While much of the discussion around the California Consumer Privacy Act (CCPA) has centered around organizations that collect personal information online, less attention has been directed to the requirements that may come into play when personal information is collected offline. We recently wrote about how CCPA applies to the restaurant industry specifically (you can read that blog here), but there is no question that many other industries and businesses really ought to be paying close attention to CCPA and how to comply with the various requirements. One of those is commercial real estate.
On a recent visit to a client’s office in the San Francisco financial district, I arrived in the lobby of a large commercial office building and headed to the security desk. As is common, I was asked for my ID, which I promptly surrendered. I am accustomed to having security personnel look at my ID and hand it back immediately, but this time, the gentleman behind the counter actually wrote down the details of my information before handing back my ID. As it happens, the process was slow enough to give me time to look around for some privacy notice or reference to privacy practices – something that has become a bit of a habit for a privacy practitioner like myself, post-CCPA. Unsurprisingly, there was no privacy notice (or reference to a privacy notice) to be found – be it on the counter, the wall behind the counter, or anywhere else. I asked the security guard where I might be able to locate a privacy notice, but when he looked at me like I was speaking a foreign language, I knew better than to insist.
As I made my way to the elevator, I quickly did some math and concluded that the owner of (or company managing) this massive commercial building must surely be subject to CCPA. What’s more, I had just handed over the details of my California ID, yet had no idea whatsoever what company was collecting it, how my information would be secured, how long it would be retained, and to whom it might potentially be disclosed. Granted, the security guard had transcribed my ID details by hand, but how are those handwritten logs stored, and where? And who’s to say this information isn’t then entered into a computer system at the end of each business day? I arrived for my meeting and quickly turned my attention elsewhere, but this occurrence made me realize just how much personal information collected offline has been overlooked in all of the CCPA frenzy.
While the commercial real estate company (or property manager) at the center of my story may otherwise have taken steps to comply with CCPA, one glaring detail was clearly overlooked: transparency and notice at the time of collection of my personal information. To be clear, CCPA requires more than a well-drafted privacy policy: it requires a covered business to provide consumers with clear and effective notice of its privacy practices at or before the time of collection. Further, such notice must be visible or accessible where consumers will see it before any personal information is collected. Thus, at a minimum, the commercial real estate company – or the security company to which it may have outsourced on-premises security, as the case may be – must provide a notice of privacy practices, even for data collected offline, in some conspicuous manner at or before collection. This could potentially take the form of a conspicuous reference to an online privacy notice (e.g., on a sign in the lobby). In addition, the security attendant should be capable of answering relevant questions or directing visitors appropriately, if asked.
Security obligations should also be top of mind. The fact that the personal information in this instance was collected offline makes this requirement no less applicable. In fact, this is a key point because CCPA grants consumers a limited private right of action, including the right to seek statutory damages, for the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information. While this new cause of action represents a significant change in existing cybersecurity litigation, it is by no means an unlimited right (nor is it automatic). However, it will come into play in connection with certain breaches of more “sensitive” types of personal information that are not encrypted or redacted – and this includes government-issued IDs. In other words, in addition to providing notice to individuals at the time of collection about how the personal information will be used, the property management company should review its security policies and procedures to ensure that the personal information it collects when people stroll into the lobby is reasonably secured.
What are the risks of failing to do so? This depends, but they could include (a) in the worst case, a security breach that “fits the bill” and ends in a class action lawsuit, or (b) in the best case, a complaint to the California Attorney General. Until enforcement of CCPA begins in July 2020, or until a major class action lawsuit is filed for a security breach under CCPA’s private right of action, nobody has much visibility on how things will play out. The California Attorney General does not have unlimited resources, so this will be interesting. In the meantime, for some high-level points on how to address the offline collection of personal information, I would again refer you back to our last blog post. Although geared toward the restaurant industry, it touches on some of the questions that come up for many brick-and-mortar companies dealing with data collected offline.
Leaving aside the offline collection of personal information at the point of entry, there are plenty of other forms of data collected “online” in the real estate space, and those too should be regularly re-evaluated. Commercial real estate increasingly means “smart buildings”. A 2016 Deloitte report predicted that the new mantra in commercial real estate would be location, information, analytics. In a recent 2020 outlook report, Deloitte points out that the industry has evolved even further and that “the most successful commercial real estate companies could follow the mantra: location, experience, analytics.” Commercial (and some residential) buildings today are full of IoT-connected devices, sensors and myriad technology-assisted mechanisms or devices designed to measure and control entry/egress, monitor the use of certain spaces or provide various usage metrics (just to name a few). As buildings get smarter, the data footprint increases. What’s more, many of these technologies also control other aspects such as HVAC, lighting and WiFi, which can trigger security issues. As we know from Target’s massive data breach linked to a third-party HVAC vendor in 2013 (and many other high-profile data breaches since then), poor security practices and vendor management can lead to massive data security incidents.
Bottom line? If your organization collects or handles personal information (and/or relies on service providers to do so), privacy should be front and center. As technology merges with every aspect of operating a building, privacy and security practices should be regularly assessed to ensure compliance with applicable laws, beginning with CCPA. In fact, we can’t stress this enough for all types of companies: the more quickly they address privacy and security in their day-to-day operations, the better equipped they will be to face the oncoming onslaught of broader and stronger privacy and security laws.