GDPR for Real Estate Marketing & IDX CRM
As Real Estate professionals using IDX and CRM marketing systems, you may well have heard the term GDPR (General Data Protection Regulation) – it’s a hot topic across the web right now, especially with all the data breaches we keep hearing about!
Simply put, the European Union’s General Data Protection Regulation (GDPR) is a data privacy law that gives European citizens the right to control their personal data.
It takes effect on May 25, 2018, and will have a broad-reaching effect, impacting us all – even in the USA.
What is GDPR?
GDPR stands for the General Data Protection Regulation. It’s a privacy law that was approved on April 14, 2016, by the European Commission to protect the rights of all EU citizens (28 member states) and their personal data.
The GDPR delivers new privacy protections for individuals:
- Right to rectification: Individuals can ask that their information be updated or corrected.
- Right to be forgotten: Individuals can ask that their information be permanently deleted.
- Right of portability: Individuals can ask to have their information transferred to another organization.
- Right to object: Individuals may seek to prohibit certain uses of their personal data.
- Right of access: Individuals have the right to know what personal data has been collected about them and how it’s being used.
Who is Affected by GDPR?
If you aspire to sell second homes or properties to individuals in any of the 28 European Union member countries (UK – yes, even after Brexit! – Germany, Italy, etc.), then GDPR legislation affects you. Specifically, it affects Agents and Brokers that “use” marketing services (referred to as “data controllers”), as well as service providers such as Blue Fire Group – aka My Buying Buddy (referred to as “data processors”).
What is a Data Processor?
Blue Fire Group (My Buying Buddy) is a processor and is responsible for processing personal data on behalf of a “controller”.
What is a Data Controller?
Agents and Brokers (users of the My Buying Buddy IDX CRM suite) are controllers who determine the purposes and means of processing personal data.
As a controller, you must ensure your contracts with processors comply with the GDPR.
GDPR Has Teeth
The EU regulators can impose fines of up to $24 million US Dollars or 4% of your global turnover for non-compliance.
Don’t panic. At this stage, a move towards compliance is the most constructive action we can all take!
The Impact of GDPR on IDX / CRM Real Estate Marketing
The only lawful basis that gives you the right to market to an individual is one of consent.
The best way of explaining the impact of the GDPR is to give you some tangible examples:
1. Opt In
This is probably the most important concept. It means that, as marketers, the only lawful basis that gives you the right to market to someone under the GDPR will be if they give you consent.
Most of us are used to the idea of allowing people to Opt Out. But the GDPR requires that options for signing up for your drip campaigns and newsletters must be OPT IN. What this means is that you cannot add people to your drip campaigns automatically without their permission.
2. No pre-checked boxes
You cannot have pre-checked boxes to Opt In to mailings; these must be initially unchecked so the person can explicitly check the box.
3. Granular Opt In
If you collect phone, address, and other info, you must explicitly gain consent to contact people via these methods with checkboxes for each, e.g. “May we contact you by __ Phone __ Email __ Direct Mail.”
4. Data use
You are required to be explicit about what you are going to do with a person’s information, i.e. you can’t collect their information under one pretense and then use it for another.
5. Get Verifiable Consent From Leads
You must get verifiable explicit consent (they have to opt-in) from users who wish to use your services… like your IDX / CRM Registration and Lead Capture forms and any other lead generation tool or product that collects personal information. As the data controller, the burden of proof to show that you have verifiable consent is on you – so make sure that any service you use (e.g. My Buying Buddy) supports you in this.
6. Opt Out
People need to be able to easily opt out of all emails.
8. Website Cookies
- Get explicit consent from site visitors for installing tracking cookies
- Install tracking cookies only once you’ve received consent, not before.
9. Your Technology Must be GDPR Compliant
For most Agents and Brokers, GDPR compliance issues will mainly lie with your technology vendors (e.g. Blue Fire Group / My Buying Buddy) that handle lead information for you. You will need to make it clear on your websites who those vendors are, with links to the vendors’ privacy policies.
If you have a WordPress website there are a number of GDPR Compliance Plugins that can help you get set up to be compliant.
What is Blue Fire Group Doing to Ensure GDPR Compliance?
Blue Fire Group, and My Buying Buddy IDX CRM in particular, already complies with many of the GDPR requirements.
In addition, in our role as Data Processor, we are working on other compliance items including the following, which we will have in place shortly:
Updated Privacy and Cookie Policies
My Buying Buddy Cookies
In terms of the cookies that are used by My Buying Buddy widgets in your website, many of these are seen as intrinsically part of the application and do not contain any Personally Identifiable Information (PII). In turn, these cookies don’t need any additional disclosures outside of what you’ll need for the rest of the cookies on your website.
Opt In – On Lead-Capture and Registration Forms
When a lead is deleted, all records will be removed from our servers.
We will implement a method that allows Leads to cancel their My Buying Buddy registration and delete all their information completely themselves.
Although GDPR is a European initiative, we are all obliged to take serious notice. After all, there are many Europeans who want to buy a second home in the USA – and if they use your website then GDPR applies to you.
This article is not meant to provide legal advice. If you are in the EU or target or serve people in the EU, then it would be wise to have a lawyer review what you need to do.
Blue Fire Group will be assisting you, our customers, with GDPR. We will be implementing methods over the coming days and weeks to make this easier for you.