2023 Q4 Compliance Update

NAVIGATING DATA SUBJECT ACCESS REQUESTS

In this recurring blog series, Entrata will review the latest compliance information for you to help ensure you are in the loop and don’t fall out of compliance and are prepared for upcoming deadlines. However it is important to note, the information contained herein is general in nature and is not intended to provide, or be a substitute for, legal analysis, legal advice, or consultation with appropriate legal counsel. You should not act or rely on information contained in this document without seeking appropriate professional advice.

As the data privacy regulation sphere continues to grow in the U.S., businesses are seeing more states adopting data privacy legislation, with many already in effect (California, Colorado, Virginia, and Connecticut) or quickly approaching their effective dates (Utah, Texas, Oregon, Montana, and Florida). With so many changes in such a new space, Entrata understands the importance of staying up to date and educated in the data privacy landscape, with a relevant topic in the multifamily housing industry being Data Subject Access Requests (“DSAR”). Through state privacy regulation, end users (i.e., past, future, and prospective residents) are being granted consumer rights that allow them to have control and visibility over the personal information that they share with businesses. These businesses must now comply with ensuring consumer rights, by reviewing and processing DSARs. It’s important to understand the role our clients, and Entrata, play in this process in order to have a better understanding of this process. Entrata has created a workflow to assist our clients with the DSAR process. In addition, this article will address some key questions and topics that often come up.

Defining the important terms of data privacy regulation is important. The defined terms differ from state to state and, although definitions may vary slightly, the general concept of controller and processor is used throughout this article. Entrata clients are considered controllers of a consumer’s personal data. This means that a tenant/end user agrees to provide their personal data to an Entrata client and an Entrata client is responsible for obtaining consent for the processing from that end user. Additionally, Entrata is a processor in terms of data privacy regulations. As a processor, Entrata processes personal information on behalf of a controller. Any action Entrata takes regarding personal data is on behalf of and at the direction of the controller.

Entrata’s role as a processor affects our role in the DSAR process. Though the data subject access request landscape is still evolving, Entrata has kept a close eye on these changes to keep up to date on the best way to handle these requests while also making the process seamless for our clients. Here’s what you need to know about Entrata’s role in handling data subject access requests, and how Entrata is working to improve the process.

Requests submitted by an end user go directly to you, the client.

Because of Entrata’s client’s role as a data controller, all requests from a consumer must be directed towards clients and not Entrata. Processors (Entrata) are not permitted to act on these requests on behalf of a client because a processor does not ultimately control the data. To help clients fulfill these requests, Entrata has created a Privacy Dashboard within the Entrata Privacy Management tab/section on the Dashboard for permission-enabled client users to review, submit, and take action to finalize these requests. This dashboard can be accessed by clicking the Approvals tab and selecting Privacy Management.

Please note that if a client has their own channels for end users to submit DSARs, they can turn Entrata’s DSAR process off through a specific property, then completing the following steps: Properties > General > Policies > Privacy Requests > Edit.

Requests are viewable in a client’s Privacy Management tab located on the dashboard.

All types of DSARs are viewable under the Privacy Management tab on a client’s dashboard, the Privacy Management tab. For assistance in navigating this workflow, please see the detailed instructions on how to navigate to your Privacy Management tab and review any pending requests, via our article in the Entrata Help Center: Creating and Managing Data Privacy Requests. This can be accessed through Knowledge Base > Entrata Setup > Dashboard > “Creating and Managing Privacy Requests (Admin).

Types of Data Subject Access Requests.

Consumers have been granted several rights through data privacy laws around the country, mainly being: right to access, right to know, right to delete, right to correct, and right to portability. Currently, the two most common requests made by end users are right to delete, and right to know. On the privacy dashboard, three options will populate: deletion requests, information requests, and other.

Deletion requests involve the permanent anonymization of an end user’s personal information. This means an individual is requesting all personal information on file to be permanently and irreversibly removed from the Entrata environment. If a client chooses to move forward with this type of request and instructs Entrata’s data privacy team to remove the data, this will permanently remove all personal data associated with that individual housed in the Entrata environment. After the deletion has occurred historical reports will merely show a record of tenancy if the individual was a previous tenant, but no personal information will be associated with that record. Additionally, all associated documents and voice recordings will also be permanently deleted from the environment.

Information requests involve the collection of an end user’s personal data. This individual is requesting to see what personal information the client currently has on file. For this type of request, clients have the ability to view this information directly on the dashboard via a .csv file. The .csv file will be accessible on the privacy dashboard after the request has been submitted to Entrata and the Entrata Privacy team has collected the user's personal data.

“Other” requests may vary depending on which consumer rights the end user is exercising. Examples of other requests are right to data portability, right to rectification, and right to withdraw consent, to name a few. These should be handled on a case-by-case basis.

Working with Entrata’s data privacy team.

Most of the DSARs that require communication between Entrata’s data privacy team and our clients concern the deletion requests. Once the designated admin tasked with reviewing the DSARs from the client’s side has finished an initial review of a request and is ready to permanently delete that record, they will then select the option to "Send to Entrata”. Once this option is selected, the request will populate on Entrata’s compliance dashboard for the Entrata data privacy team to begin their review.

Upon receiving a deletion request the Entrata privacy team will reach out to the client’s Entrata representative to contact the client and confirm that 1) the request is valid and 2) assure that the client understands that deletion requests are permanent and cannot be undone once they have been confirmed. Entrata has put this process in place as a safeguard to protect against accidentally deleting data that may still be needed or never intended to delete in the first place.

Once the Entrata privacy team receives the final affirmation to move forward, they will then initiate an automated script that will complete the deletion of personal information for that individual. An email confirming that request has been completed will be forwarded to the client’s Entrata representative, who will then forward to the client for their records.

If, however, the client alerts the Entrata representative that they would not like to move forward with the deletion request, the Entrata representative will pass that on to the data privacy team, who will then deny the request. These denials do not affect the requestor’s personal information on file in any way, and nothing will be lost for the client.

Current state activity data privacy.

As of December 2023, the states with data privacy regulations in effect are California (CCPA, CPRA), Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Utah’s Consumer Privacy Act (UCPA) will go into effect December 31, 2023. Clients with properties in these states should be vigilant and discerning when receiving DSARs.

Additional states have also passed their own data privacy laws going into effect in the coming years. By mid-2024, Texas, Oregon, and Montana will have active data privacy laws with similar requirements regarding DSARs. By 2026 Iowa, Delaware, Indiana, and Tennessee will have active data privacy laws in effect as well.

Entrata strongly encourages clients to seek advice from their own privacy counsel regarding the handling of DSARs as well as additional requirements based on states where user data is being collected.

The Future of Data Privacy in the US.

Although no federal law has been passed in the United States as of December 2023, there are areas of data privacy that are governed by federal law. Examples of these areas are health (HIPAA), finance (GLBA), or data collected from children (COPPA). Unlike what Europe and the United Kingdom have done with the GDPR and UK GDPR, the US has not implemented a comprehensive privacy law. However, there have been several bills introduced in both the US house and senate such as the Online Privacy Act of 2023 and the Data Care Act of 2023. Neither bill has been passed as of December 2023.

Entrata’s privacy team is closely monitoring all state and Federal consumer/individual privacy bills and will adjust current processes to meet these regulatory needs as they arise.

Entrata is here to help.

If you have any questions regarding what has been discussed in this article or Entrata’s data privacy practices in general, please contact your Entrata representative or the Entrata support team and we will be happy to assist.