At Apartment List we take our privacy obligations seriously and are committed to complying with the California Consumer Privacy Act in advance of the January 1 effective date. We’d like to support clients through their compliance journey by sharing guidelines and best practices about how to meet their own legal obligations:
- Inventory of Data Practices. Businesses should take an inventory of the categories of personal information collected, the purposes of that collection, and the companies with which it shares the information. The collection of information should be reasonably necessary and proportionate to achieve the purpose of the collection, or it should be compatible with the original purpose. At Apartment List, as part of our process of identifying ways to only receive data that is reasonably necessary to operate our business, we have been moving our clients who share move-in data in a manual format to our API approach. Our API approach provides a more secure method for transmitting personal information and allows Apartment List to purge non-matched data in a more expedient manner.
- Displaying a privacy policy at or before the point of collection. Businesses need to display a privacy policy to its California customers at or before the point of collection of information. The policy needs to disclose to consumers the categories of personal information collected (both online and offline), the sources of that collection, the uses of that information, and the third parties to whom the client shares that information. Businesses that do not have a website must make an offline privacy policy available to California consumers.
- Consumer Rights to Deletion, Know, and Portability. A California resident has the right to request from you: (1) the deletion of his/her personal information that you have collected, (2) the categories of information collected, the categories of sources, the purposes of collection, the categories of third party recipients of his/her information, and the specific pieces of personal information that you have collected on him/her, and (3) a copy of his/her personal information in a format that is easily copied and ported.
- Two Methods to Exercise Rights. Businesses must provide California consumers at least two methods for exercising their rights. Businesses must provide at a minimum a toll free telephone number to consumers, unless the business exclusively operates online, in which case an email address is sufficient. If the business operates a website, the business must also make the website available to consumers to submit requests for information (e.g., via a web form that a consumer can fill out and submit).
- Contracts with Service Providers. Businesses that share personal information of its California consumers with third parties, should evaluate which third parties are service providers. In accordance with the CCPA, the business and the service provider should enter into a written contract limiting the service provider’s uses of the personal information.
- Evaluating Security. Businesses should evaluate their security practices to ensure that they have implemented and maintained reasonable security procedures and practices that are appropriate for the type of information collected. California consumers may institute a civil action for certain security breaches.
- Do Not Sell Opt-Out Right. Businesses that “sell” personal information of California consumers have additional obligations under the CCPA, including prominently displaying a link to “Do not sell my personal information” and providing consumers the right to opt out of the sale of their personal information.
Please note, the information provided above does not constitute legal advice. You should seek professional legal advice where appropriate. To discuss how to partner with Apartment List in connection with your data and privacy practices, please contact your Client Success Manager or Sales Representative. We appreciate your continued trust and partnership with Apartment List.