The evolution of big data in real estate, particularly within the multifamily sector, is a tale of transformative power and complex privacy considerations. As data generated at the property level becomes increasingly more accessible to use for decision-making and operations, multifamily professionals must carefully tread the line between data-driven innovation and legal compliance. (1)
Understanding Big Data in Multifamily Real Estate
Generally speaking, Oracle defines “big data” as data that “contains greater variety, arriving in increasing volumes and with more velocity. (2)” Big data in multifamily real estate spans a broad spectrum, from granular insights into tenant demographics and leasing patterns, to overarching trends in property maintenance and the wider rental market. (3)
Data of this magnitude and detail can reveal invaluable insights, yet its handling and use can present significant legal and reputational challenges. For multifamily property owners and managers, understanding these challenges is the first step towards creating a data-driven approach that is both ethical and legally-compliant.
Ethical Concerns in Using Big Data
The utilization of big data necessitates a firm grasp of privacy laws and a deep respect for tenants’ privacy rights. Residents, and prospective residents, must necessarily provide to apartment managers certain personally identifiable information, or “PII,” to apply for housing. Personally identifiable information is defined by the U.S. government as “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (4)” While much PII is necessarily collected in order to provide residents with housing, and even to enhance their housing experience, the use of the data collected is an important consideration.
Ethical considerations worth reviewing are the rights of residents to have privacy of their personal information, the safety of resident data from security breaches, and the potential for collected resident data to be utilized to discriminate or provide less than equitable housing.
Legal Concerns in Using Big Data
Ethics aside, for ownership groups and management companies in the multifamily space the issue of legal risk is paramount. Guiding legislations in this context include the General Data Protection Regulation (GDPR) in Europe, as well as several state laws in the United States, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), Colorado’s Privacy Act (CPA) and half a dozen more. (5) These laws impose standards for businesses dealing with the personal data of residents of their respective states, covering aspects from collection and storage to usage and protection.
Any discussion of legal liability begins with a determination of whether any relevant laws apply. Privacy laws related to consumer data collection have been primarily determined by state legislatures. The challenge here for multifamily operators is the need to keep track of whether they meet the applicable thresholds in an ever growing number of states with different start dates. For instance, in California, a company is subject to CCPA if they are a for-profit entity that does business in California and meets one of the following: 1) has gross annual revenue of over $25 million; or, 2) Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices; or, 3) derives 50% or more of their annual revenue from selling California residents’ personal information. (6) Utah, Virginia, Connecticut and Colorado have similar thresholds with slight variations. (7) Only California and Virginia went into effect on January 1, 2023, whereas Connecticut and Colorado became effective on July 1, 2023, and Utah will become effective on December 31, 2023.
Adding to the complexity of tracking different state requirements and timelines are the parameters that each state has chosen for defining consumers’ rights and violations of these rights. The CCPA, for instance, gives Californians the right to know what personal data is collected, the purpose of its collection and use, and whether it will be sold or disclosed to third parties. (8) Since California’s initial release of the CCPA, significant pushback from industry has put into question practices like including employees in the pool of covered consumers and adding more onerous record keeping requirements. Virginia chose to remove many of the more controversial of California’s requirements in its privacy act, permitting companies to rely upon current business practices for tracking and monitoring. (9)
While violations of relevant state statutes can result in stiff financial penalties, so far no state has permitted consumers to sue businesses directly for violations outside of data breaches. Still, reputational risk alone for failure to comply with privacy laws for resident data makes it critical for multifamily property owners and managers to incorporate compliance into their data practices.
Legal Case Studies: The Impact of Collecting Resident Data
The consequences of potential data misuse become starkly evident when looking at real-world legal cases. In New York, a property management company was sued by five residents for allegedly using smart lock systems to collect biometric data from tenants without their explicit consent. While not delivering any legal precedent, the case drew significant attention and underscored the legal and reputational risks associated with privacy violations. (10)
In Europe the GDPR requirements have been aggressively enforced resulting in significant fines for non-compliance. A real estate company in Germany faced a 14.5M euro (nearly $16 million USD) fine under GDPR for insufficient data retention policies. (11) This enforcement actional served as a stark reminder of the global nature of data protection laws and the severe repercussions of non-compliance.
