GDPR for Real Estate Marketing & IDX CRM

As Real Estate professionals using IDX and CRM marketing systems, you may well have heard of the term GDPR (General Data Protection Regulation) – it’s a hot topic across the web right now, especially with all the data-breaches we keep hearing about!

Simply put, the European Union’s General Data Protection Regulation (GDPR) is a data privacy law that gives European citizens the right to control their personal data.

It takes effect on May 25 2018, and will have broad reaching effect, impacting us all – even in the USA.

What is GDPR?

GDPR stands for the General Data Protection Regulation. It’s a privacy law that was approved on April 14, 2016, by the European Commission to protect the rights of all EU citizens (28 member states) and their personal data.

If you suffer from insomnia and fancy reading the office documentation you can find 11 chapters and 99 articles at, or see the Wikipedia entry.

The GDPR delivers new privacy protections for individuals:

  1. Right to rectification: Individuals can ask that their information be updated or corrected.
  2. Right to be forgotten: Individuals can ask that their information be permanently deleted.
  3. Right of portability: Individuals can ask to have their information transferred to another organization.
  4. Right to object: Individuals may seek to prohibit certain uses of their personal data.
  5. Right of access: Individuals have the right to know what personal data that’s been collected about them and how it’s being used.

Who is Affected by GDPR?

If you aspire to sell second homes or properties to individuals in any of the 28 European Union member countries (UK – yes even after Brexit!, Germany, Italy etc), then GDPR legislation affects you. Specifically, Agents and Brokers that “use” marketing services, (referred to as “data controllers”), as well as service providers such as Blue Fire Group – aka My Buying Buddy (referred to as “data processors”).

What is a Data Processor?

Blue Fire Group (My Buying Buddy) is a processor and is responsible for processing personal data on behalf of a “controller”.

What is a Data Controller?

Agents and Brokers (users of the My Buying Buddy IDX CRM suite) are controllers who determine the purposes and means of processing personal data.

As a controller, you must ensure your contracts with processors comply with the GDPR.

GDPR Has Teeth

The EU regulators can impose fines of up to $24 million US Dollars or 4% of your global turnover for non-compliance.

Don’t panic. At this stage, a move towards compliance is the most constructive action we can all take!

The Impact of GDPR on IDX / CRM Real Estate Marketing

The only lawful basis that gives you the right to market to an individual is one of consent.

The best way of explaining the impact of the GDPR is to give you some tangible examples:

1. Opt In

This is probably the most important concept which means that as marketers, the only lawful basis that gives you the right to market to someone under the GDPR will be if they give you consent.

Most of us are used to the idea of allowing people to Opt Out. But the GDPR requires that options for signing up for your drip campaigns and newsletters must be OPT IN. What this means is that you cannot add people to your drip campaigns automatically without their permission.

2. No pre-checked boxes

You cannot have pre-checked boxes to Opt In to mailings, these must be initially unchecked so the person can explicitly check the box.

3. Granular Opt In

If you collect phone, address, and other info, you must explicitly gain consent to contact people via these methods with checkboxes for each, e.g. “May we contact you by __ Phone   __Email __ Direct Mail.”

4. Data use

You are required to be explicit about what you are going to do with a person’s information, i.e. you can’t collect their information under one pretense and then use it for another.

5. Get Verifiable Consent From Leads

You must get verifiable explicit consent (they have to opt-in) from users who wish to use your services… like your IDX / CRM Registration and Lead Capture forms and any other lead generation tool or product that collects personal information. As the data controller, the burden of proof to show that you have verifiable consent is on you – so make sure that any service you use (e.g. My Buying Buddy) supports you in this.

6. Opt Out

People need to be able to easily opt out of all emails.

7. Website Privacy and Cookie Policy Update

Your website should have a privacy policy that covers all the ways in which you collect and store data.

If you are interested, this online service can help generate GDPR Privacy and Cookie Policy.

8  Website Cookies

If you use cookies on your website, that are NOT used specifically for the operation of your website or application (e.g. For marketing purposes such as Google Analytics), you need to disclose these cookies to your website visitors. Under the GDPR your cookie policy should include:

  • Display of Cookie Policy on your site
  • Get explicit consent from site visitors for installing tracking cookies
  • Only install tracking cookies only once you’ve received consent, not before.

9. Your Technology Must be GDPR Compliant

For most Agents and Brokers, GDPR compliance issues will mainly lie with your technology vendors (e.g. Blue Fire Group / My Buying Buddy) that handle lead information for you. You will need to make it clear on websites as to who those vendors are, with links to the vendor’s privacy policies.

If you have a WordPress website there are a number of GDPR Compliance Plugins that can help you get set up to be compliant.

What is Blue Fire Group Doing to Ensure GDPR Compliance?

Blue Fire Group is taking GDPR seriously and we are working on finalizing our compliance. First of all, we are updating our Terms of Service, Privacy Policy and other policies to ensure that we can address any requests made by our customers related to their expanded individual rights and privacy protections set out above, under the GDPR.

Blue Fire Group and My Buying Buddy IDX CRM in particular already complies with many of the GDPR requirements.

In addition, in our role as Data Processor, we are working on other compliance items including the following, which we will have in place shortly:

Updated Privacy and Cookie Policies

Blue Fire Group is updating its Privacy policy, adding a new Cookie Policy and updating our Terms of Service.

We’ll also be looking at ways to assist all our customers with the display of Privacy and Cookie Policies and Terms of Use on their websites.

My Buying Buddy Cookies

In terms of the cookies that are used by My Buying Buddy widgets in your website, much of these are seen as intrinsically part of the application and do not contain any Personally Identifiable Identification (PII). In turn, these cookies don’t need any additional disclosures outside of what you’ll need for the rest of the cookies on your website.

Opt In – On Lead-Capture and Registration Forms

We will implement methods to add opt-in checkboxes to indicate acceptance and consent and acceptance of the privacy policy, cookie policy, and terms of use, along with links to each of these policies.

Deleting Leads

When a lead it is deleted, all records will be removed from our servers.

Lead Self-Deletion

We will implement a method that allows Leads to cancel their My Buying Buddy registration and delete all their information completely themselves.


Although GDPR is a European initiative, we are all obliged to take serious notice. After all, there are many Europeans who want to buy a second home in the USA – and if they use your website then GDPR applies to you.

This article is not meant to provide legal advice. If you are in the EU or target or serve people in the EU, then it would be wise to have a lawyer review what you need to do.

Blue Fire Group will be assisting you, our customers with GDPR. We will be implementing methods over the coming days and weeks to make this easier for you.

Leave a Reply

Your email address will not be published. Required fields are marked *