MAR Legal Hotline

Notes from the MAR Legal Hotline: General Data Protection Regulation

Q.   I’ve heard about something called GDPR and that I should update my website; what is this and how does it impact me?

A.   The GDPR, short for the General Data Protection Regulation, governs how websites and businesses treat data that belongs to residents of the European Union, regardless of citizenship.  This regulation applies to businesses and organizations around the globe, not just members of the EU.  The GDPR requires an affirmative “opt in” to allow companies to collect website users’ personal data, rather than the traditional “opt out” we have all become accustomed to.  The goal of the GDPR is to give back control of personal data to individuals by granting the following rights:

  • The right to be informed that data is being collected and how it is being used;
  • The right to object;
  • The right to access that data;
  • The right to change the data; and
  • The right to have the data erased.

These changes likely mean that the “Terms of Use” on most websites will need to be updated to explain what data is being collected on the site and how to request that your information be forgotten.  Additionally, in order to obtain the “opt in” or affirmative consent required by the GDPR, a pop-up box or “lightbox” feature can be used with a box or button for the user to click prior to proceeding to use the site.  Furthermore, the GDPR requires notification within 72 hours of a breach to authorities in each country where users are affected.

While it would seem like these regulations wouldn’t apply to the typical real estate agent here in the United States, it is strongly advised to implement these updates as the potential fines for a breach of confidentiality are significant – up to $20 million Euros or 4% of the company’s annual global income, whichever is greater.  The GDPR applies to the collection of the following information:  name, phone number, address, email address, IP address, cookie identifiers, location data, genetic information, mental/psychological information, economic information, cultural information, and any information pertaining to a person.  If you have a website with IDX, a newsletter sign-up form, a listing request form, a “contact us” form, or any place where a user inputs their information on your website, you need to make sure you are GDPR compliant.

These regulations under the GDPR became effective May 25, 2018, and while the GDPR may not apply to all real estate businesses, we recommend you speak with your website vendor to discuss what data is collected and whether you should update your website to become compliant with these rules.  It is also recommended that you speak with your insurance company to determine whether you would be covered in the event of a breach.

For more information please see:

The information and services provided through the Massachusetts Association of REALTORS are intended for informational purposes and do not constitute legal advice, nor do they establish an attorney-client relationship.  The MAR, by providing this service, assumes no actual or implied responsibility for any improper use of responses to questions through this service.  The MAR will not be legally responsible for any potential misrepresentations or errors made by providing this service.  For more information regarding these topics authorized callers should contact the MAR Legal hotline at 800-370-5342 or email at