Special offer

NAR Weighs in on GDPR and What it Means To You!

Real Estate Agent with The Gasset Group & Get It Done For Me Virtual Services 13253167-SA00

Here we are in the last weeks before enforcement of GDPR go into motion. NAR legal counsel has come out with their advice for every real estate agent and every broker. 


I don't like it anymore than you do. But it is here. It is part of erroneous regulations and soon this will be coming to America. 


In fact, the United States congress is already writing different bills to regulate more of the internet, more of what you can and can not do on your own websites. 


But I digress... 


I wrote the first post about GDPR and what it is here. 


Let me make this perfectly clear as per the attorneys- the GDPR is able to enforce this regulation because they are not saying United States websites have to obey. Instead, they are saying that YOU have to obey no matter where your website or company is located IF you get any EU citizens that visit your website. 


This also does not cover just EU citizens, it includes ALL economic areas in those areas, which includes Britain and Romania and many other countries. 

Then Jerry Newman asked about it again and I answered in great detail.  I read all the comments and discovered most agents don't have a clue about GDPR and really don't even care. I wish I could "not care" too. Unfortunately, there are always unintended consequences from regulations.  


But even worse, I visited a lot of the websites of those agents in the comments to discover 90% of them are not even FTC compliant! You have to be FTC compliant no matter who you are if you have a website in the United States. I will cover more of this another day.


Also, on most of the websites I visited, they were not even compliant for California resident regulations. There are two laws passed in California that contain regulations that must be on websites from owners in California or for websites outside of California but have traffic from California going to it. 


Let's get on with GDPR and how it effects you since enforcement starts on May 25. Since I wrote that post I have been to about 11 webinars from attorneys in the EU and in the United States.


You can listen to a U.S. attorney on Amy Porterfield's podcast here:



I am NOT an attorney and I don't play one on TV. This is not legal advice. Please see your attorney!


There are myths, threats, and a lot of misinformation floating around the internet and ActiveRain, etc.  


Now I will give you some opinions of some attorneys:


If you have a website here in the United States and maybe you live and work in Kansas. You are highly unlikely going to get website traffic from the EU unless you live in a town in Kansas that shares the same name as a town in the EU. In this case, you may simply BLOCK all traffic from the EU and their participating countries.


You would block ALL unknown IPs and EU IPs. You can also put a notice on your website that your website is NOT intended for citizens of the EU, in case you get an EU citizen visiting here in the United States and happens upon your website.  


But if you own a website in California, Illinois, Florida, New York, New Jersey, Washington state, and any other state that gets foreign buyers from the EU... then you need to pay attention.


I am all for the sovereignty of our nation and our laws. This has nothing to do with my views on overreach of regulators. My concern is keeping our sites safe from predator attorneys and complaints made by EU citizens.


The main change is that the GDPR is changing the internet from being an "OPT OUT" system to an "OPT IN" system.  We think of people who visit our website as visitors and we don't have an obligation to a visitor until they Opt In to listing alerts or leaving a review or a comment, or signing up for your newsletter. But GDPR covers ALL personal data which includes the IP address!! The IP address alone is considered personal data.


IF you are using Google Analytics, Market Leader, Wordpress contact forms, plugins that can see or use data, CRM cookies, etc.... if you have any of this on your website - you are now being held accountable for each IP address from the EU and their joining countries. So if you think that by having a secure website because you have SSL, that is not good enough.


The way we have always used the internet was that when we visit a website it is assumed we will be tracked, cookied, etc and that we have a privacy policy in place. But this new regulation does away with the assumption and implied consent. Now you must let people know as soon as they land on your website how you are using their data. They need to expressly give you permission to do so by clicking a button or something like that on your website.


If they fill out a form of any kind on your website, those forms must comply. 


You must be able to comply with the part of the rule that talks about the "Right to be Forgotten". You must remove all of their data through anything, your email list, your IDX list, your vendors, your paperwork, your docusign documents, etc.


You can create a gate on your website and have a box that asks it to be checked if they are from the EU. 


