Inman

The real estate privacy scare

Editor’s note: Privacy and real estate are intertwined in many ways. This three-part series explores the Patriot Act and its impact on real estate companies, what the industry is doing about privacy compliance, and how realty professionals are protecting their businesses and clients. (See Part 1: Your home vitals on the Web and Part 3: Patriot Act puts a chill in real estate.)

The privacy policy at Realtor.com, a National Association of Realtors-affiliated Web site is 10 pages long if you decide to print it out. If you read it on your computer screen, that’s a lot of onscreen mouse-scrolling. But it is light reading compared with the 45-page final federal rule that stems from the federal Gramm-Leach-Bliley Act of 1999. That act applies to real estate privacy for appraisers, mortgage lenders and mortgage brokers, among others.

The list of federal and state privacy laws is, in itself, a lengthy read, and real estate associations have worked to keep members abreast of new and pending laws in the privacy arena.

But as a practical matter, enforcement of the laws is weak, and consumers often have little recourse even if there are privacy violations. In this modern economy that is increasingly linked to the collection, control and transfer of data, the privacy issue will continue to be a matter of public debate and a factor in public policy, they say.

“I don’t think there’s any question right now that privacy laws are going to become some of the more prevalent laws passed,” said Mark G. McCreary, a lawyer at Fox Rothschild in Philadelphia who is an expert on intellectual property law, Internet law and privacy law. “I think they’re overdue at this point.”

Existing privacy laws don’t offer a lot of recourse for consumers in the event their private information is released, he said. “You have to prove how you were hurt–without proving damages you don’t have much to go on,” McCreary said.

While many states have passed privacy laws, new federal legislation could give legislative teeth to these state laws, he said, especially as they related to e-commerce. In the case of junk e-mail, often referred to as spam, he said there are so many companies that don’t play by the rules and existing legislation has not been effective.

So far, there haven’t been a large number of enforcement actions taken for privacy violations, McCreary said. “It has been quite limited in scope–it has not been significant,” he said. And because of this, it’s quite possible that some companies are knowingly violating the rules and banking on the assumption that they will not get caught. He said these companies may be “ignoring the law–’Take your chances and hope you don’t get caught.'”

Is the real estate industry being responsible about protecting consumer privacy? Take a survey.

Large financial services companies, such as banking and credit firms, are most likely to abide by privacy rules, he added, as they may have the most to lose. But corporate policies are not enough to guard against privacy breaches. There have been cases where employees have stolen data from their employers for the purpose of using, selling or transferring that data. And security breaches can also come in the form of outside cyber-attacks that are aimed at gaining access to customer or employee personal information.

Linda M. Johnson, a spokeswoman for the National Association of Realtors, said the association launched a Realtor Secure certification program last year that sets standards for data security. In order to receive certification, companies must complete a self-review, select a third-party evaluator from a list and undergo a final approval and certification by the association’s Center for Realtor Technology.

Realtors’ telemarketing efforts are also subject to Do Not Call and Do Not E-mail laws, Johnson said, and the association has produced a list of questions and answers regarding these laws and produced a field guide to aid members about this anti-solicitation legislation. Our state associations have undertaken similar educational efforts to keep their members up-to-speed,” she said.

The association collects home address and home phone numbers of its more than 1 million members, but does not display this information online in any directories, Johnson said. “In addition, anti-screen-scrapping techniques have been implemented to prevent the collection of public information on our members by automated means,” she added. And the association pays two outside firms to perform security scans of its network seven times a year, she said.

“MasterCard requires NAR to pass four security scans annually in order to continue use of their services,” she said. “In addition, NAR independently has three penetrations tests performed to determine if any weaknesses exist in the network. If any are discovered, they are immediately resolved.”

The association, which has a strong lobbying arm, is now keeping a close eye on federal legislation that applies to the use of faxes, and is also following the provisions of the Fair and Accurate Credit Transactions Act that relate to affiliate sharing of consumer information for marketing purposes, Johnson added.

June Barlow, general counsel for the California Association of Realtors, said Realtors typically don’t handle the type of consumer personal information that is at the core of many privacy laws, and as a result real estate agents are largely “at the edges” of privacy legislation unless the real estate brokerages are also in the mortgage loan business. The information that is typically the subject of privacy laws is more applicable to mortgage loan companies, she said.

The California Online Privacy Protection Act, a new privacy law in California that went into effect July 1, shouldn’t have much impact for the online real estate industry, she said. “The people who are in the online world…pretty much stay on top of that,” she said, and the legislation was “not remarkable” among the hundreds of other pieces of legislation that the association tracks for its membership each year.

If the association received a consumer complaint related to privacy, Barlow said it would likely direct that complaint to the real estate broker who is the subject of the complaint. “We’re not a decision-maker in that. That is something that would be between the consumer and the broker.”

The Direct Marketing Association, a trade association that represents direct, database and interactive global marketers, and has about 4,700 member companies in the U.S. and abroad, has a committee that reviews complaints relating to consumer privacy. “We do monitor and make sure that these companies are doing what they say they are doing,” said Jordan Cohen, public policy manager and spokesman for the association.

The group opposes spam, as it muddies the “effectiveness of legitimate commercial e-mail,” said Cohen. “We support all kinds of legal action against spammers.” The group regularly communicates to members to keep them informed about privacy laws, he added. “Our advice is generally to take the most restrictive (path) when there’s a lack of clarity,” he said. The latest briefing to members, released this week, relates to the need for marketers to get up to speed in e-mail authentication technology trends so that they can continue to send marketing e-mails.

Cohen said federal laws seem to be the most effective at regulating online companies. “Everything regulating the Internet we think should be at a federal level,” he said. “E-commerce has a lot of promise,” he said, and it’s important to “allow businesses to operate in a manner that they can remain viable or even prosper.”

The association maintains its own do-not-call, do-not-e-mail and do-not-mail lists.

Peter P. Swire, a law professor at Ohio State University in Columbus, Ohio, who served as U.S. chief counselor for privacy from 1999-2001 under the Clinton Administration, said, “The rise of the Internet made privacy a concern. The rise of e-commerce made privacy a bigger concern.”

Swire said lenders, as participants in mortgage transactions, “had incentives for a long time to share customer information.”

With the spread of e-commerce, it can be difficult for consumers to track the sharing of personal information between companies, Swire said. “For customers, it’s hard to know where the data is going. Consumers’ biggest concern is that the data will be sent to unknown third-parties,” he said.

He noted that there haven’t been a lot of enforcement actions relating to privacy violations under the Gramm-Leach-Bliley Act, “Perhaps because the major players are basically complying.” The penalties for violations have the potential to “get very serious, very quickly,” and can include severe fines and even cease-and-desist orders, he said.

Those companies that choose to ignore privacy laws could face consumer and regulator wrath if they are caught, he said. “If real estate companies surprise their customers in how they use data, they run a political risk and public-relations risk. It might seem worth it to grab data and use it in a very aggressive way, but Gramm-Leach-Bliley…and other laws show that Congress will react if the industry violates customers’ expectations.”

Tomorrow: The Patriot Act: what real estate businesses need to know.

***

Send tips or a Letter to the Editor to glenn@sandbox.inman.com or call (510) 658-9252, ext. 137.