U.S. Real Estate Blogs and Websites Should Comply with GDPR by May 25

Introduction

Very little publicity exists in the U.S. about a new European law taking effect on May 25, 2018 known as "GDPR". Sadly, this law applies to every business-oriented app, blog, and website in the world collecting personal information from European users.

The purpose of this law is to protect EU residents from online data breaches of their personal information. It requires the EU user's consent to the collection of his/her personal information and the safeguarding of that information.

Look no further than Facebook’s current scandal involving breaches of users’ personal data as an example of the need for this protection.

Who Warns U.S. Real Estate Agents about GDPR?

The only U.S. Real Estate industry publication warning real estate companies and their agents has been:

Inman (the U.S. real estate information service) last month asked:

“Is your real estate brokerage ready for the General Data Protection Regulation?”

And answered that question with:

“Two-thirds of real estate firms aren't ready, are you?”

In this article, Inman warned,

“If your real estate agency has any dealings with any individuals in Europe” you must comply with GDPR.

The upcoming European Union (EU) law known as GDPR may require your real estate blog and website to comply by May 25 or face heavy penalties, such as a 20 million Euro fine for every violation. Today, that’s $25 million.

How could the EU force U.S. Real Estate Agents to Obey their Laws?

In 2016, for the first time in history, the 28 EU member countries created a law forcing business apps, blogs, and websites worldwide to obey GDPR or face fines so huge that most businesses will go bankrupt.

This new EU law called the General Data Protection Regulation (GDPR) provides global data protection for all EU residents (those legally residing in the EU).

Enforcing Foreign Judgments

The enforcement of foreign court judgments by other countries is a legal specialization. Wikipedia explains it here.

In addition, the majority of U.S. states accept the Uniform Foreign Money Judgments Recognition Act (UFMJRA). The UFMJRA creates a system that allows U.S. state courts to enforce foreign civil court judgments seeking money damages from U.S. citizens.

U.S. Businesses Warned About GDPR

Warnings about GDPR affecting U.S. businesses did not spring up until 2018.

Last January, the Baker Donelson law firm, with 22 offices in 10 states, asked:

“So You Think GDPR Does Not Apply to American Companies? Think Again”.

Then, other established U.S. business publications began warning every American business about GDPR:

Computer Weekly cried, “GDPR fines may affect almost 80% of US firms”

Inc.com declared, “Fifty-Two Percent Of US Businesses Are Affected”

Business.com answered “How GDPR Will Affect U.S. Businesses”

How GDPR affects Real Estate Agents

All it takes is one EU resident to visit a real estate blog or website anywhere in the world and provide personal information.

If an EU resident looking to relocate to the U.S. views your blog or website and becomes a “user” by supplying any type of personal information, the GDPR applies.

EU buyers and renters looking to move to the U.S. often Google local real estate offices and agents to see what is available.

Personal information under GDPR means anything which can identify the EU resident. This includes full name, home or business address, phone number, email address, or computer IP address.

Your blog or website probably asks for personal information in order to communicate regarding future listings, rentals, office space, or to sign up for app or email notices or a newsletter.

Even a One Person Blog

GDPR applies to anyone in business, including one-person businesses, which are called “sole traders” in the GDPR law.

Be Prepared for Future EU Visitors

The only way to know that someone in the EU visited your site and signed up for a newsletter or an email or app alert of future listings or rentals is after the signup.

Then it is too late. The EU visitor became a user by providing personal information which triggers GDPR without you knowing about it in advance.

Protect yourself from unknown EU users by complying with GDPR requirements by May 25.



What GDPR Requires

In a Nutshell: The most important GDPR requirement is that every EU user affirmatively “consents” to your site collecting his/her personal information (data), how you use the data, who you share it with, and how the data is processed and stored.

Consent must be obtained before collecting any personal information (data)!

Where To Get More Information About GDPR

The best information about laws comes from experienced, licensed lawyers.

I found a British website, written by EU lawyers, able to explain the most important facts about GDPR in English. Basic questions are answered, like:

What is the GDPR?

Which businesses are affected by GDPR?

What are the GDPR Penalties?

What type of documentation will be necessary on your site?

CLICK HERE to visit this British website to learn more about the GDPR.