GDPR overview: European residents' new rights

  • The "right to be forgotten," which allows EU residents to ask that their personal data be removed from online depositories. This means you need to know how to locate data you store about web visitors and customers – including passively collected data like cookies and IP addresses used for analytics – and how to delete it.
  • The "right of access" dictates that businesses must confirm whether they store data about a particular consumer if that consumer asks.
  • The "right of rectification" gives consumers the ability to review their data and request corrections if the data is wrong.
  • The "restriction of processing" allows consumers to give you permission to store data, but they can ask businesses not to use it in any way.
  • The "right to data portability" allows consumers to request to see the data you have on them without asking for it to be deleted.



The NAR legal counsel says: http://realtormag.realtor.org/daily-news/2018/04/25/how-comply-new-data-security-rules



Here is the video from NAR on GDPR compliance:









Posted by

Never miss an important post- follow me on my ActiveRain Blog 

In real estate we service Utah County, Salt Lake County, Wasatch County, Tooele County. This includes many towns and cities. Some of which are: Provo, Orem, Salt Lake City, Draper, Springville, Spanish Fork, Payson, Lehi, American Fork, Vineyard, Saratoga Springs, Eagle Mountain, Pleasant Grove, and more. 

Katerina Gasset is a real estate agent who is also a digital marketing strategist, website designer and consultant for real estate brokerages, agents, entrepreneurs and small business owners. She is also the owner of Get It Done For Me Virtual Services. 

Katerina is a Certified AI Marketing Specialist. She can help you with ChatGPT, Content at Scale, Neuronwriter, prompting, and many other AI tools. 

She develops products and online courses to empower real estate agents to reach their marketing, SEO, social media and branding goals. Katerina Gasset is a blogger, author, podcaster, and keynote speaker.  

Text Katerina with your name + number to work with her:



Kate McQueen
Realty Associates Texas - Cypress, TX
Tailored service for your real estate needs!

It will be interesting to see what happens in DC this week.  Fortunately, my website platform is the Houston Association of Realtors, and they will have to ensure the platform is compliant.  This will be particulary difficult for agents that specialize in international transactions and clients.  The Houston area is a prime relocation city for home buyers coming from abroad.

May 15, 2018 10:01 AM
Katerina Gasset

Yes, the HAR will have to be totally compliant, they are a bigger company which are the ones that the EU will be looking at first. It matters. And yes, you can't block EU visitors since you have too many foreign buyers going to Houston. I know the area well. Nestor was a realtor there for 5 years too. Just make sure your template subsite of theirs is controlled by them and that they are the controller, not you. That you are not even a processor. If you are either the controller or the processer, than this applies to you individually too. So if you collect ANY leads, this applies to you. This does not mean just the internet, this is off line too. 

May 15, 2018 02:08 PM
Anna "Banana" Kruchten
HomeSmart Real Estate - Phoenix, AZ

I'm agree with Liz and Bill Spear on this issue.....it sounds ridiculous that they can sue people outside of their country and jurisdicition just because we don't follow their laws. I highly doubt it would go the other way.....just saying.

May 15, 2018 10:50 AM
Katerina Gasset

Isn't it ironic that the U.S. wants our laws and judgments to be upheld in other countries ( extraditions, etc), and the U.S. does not have clean hands. The IRS forced their hand on foreign banks and told them that they had to do special reporting of expats. This leads to more expenses for the banks, so the unintended consequence was that banks like Deutch Bank made a policy to NOT open accounts for expats and to close current expats bank accounts. This really hurt expats ability to even pay their bills overseas. Some of these people were even working for U.S. companies. This did not go too well over there. There has always been since before WW1 a lot of meddling. So It does not surprise me that the EU wants the same afford. 

But people sue other people all over the world in international courts, which I Don't see how that is even constitutional. 

Here I found this on a legal site: ":....have clients that are trying to protect their rights in Florida, when they are living in Russia. Nowadays, even depositions can be taking using Skype or other available means and Interrogatories stamped by the U.S. Embassy..."

I think they would hire an attorney here but the GDPR has legal language about enforcing the regulations on any website or company anywhere in the world ( except of course some middle east or african countries). 

But any foreigner can file a law suit in a U.S. court. 

(GDPR), the new rules place heavy fines for violations — up to €20 million or 4 percent of global revenues, whichever is higher. 

How does an EU regulator fine a U.S. company under an EU law that has no analogue in the U.S.? 


Simple: They do it with authority, jurisprudence, and the aid of international law. 







May 15, 2018 02:25 PM
Mike McCann Nebraska Land Broker
Mike McCann - Broker, Mach1 Realty Farm & Commercial Land Broker-Auctioneer Serving Nebraska - Kearney, NE
Farm & Commercial Property For Sale 308-627-3700

I am...not fazed...by anything coming from anywhere. I do not collect data...and I am confident that my career will be long over before they waste their time trying to get any money out of me.  Of course...I always relish a good scrap now and then...so if it is sooner than later...bring it on...I may be a small company...but that does mean I can't pull a David out of my hat versus Goliath...been doing it all of my life.  relax...and have a bottle of wine....maybe we should all get together at Endre's!

May 15, 2018 11:09 AM
Katerina Gasset

Yes, it may be awhile before they come after the little guys. I am sure there are plenty of big deep pockets to keep them busy for a while. :) Plus they will give you chance to change your website before they fine you. 

May 15, 2018 02:27 PM
Nick Vandekar, 610-203-4543
Realty ONE Group Advocates 484-237-2055 - Downingtown, PA
Selling the Main Line & Chester County

Love Endre Barath, Jr.'s advice. Have to check m,y website provider and hoster to see if they are abiding by these rules.

May 15, 2018 01:03 PM
Katerina Gasset

Nick & Trudy Vandekar, 610-203-4543  Remember that you are the controller and your website provider and host are vendors or processors and do so technically under your direction. You are the one ultimately responsible for every IP that visits your website. So much for personal responsibity of individuals - seems to be the way the world keeps moving. 

May 15, 2018 02:30 PM
Katerina Gasset
The Gasset Group & Get It Done For Me Virtual Services - Provo, UT
Amplify Your Real Estate & Life Dreams!

I have a few more updates based on comments. Here is a site I found that does a very good job with their privacy page: 


This gives you an idea of how in depth this goes. 

Also, even if your website technically belongs to your MLS, Market Leader, Commissions Inc, the realtor association, etc. 

 This does not absolve you of GDPR. 

GDPR includes off line marketing and online marketing, It includes your leads. If your broker sends you a lead via your email, you are not bound by GDPR. No matter what, if you have any contact with other people as leads - or customers- or subscribers or buyers---- you are bound by GDPR. 

May 15, 2018 02:11 PM
Diana Dahlberg
1 Month Realty - Pleasant Prairie, WI
Real Estate in Kenosha, WI since 1994 262-308-3563

I feel like this is totally above my pay-grade.  I'm a little fish in this big ocean ... and am not even sure if EU is an issue for me. Ugh ... 

May 15, 2018 05:53 PM
Katerina Gasset

Don't ignore it for long. Start making small steps towards compliance. The bigger point is that the U.S. congress is already working on something for U.S. UGH!!!!

May 15, 2018 09:52 PM
Gabriel Gross
RealBird, Inc - Redwood City, CA
More leads, more exposure, more $s with RealBird

Don't forget about dual citizens (U.S.+ EU)  they are also protected under GDPR. Which makes it tricky for you because how would you find out.

Which makes me fear that a new breed of predatory attorneys may emerge to profit from this legislation.

And I would be curious, why did NAR wait till April 25, just 1 month before the deadline to come out with their opinions?

May 15, 2018 06:01 PM
Katerina Gasset

Gabriel Gross  Thank you for adding this. You are right! I am most concerned with predatory attorneys. Also, it covers more than just the EU, even countries like Romania are covered. 

NAR was too busy designing an ugly new logo that they ended up scrapping after the feedback they received over how  terrrible it was. hehehe 

May 15, 2018 09:52 PM
Jocelyn Ucedo

I was just thinking about this as well. You may have people just searching online for non compliant websites to start some drama!

May 29, 2018 02:50 PM
Victoria CB Trees
Victoria CB Trees Real Estate Services - Chiloquin, OR
Principal Broker

Great post!  I can see it now... a whole new avenue for "ambulance chasers" to hold us up for our measly earnings even if our web host stores info without our knowledge.  Sigh.

May 15, 2018 06:18 PM
Katerina Gasset

Victoria CB Trees I can see the nasty threatening letters already! It is the thing I worry the most about. Just like what happened with the Patent scalpers. 

May 15, 2018 09:50 PM
Fred Griffin Florida Real Estate
Fred Griffin Real Estate - Tallahassee, FL
Licensed Florida Real Estate Broker

 Thanks for the link to https://www.agorapulse.com/privacy-policy .  That is very comprehensive.

May 15, 2018 07:16 PM
Katerina Gasset

You are welcome Fred Griffin 

May 15, 2018 09:49 PM
Kimo Jarrett
Cyber Properties - Huntington Beach, CA
Pro Lifestyle Solutions

GDPR according to my resource applies to any business that collects, stores or processes the information of EU residents, regardless of whether that business is geographically located only in the U.S. or anywhere outside of the EU. Seems like the solution regarding a website is simply not collect, store or process the information of EU residents, which could be easily programmed with country phone code or address and opt-in disclaimer for anyone residing in the EU, don't you agree? 

May 15, 2018 07:59 PM
Katerina Gasset

Kimo Jarrett I wish it were that simple, but it is not. The issue is that there are people who block their IP addresses All EU IP addresses are now considered private data. How ignorant and what a burden that is on small business owners. The other thing is that it protects the EU citizens no matter what country they are in. So while blocking them is a start for agents in states that rarely get traffic from the EU, it won't help for those already living here. 

May 15, 2018 09:49 PM
Nathan Gesner
American West Realty and Management - Cody, WY
Broker / Property Manager

Every time a new regulation is created, an attorney gets his horns...I mean, wings. This will have the greatest impact on the small people just trying to make an honest living.

May 15, 2018 09:37 PM
Katerina Gasset

Nathan Gesner  So true!!! I can not stand the way they make a mess of everything. They write laws that we need to hire more attorneys for to disect, etc. So sick of it! 

BTW- I just noticed (sorry for my not noticing before) you are in Cody! What a great town that is!!! Not as wonderful as Jackson Hole which is Heaven on earth :) but still, I love visiting Cody! 

May 15, 2018 09:46 PM
Debbie Gartner
The Flooring Girl - White Plains, NY
The Flooring Girl & Blog Stylist -Dynamo Marketers

This is such a pain in the butt, and there are soooo many confused bloggers and people out there (as well as conflicting info).  I agree w/ Bill's comment, but while I find this ultra annoying, I'm doing my best to adapt.  I listened to Amy Porterfield's webinar last week and I have to say it was the clearest thing I seen out there.


This week is implementation week for me.  Last week I deleted EU/unknown contacts (I haven't been using my email list for a year and a half anyway - long story), so that wasn't a loss.  Trying to adapt all my email list/opt-in forms/lead magnets.  Tried to do yesterday and ran into some technical issues, but hopefully I will get this figured out by Sunday as I need to move on and work on other business items.  Oh, and the privacy policy.


There's also something w/ GA that I think may need to be done.  Not sure what it is.  It pops up every time I'm in GA, so need to figure that out, too.  Or, if you know what I should do within GA, let me know.  (obviosly I need to include within Privacy policy).

May 16, 2018 04:47 AM
Katerina Gasset

Debbie Gartner  I know, a royal pain. And I will be last minute on getting it done. 

I know about Califonia's but not GA. 

I think you are on the right track. Too bad it takes away from generating leads, etc. :( 

May 16, 2018 01:57 PM
Jerry Newman
Brown Realty, 210-789-4216, - San Antonio, TX
Texas REALTOR, San Antonio Military Relocation

Hi Katrina. Thanks for the Mention and your very detailed information on GDPR. It certainly has to be a concern for all real estate agents who have websites and blogs on the Internet. I am looking at my websites from Market Leader and Superlative, and all my blog sites too. What is your recommendation for our Active Rain site?

May 16, 2018 05:39 AM
Katerina Gasset

Jerry Newman You are welcome. Market leader has a pretty good privacy policy but still lacking a few things, which remember, they are in Canada not the EU. ActiveRain will have to change out their privacy page and terms and disclose that they are collecting data. Our own personal blogs on AR - are a bit different. But we are still liable if some lead emails us through the AR system. 

May 16, 2018 02:05 PM
Jerry Newman

Working on your suggestions, Karterina. I need a form for my other blogs and websites. 

May 17, 2018 07:56 AM
Gary L. Waters Broker Associate, Bucci Realty
Bucci Realty, Inc. - Melbourne, FL
Eighteen Years Experience in Brevard County

This is the kind of stuff that makes me glad to be retiring from real estate effective July 1, 2018 and becoming only a referral agent!

May 16, 2018 06:51 AM
Katerina Gasset

I hear ya!!!!!! Gary L. Waters, Broker Owner, Waters Realty of Brevard, LLC 

May 16, 2018 01:57 PM
John Wiley
Fort Myers, FL
Lee County, FL, ECO Broker, GRI, SRES,GREEN,PSA

I am so glad someone has finally posted some relevant information on GDPR.

I have been reading about this for several weeks and there has been little discussion about it.

There is a lot of work that needs to be done so that we know we are protected.

The Ostrich approach will not protect.

Thanks for getting a discussion going.

I hope we will all continue to share as new information emerges.

May 16, 2018 08:52 AM
Katerina Gasset

Thank you John Wiley There is a lot of work to do! YIKES! and I am behind! 

May 16, 2018 02:07 PM
Nancy Hilburn
CJR Tri-Lakes, REALTORS - Branson, MO

This is a great article and I appreciate your efforts in helping us be informed, but it was lacking in one area.  Since this is the first I've heard of GDPR, it would've been nice if you had somewhere in this article spelled out what that stood for.  I Googled it and found it is General Data Protection Regulation plus EU stands for European Union.  Please don't use abbreviations and just assume everyone reading your info knows what it is.  Spell it out the first time it's used, then use the abbreviation!  Thanks!

May 16, 2018 09:21 AM
Katerina Gasset

I did not spell it out since it really did not matter to me what it stands for. Regulation is regulation no matter how they want to name it. Sorry about that. Nancy Hilburn 

May 16, 2018 01:59 PM
Anna Hatridge
R Gilliam Real Estate LLC - Farmington, MO
Missouri Realtor with R Gilliam Real Estate LLC

Wow, 2018 is going to be an exciting year indeed.  Just when I think I have a handle on the online arena everything changes! 

May 16, 2018 09:50 AM
Katerina Gasset

Anna Hatridge  Fred is right, we all figured we had a good 20 years from the 1990's before the internet would become regulated. Not fun at all. 

May 16, 2018 02:07 PM
Sheri Sperry - MCNE®
Coldwell Banker Realty - Sedona, AZ
(928) 274-7355 ~ YOUR Solutions REALTOR®

Hi Katerina Gasset - I read your first article when it posted. The next day I sent it to the people who run my website and got no help from them. 

I realize this dramatically affects your business but I do appreciate you making us aware of it. 

BTW - My daughter-in-law sells on Etsy and has found that traffic has dropped from 100's of clicks a day to about 3 clicks a day.  I told her what I think was happening. She does not sell anything across the pond but her sales have dropped probably because of an algorithm change.

May 16, 2018 12:56 PM
Katerina Gasset

Sheri Sperry - MCNE® Which algorithm change, the one Etsy is doing or the one Google is doing? I think that is so sad! I am so upet! This is precisely what hurts the small solopreneurs and moms trying to just make a little extra at home, etc. It is so annoying. I think her traffic dropped because of the changes to the data collecting. While it only applies to EU citizens, companies like Etsy are not going to separate the EU citizens from the rest of their traffic, so they are getting rid of a lot of search terms and search signals for keywords. So terrible! It does not hurt a private party it actually is beneficial to them since we are then only serving up the things they specifically are searching for. 

May 16, 2018 02:02 PM
M.C. Dwyer
Melody Russell Team at eXp Realty of California, Inc. - Felton, CA
MC Dwyer-Santa Cruz Mountains Property Specialist

ug.   saw the NAR video.    so ridiculous.   thanks for shedding more light on a dumb task on which all of us entrepreneurs have to spend our precious time, energy and money.

May 17, 2018 09:06 AM
Katerina Gasset

So agree! M.C. Dwyer 

May 19, 2018 09:38 PM
Jocelyn Ucedo
Punta Cana Lifestyle Real Estate - Punta Cana, DR
Punta Cana Golf & Beach Resort Properties

My real estate website is with Point2, I have written about this and have not received an answer. If they are not GDPR compliant what can we add to our website? We have no access to modify the lead capture.

May 29, 2018 02:52 PM
Katerina Gasset

And this is a problem when you are at their mercy. 

Since they are a Canadian company they may not be adhearing to the regulations. They have their own in Canada. 

I would create a policy page on your point 2 site at least. 

Check my other featured post that has some more info on it. 

May 29, 2018 06:46 PM