While much of the discussion around the California Consumer Privacy Act (CCPA) has centered around organizations that collect personal information online, less attention has been directed to the requirements that may come into play when personal information is collected offline. We recently wrote about how CCPA applies to the restaurant industry specifically (you can read that blog here), but there is no question that many other industries and businesses really ought to be paying close attention to CCPA and how to comply with the various requirements. One of those is commercial real estate.
On a recent visit to a client’s office in the San Francisco financial district, I arrived in the lobby of a large commercial office building and headed to the security desk. As is common, I was asked for my ID, which I promptly surrendered. I am accustomed to having security personnel look at my ID and hand it back immediately, but this time, the gentleman behind the counter actually wrote down the details of my information before handing back my ID. As it happens, the process was unusually slow enough to give me time to look around for some privacy notice or reference to privacy practices – something that has become a bit of a habit for a privacy practitioner like myself, post-CCPA. Unsurprisingly, there was no privacy notice (or reference to a privacy notice) to be found – be it on the counter, the wall behind the counter, or anywhere else. I asked the security guard where I might be able to locate a privacy notice, but when he looked at me like I was speaking a foreign language, I knew better than to insist.