR. You’ll have to provide them a point of contact among other things.
  2. Check for these additional settings under Tracking Info:
    Setting these prevent Google from tracking an individual user’s actions across multiple sessions. Even though Google keeps the users anonymous here, this is a gray area best avoided.
    Data Retention: “Reset on new activity” should be ON
    User-Id: You should leave this feature OFF.
  3. Anonymize IP’s
    The GDPR considers IP addresses to be personal data, so it’s best to make them anonymous. Google Analytics has a setting that lets you turn this on. What it does is to zero out the last part of the IP address. You can follow Google’s instructions here to change the setting:
    https://support.google.com/analytics/answer/2905384?hl=en
    (If you need help with this, Elite Service would love to take care of this for you!)

GDPR Mode for your iHOUSE website

Navigate to your registration settings in your Admin menu to enable GDPR mode (Settings > Visitor Registration > Enable GDPR compliance mode). This setting alters your registration form to comply with the GDPR, but remember that some GDPR compliance tasks are your own responsibility. We’ll notify you when your action is required, but only you can delete a contact from your own address books, third-party CRMs, etc. If you have any questions, don’t hesitate to call us at 866-645-7700.