GDPR Harsh Fines

As the screenshot above shows, the GDPR can fine violators up to 20 Million Euros (about $25 million) or 4% of your annual global income.

These fines can bankrupt any small business.

Besides the fines, the individual EU users can file lawsuits seeking money damages for every violation. These class action lawsuits can be very expensive.

U.S. Laws

In addition to including GDPR in your site’s Privacy Policy, the policy must also comply with U.S. privacy laws.

U.S. laws regarding online Privacy and Children are the California Online Privacy Protection Act (CalOPPA) and the U.S. federal Children's Online Privacy Protection Rule (COPPA).

CalOPPA requires every website (regardless of location) to provide a Privacy Policy for California users.

COPPA protects U.S. children under 13 by requiring every site to provide a specific Privacy Policy consented to by the child’s parents or legal guardians before collecting personal information.

Ethical Considerations

The National Association of REALTORS® (NAR) Code of Ethics states in Article 1 that “representing a buyer, seller, landlord, tenant, or other client as an agent, REALTORS® pledge themselves to protect and promote the interests of their client.”

Its Standard of Practice 1-2 states that the duties of the Code of Ethics include all real estate related activities conducted "electronically".

Its Standard of Practice 1-9 states:

“The obligation of REALTORS® to preserve confidential information (as defined by state law) provided by their clients in the course of any agency relationship or non-agency relationship…”

While only NAR members must follow its Code of Ethics, real estate agents in general should be mindful of ethical requirements in the industry.

REALTORS® must protect the interests of their clients including preserving their confidential information "electronically".

Does an EU law designed to protect EU users' online private information worldwide come under NAR's Code of Ethics?

What You can do about GDPR before May 25

Update your site’s Privacy Policy to comply with GDPR requirements.

• Obtain Affirmative Consent from all users since you won’t know which ones are EU residents. Besides, this is a good policy anyway under U.S. laws.

• Update your site’s Privacy Policy to include GDPR, CalOPPA and COPPA laws.

What Documentation is Required by GDPR?

The types of documents required for GDPR compliance are best explained on EU websites.

This EU web page explaining GDPR documentation also provides the reasons for them when you scroll down.

CLICK HERE to learn about required GDPR documentation.

Where to find a GDPR Privacy Policy

While some EU sites provide free GDPR Privacy Policy samples, you must change them and add information to fit your site’s business purposes. You get what you pay for. Some of these free policies are just partial samples and not fully compliant with GDPR. In addition, the sites later explain that the free sample must be updated and offer an expensive GDPR-compliant Privacy Policy.

Since the GDPR is an EU law and not a U.S. law, U.S. lawyers may not be qualified to provide you with a GDPR-compliant Privacy Policy.

Several EU law firms offer GDPR Privacy Policies, but at a high price, around $2,000 USD.

Private EU companies using EU lawyers offer GDPR Privacy Policies for less, around $500 USD.

I found one English-speaking EU company using two EU lawyers and an American attorney to create a U.S. (CalOPPA and COPPA laws) and GDPR-compliant Privacy Policy for around $200 USD.

However, I can’t provide you with links here due to Bigger Pockets policy.

Replace Your Privacy Policy to comply with GDPR and U.S. Laws

If you want a GDPR Privacy Policy to replace the one you have, it is better to get one that complies with U.S. laws and EU laws for your complete legal protection.

This must include CalOPPA and COPPA along with GDPR in one Privacy Policy for your blog or website.

Conclusion

The title above recommends that every real estate blog and website "should" comply with GDPR by May 25.

It is only my recommendation.

Bear in mind the current Facebook data breach scandal, along with the rights of everyone concerning the collection and use of their personal information when they purchase products or sign up for services online.

A State of California law requires every website to include a Privacy Policy informing citizens of California of their online privacy rights.

Now, the EU wants to protect the online privacy of all its residents worldwide.

It's your decision.

Contact Me for Free

I can answer your questions free of any charges regarding the GDPR and a compliant Privacy Policy.

However, I am prohibited from leaving any links or my email address here.

Contact me through the Bigger Pockets message system.

Steven Rich, MBA

Copyright © 2018 – Steven Rich, MBA