Here we are in the last weeks before enforcement of GDPR goes into motion. NAR legal counsel has come out with their advice for every real estate agent and every broker.
I don't like it any more than you do. But it is here. It is part of erroneous regulations and soon this will be coming to America.
In fact, the United States Congress is already writing different bills to regulate more of the internet, more of what you can and cannot do on your own websites.
But I digress...
I wrote the first post about GDPR and what it is here.
Let me make this perfectly clear, as per the attorneys: the GDPR is able to enforce this regulation because they are not saying United States websites have to obey. Instead, they are saying that YOU have to obey no matter where your website or company is located IF you get any EU citizens that visit your website.
This also does not cover just EU citizens; it includes ALL economic areas in those areas, which includes Britain and Romania and many other countries.
Then Jerry Newman asked about it again and I answered in great detail. I read all the comments and discovered most agents don't have a clue about GDPR and really don't even care. I wish I could "not care" too. Unfortunately, there are always unintended consequences from regulations.
But even worse, I visited a lot of the websites of those agents in the comments to discover 90% of them are not even FTC compliant! You have to be FTC compliant no matter who you are if you have a website in the United States. I will cover more of this another day.
Also, most of the websites I visited were not even compliant with California resident regulations. There are two laws passed in California that contain regulations that must be on websites from owners in California or on websites outside of California that have traffic from California going to them.
Let's get on with GDPR and how it affects you since enforcement starts on May 25. Since I wrote that post I have been to about 11 webinars from attorneys in the EU and in the United States.
You can listen to a U.S. attorney on Amy Porterfield's podcast here:
I am NOT an attorney and I don't play one on TV. This is not legal advice. Please see your attorney!
There are myths, threats, and a lot of misinformation floating around the internet and ActiveRain, etc.
Now I will give you some opinions of some attorneys:
If you have a website here in the United States and maybe you live and work in Kansas, you are highly unlikely to get website traffic from the EU unless you live in a town in Kansas that shares the same name as a town in the EU. In this case, you may simply BLOCK all traffic from the EU and their participating countries.
You would block ALL unknown IPs and EU IPs. You can also put a notice on your website that your website is NOT intended for citizens of the EU, in case an EU citizen visiting here in the United States happens upon your website.
But if you own a website in California, Illinois, Florida, New York, New Jersey, Washington state, and any other state that gets foreign buyers from the EU... then you need to pay attention.
I am all for the sovereignty of our nation and our laws. This has nothing to do with my views on overreach of regulators. My concern is keeping our sites safe from predator attorneys and complaints made by EU citizens.
The main change is that the GDPR is changing the internet from being an "OPT OUT" system to an "OPT IN" system. We think of people who visit our website as visitors and we don't have an obligation to a visitor until they Opt In to listing alerts or leaving a review or a comment, or signing up for your newsletter. But GDPR covers ALL personal data which includes the IP address!! The IP address alone is considered personal data.
IF you are using Google Analytics, Market Leader, WordPress contact forms, plugins that can see or use data, CRM cookies, etc., and you have any of this on your website, you are now being held accountable for each IP address from the EU and their joining countries. So if you think you have a secure website because you have SSL, that is not good enough.
If they fill out a form of any kind on your website, those forms must comply.
You must be able to comply with the part of the rule that talks about the "Right to be Forgotten". You must remove all of their data from everything: your email list, your IDX list, your vendors, your paperwork, your DocuSign documents, etc.
You can create a gate on your website with a box that asks visitors to check it if they are from the EU.
GDPR overview: European residents' new rights
- The "right to be forgotten," which allows EU residents to ask that their personal data be removed from online depositories. This means you need to know how to locate data you store about web visitors and customers – including passively collected data like cookies and IP addresses used for analytics – and how to delete it.
- The "right of access" dictates that businesses must confirm whether they store data about a particular consumer if that consumer asks.
- The "right of rectification" gives consumers the ability to review their data and request corrections if the data is wrong.
- The "restriction of processing" allows consumers to give you permission to store data, but they can ask businesses not to use it in any way.
- The "right to data portability" allows consumers to request to see the data you have on them without asking for it to be deleted.
The NAR legal counsel says: http://realtormag.realtor.org/daily-news/2018/04/25/how-comply-new-data-security-rules
Here is the video from NAR on GDPR compliance: