EDITOR'S NOTE: This article was written in September of 2004

Terrorism, computer hacking, identity theft, consumer privacy rights and legislation are directly affecting the way all businesses, including the real estate industry, gather, store and access data. My question to you is: Are we as an industry willing to institute processes which elevate the security of the consumer’s information and practices which provide some legal protection from liability?

From the risk management perspective, it is time to be ready, willing and able to conspicuously safeguard one of your most valuable assets- your information. Legal compliance as well as general safety of all client, prospect, member, employee and even vendor information is something to be added to your business processes before disaster strikes.

The moment is here whether you are aware of it or not: Privacy protection is a business imperative.

Do you do business with any California residents? How about folks in New York or New Jersey? These states are leading the struggle to protect consumer (that’s you and me too!) information. They have either enacted or are in the process of putting into law specific requirements for online privacy practices to protect consumers because there is no national standard in the United States. The bad news is that each state will have its own compliance requirements which may or may not be the same as other states. It’s a risk management migraine in the making, but it’s the way it is right now.

Even though your office is in say, Milwaukee, you cannot safely assume that Californians are not visiting your website. Can you really be sure no one who lives in San Francisco looks at your website listings while dreaming of a different lifestyle and lower mortgage payment?

The California Online Privacy Protection Act of 2003 (COPPA) was effective July 1st this year. It requires owners of commercial Internet websites or online services that collect personally identifiable information (“PII”) from California residents to conspicuously post their privacy policies on their website; identify the categories of PII collected; identify the categories of third parties with whom you share the PII; if any, describe how your website visitor can review and change their PII; describe how you will notify visitors of material changes to your privacy policy; and state the effective date of your privacy policy. In New Jersey, pending legislation adds the requirement to provide a simple online process for a visitor to consent to or limit disclosure of PII for unrelated purposes and an obligation to maintain confidentiality, security and data integrity procedures. The California law opens up website operators to civil suits when they fail to comply with their own privacy policies. The New Jersey legislation says violations are $7,500.00 for a first offensive and up to $15,000.00 for subsequent offenses. They are serious.

Even if you already have a privacy policy, it is worth little if you do not comply with the law and have well-developed practices in place that match your stated policy, a.k.a. putting your procedures where your policy is. A good place to start navigating the implications of these new online privacy laws is to sit down with everyone in your organization who deals with client, prospect or consumer data. Find out what your actual current practices are and then implement the particular privacy protocols and best business practices model into your organization.

Darity Wesley is CEO and Legal Counsel for Privacy Solutions, Inc. a San Diego based consulting firm. Her team of Privacy Gurus® work with you to create policies and procedures to establish the expectation of privacy for your members, clients, customers, prospects, affiliates, associates, employees and vendors. You can reach her at (619)670-9462 or Darity@privacygurus.com