In another significant case, Patel v. Facebook Inc., the Ninth Circuit in California ruled that Facebook users could sue the company over its use of facial recognition technology. (12) Facebook settled in 2020 with a $550 million payout to Illinois residents who were subject to the company’s violation of the Illinois Biometric Information Privacy Act (IPBPA). While this case didn’t directly involve multifamily property management, it highlights the growing scrutiny around collecting personal data and its potential implications for owners and managers in multifamily settings.
Best Practices for Multifamily Owners and Managers
Multifamily owners and managers can navigate these legalities through the adoption of key best practices for resident data. First, they should discuss and implement a plan around informed consent from tenants before collecting and using their data. This requires clear and comprehensive communication about data practices, as stipulated under laws like CCPA and GDPR.
Maintaining updated privacy policies that reflect changes to an owner or operator’s use of data can also address the potential for liability. Google updated its privacy policy on July 1, 2023, inserting a key clause that changes how it collects data from its users for the development of its artificial intelligence (AI) tools. The updated privacy policy allows use of publicly accessible information in AI creation, which means anything posted online will now become part of the company’s AI products. (13) Recent lawsuits by artists and public figures are challenging the use of their work that appears in the public domain to train large language models (LLMs) as copyright infringement.(14) The status of these cases adds to the uncertainty around the monetization of public data. For added safety, multifamily operators may consider employing techniques such as data anonymization and encryption to safeguard tenant data from the risk of security breaches.
At a minimum, multifamily owners should try to stay abreast of technological advancements and continuously update their data handling protocols accordingly. For instance, as smart home technologies become increasingly prevalent in multifamily settings, owners must be mindful of the legal considerations related to biometric data.
The Future of Big Data and Privacy in Multifamily Real Estate
Looking towards the future, it’s clear that big data will continue to be a driving force in multifamily real estate, further underscoring the relevance of related legal concerns. It’s therefore crucial for multifamily operators to stay updated with evolving data protection laws, technological advancements, and tenant expectations.
To this end, it’s worth noting the proposal of new privacy laws such as those in Oklahoma, New York and Massachusetts, which indicate a trend towards “opt-in” requirements for companies to sell consumers’ data as well as other significant consumer data protections. (15) Navigating this dynamic landscape will require a commitment to continuous monitoring and adaptation.
Conclusion
Navigating the intersection of big data and legal considerations in multifamily real estate is a challenging yet vital task. As multifamily professionals harness big data to fuel their performance and enhance operations, they must ensure strict legal compliance to protect tenant rights and their own business interests. This delicate balance, while complex to achieve, is the linchpin of secure, compliant, and sustainable communities.
(2) “What is Big Data?,” Oracle.com (2023).
(4) “Which States Have Consumer Data Privacy Laws,” Bloomberg, June 24, 2023.
(5) Glossary: Personally Identifiable Information, CSRC.nist.gov.
(6) “States’ long-awaited data privacy laws are going into effect,” Axios, Jan 2023.
(7) California Legislature. (2018). California Consumer Privacy Act. CA.gov.
(8) Utah Legislature. (2022). Utah Consumer Protection Act. Utah requires $25 million in revenue and: (1) controls or processes personal data of 100,000 or more consumers; or (2) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Colorado Legislature. (2021). Colorado Privacy Act. coag.gov. Colorado law applies as well to for-profit and non-profits who process the personal data of more than 100,000 individuals in any calendar year; or derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
Virginia Legislature. (2023). Consumer Data Protection Act. Virginia applies to entities who control the personal data of at least 100,000 consumers in a calendar year or at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
Connecticut Legislature. (2022). Connecticut Data Privacy Act. portal.ct.gov. Connecticut applies to companies who control or process the personal data of at least (1) 100,000 Connecticut consumers (excluding data processed solely for processing payment transactions); or (2) 25,000 Connecticut consumers and derive over 25% of their gross revenue from the sale of personal data.
(12) Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019).
(13) “Google could use public data for AI training, according to new policy,” Mashable, July 4, 2023.
We invite you to subscribe to our newsletter for updates and industry news.