
A New Firewall – Multifamily Data Privacy and Security in the Age of Smart

In the wake of increasingly frequent and severe data breaches, legislators are moving to protect their constituents. On June 28, 2018, California enacted the most comprehensive consumer privacy law in the United States to date, the California Consumer Privacy Act of 2018 (CCPA). The law took effect on January 1, 2020, and enforcement by the California Attorney General is expected to begin July 1 of this year. It has similarities to the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018 and expanded a prior set of guidelines and directives granting individuals certain rights with respect to their personal data. Of note, six states began pursuing comparable legislation in 2019, and several others are already pursuing a variety of tangential legislation. CCPA is likely to fuel further demand for a federal privacy act.

What is CCPA and to whom does it apply?

The CCPA is a comprehensive data protection law that expands and defines the rights of consumers and the obligations of businesses. Beyond civil penalties collected by the Attorney General, it creates a private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident paid directly to the consumer (as opposed to prior laws that paid out to organizations or the government). This is likely to incentivize greater awareness and activity among California residents and in fast-follow states. CCPA aims to protect a broad swath of “personal information” with a minimum standard of responsibility and governance by corporations. California consumers have the right to know which categories of personal information a business has collected about them and whether a business has sold any personal information or disclosed it to third parties. CCPA applies to for-profit businesses doing business in California that meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving half or more of annual revenue from selling personal information. Note that devices count toward the 50,000 threshold, which a connected-device provider can reach quickly. And while actual enforcement will elucidate the future for plaintiffs and defendants alike, any good plaintiff’s attorney will include every possible defendant party. This is definitely an opportunity for real estate owners and operators, as well as their PropTech partners, to invest in an ounce of prevention to avoid future pain.

What is PropTech?

PropTech is the convergence of emerging and connected technologies, both software and hardware, with commercial and residential real estate assets. It is, in effect, the digital transformation of real estate assets and their ecosystems (think Smart Cities). PropTech touches construction (sometimes called ConTech), buying, selling, leasing, renting and managing real estate, and all of the work that goes with each, as an endeavor to maximize net operating income through efficiencies and automation. Given the broad and deep reach of these technologies, it is worthwhile to pause and consider the massive amounts of data collected and utilized in each, especially with more than 2,000 PropTech companies in the US alone.

The impact on Smart Apartments

Smart Apartments are no exception to the massive amounts of data garnered and ostensibly utilized to optimize operations; they can include any number of connected devices supported by software in units and possibly in common areas. Smart Apartments are being installed in both new developments and retrofitted into existing buildings, and not without a bit of controversy. An estimated quarter of new developments in the United States included some form of smart device with related software in 2019, and that share is expected to rise in 2020. Additionally, as new developments compete with existing multifamily stock, retrofit opportunities rise as owners attempt to differentiate to recruit and retain residents, all leading to more devices and more data.

Most widely adopted by owners and operators in multifamily are “fixture” devices that usually stay with the building, think electronic access systems, including exterior access points like gates and garages, entry access like vestibules, common area access points for amenities, and unit door locks. This data collection alone is making plenty of consumers more than a little concerned. Add to that thermostats, lighting, hot water heaters and various sensors, not to mention voice recognition and cameras, and one can easily anticipate the consumer’s trepidation.

Applied to Smart Apartments, CCPA has far-reaching ramifications. Owners and operators, integrated software providers of property management systems (PMS), software and hardware providers, and hybrids thereof are all within scope once they meet CCPA’s modest business thresholds. CCPA applies to all personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. This is often referred to as PII (personally identifiable information), though the CCPA definition is broader than traditional PII and explicitly reaches household-level and device-level data.

The data the devices described here deliver to the parties above most certainly qualifies. California consumers have the right to request deletion of personal information collected from the consumer at each level of collection (but not information obtained from third parties). Some exceptions exist, a few of which align directly with the stated intent of smart apartment providers, for instance detecting security incidents and protecting against malicious, deceptive, fraudulent or illegal activity.

Additionally, companies are required to inform consumers of the categories and purposes of information collected at or before the point of collection, and to give consumers the right to receive their information upon request. While consumers have a right to opt out of having their data sold, CCPA does not go so far as to allow an opt-out of collection. For smart apartment providers, these shouldn’t create onerous burdens, as end user license agreements, terms of service and privacy agreements are already presented as in-app opt-ins. To best serve wary residents, multiple opt-out options (some required by CCPA) and darkened data (no collection or retention) for occupied units are absolute necessities, even though they go a step beyond what the law requires.

Can Data Privacy exist without Data Security? Not for long.

Finally, there can be no guarantee of data privacy without data security. While CCPA includes a duty to implement and maintain reasonable security procedures and practices, owners and operators should push providers for details. California is also in the early stages of grappling with the challenges of our intensely connected world through SB-327, which since January 1, 2020 requires manufacturers of connected devices sold in the state to equip them with “reasonable security features” appropriate to the device’s nature and function and to the information it collects; for devices that accept authentication from outside a local area network, that means at minimum either a unique preprogrammed password per device or forcing the user to set a new credential before first access. PropTech companies should regard this as a harbinger of legislation to come and expand, not an endpoint.

Recommended steps for owners and operators include requesting geographically relevant policies, which ideally are applied uniformly regardless of geography. Requesting SOC 2 (System and Organization Controls) reports gives owners and operators independent attestation of how service providers protect and ensure the accuracy of their clients’ information, but only for the criteria and period in scope: ask for a Type II report, which covers the operation of controls over a period of months rather than a point-in-time design review, and check which criteria were included, since only Security is mandatory. The five areas that SOC 2 covers, the Trust Services Criteria, are Security, Availability, Processing Integrity, Confidentiality and Privacy, and the report is only useful if the owner or operator is capable of digesting it meaningfully. Also important to data security assessments are a security overview walkthrough, penetration testing results (with exact vulnerabilities redacted), and static code review results. These are starting standards and, while not yet mandated by legislatures, can provide that ounce of prevention to owners and operators today, before an incident occurs. The bad actor scenarios of single-family stories on the nightly news become 300x greater per building under the wrong multifamily circumstances.


Wise PropTech companies will note Jumpshot’s downfall and, at a minimum, act in full compliance and with transparency regarding their data usage and sale; optimally, they will drop any plan that counts selling data as part of their valuation strategy. The wise real estate owners and operators investing in the companies or the technology will know, or learn, the difference.