The legal pitfalls for companies using proptech

As a “player” in the brokerage, legal and tech space, I’ve consulted with numerous proptech companies at different stages of their growth over the years. One thing I’ve noticed is that many companies don’t invest in obtaining legal advice to avoid unexpected surprises, which can often have consequences that are fatal to the business model and the company itself.

I recently spoke with the McMillan LLP team, including partners Alex Bruvels and Robert C. Piasentin, associates Kailey Sutton and Kaleigh Zimmerman and articling student Madeline Klimek about a range of issues relating to the use of technology in relation to property – from drones to lead generation platforms. If not properly addressed, these issues could stop a company dead in its tracks.

When collecting data, what disclosures should be made? Is verbal consent permissible? And what can be collected without consent?

A key mistake that organizations may make when collecting data, both through proptech and more generally, is failing to either appreciate or truly understand the type or sensitivity of the information they are collecting. Recognizing this is important because the consent and disclosure requirements for collection of data are dependent on factors including the type of information collected and the purpose of the collection.

Private sector privacy laws, both federally and provincially, govern the rules regarding how businesses must collect and handle “personal information” in the course of their commercial activities. Such  information is often required for software, when using proptech, to function appropriately and to improve algorithms, consumer experience and product functionality.  “Personal information” includes any factual or subjective information about an identifiable individual, such as age, name, ID numbers, ethnic origin, disciplinary actions, opinions, credit records and loans. For organizations that collect personal information, it is important that they implement a privacy management program that includes the creation of a privacy policy, meeting all federal and provincial legal requirements. They must establish internal business processes that govern and provide transparency with respect to how the organization: (i) collects personal information; (ii) uses or processes the collected information; (iii) obtains appropriate consents; and (iv) retains or destroys the information.

Drone usage, for example, is becoming increasingly popular in both residential and commercial real estate for promotional purposes, as well as for construction management on active project sites. It triggers privacy concerns with respect to recorded visual and audio content. Using a drone does not insulate operators from ensuring they have necessary consents. However, if the data being collected is not personal information – for example, to take video of an office tower or commercial building – then privacy compliance is largely a matter of ensuring you are not capturing anyone’s likeness. In this context, the data is the same as taking a photo of a building.

Industry participants using modern technologies to “cold-call” potential clients – either businesses or individuals being contacted by email, text message or other electronic methods – must ensure they have explicit consent to contact these persons in advance, in order to comply with Canada’s Anti-Spam Legislation.

For any personal information collected, organizations are generally required to first obtain meaningful consent. Meaningful consent requires that organizations make it clear to those individuals from whom they are collecting information the nature, purpose and consequences associated with the collection and use of their personal information. In addition, consent should generally be provided expressly (the individual has explicitly stated “I consent” to the collection either through actively checking a box or specifically opting into the collection).

Understanding the purpose behind data collection is also important because certain purposes may not require consent. For example, a business can generally collect contact information of its employees without their prior consent if done for the purposes of communication in relation to their employment.

What about storing data – what are the risks and how can a company mitigate these risks?

Security breaches and the resulting information leaks are a continual and increasingly frequent risk to storing data. Malicious actors are becoming more sophisticated in their pursuit of data, especially personal information, because of the potential value people place on such information.

Depending on your location and the real risk of harm, an organization may be required to notify affected individuals of a breach or even take steps to rectify or pay damages arising from such a breach. Accordingly, potential legal, financial and reputational risks exist for any organization storing data. It needs to be taken seriously and addressed at the outset to mitigate the risk and consequences of any breach.

In the context of proptech, for example, securing against such breaches will protect a range of sensitive, proprietary and personal information, such as a person’s daily habits, interests, relationships and accounts. The details of such information stored may vary based on the type of data, permissions granted and level of anonymization.

An organization can mitigate these risks by using appropriate safeguards to protect any data collected. The sophistication of the safeguards introduced will be impacted in no small measure by the level of sensitivity of the information that is being secured. For example, health and financial information is considered highly sensitive, and therefore, will always require a high level of security including, generally, multiple protection levels.

Safeguards include physical measures, such as restricted access to offices, clean desk policies and locked cabinets, as well as appropriate technological tools, such as multi-factor authentication, encryption and appropriate cybersecurity protocols. To further mitigate against the risk of security breaches, organizations should also look to implement appropriate administrative controls. Common administrative controls include restricting employee access to personal information to those on a “need to know” basis and implementing policies that automatically destroy stale personal information after a certain period of time.

One final key measure that should always be considered is continuous and up-to-date training on privacy compliance for all employees or resources working with an organization. Even with the most sophisticated technological controls in place, data breaches can still happen when the individuals responsible for managing information fail to follow the necessary processes to keep it secure. As a result, implementing a robust training program for all employees or resources, and providing refresher training periodically, is an additional important protection measure that should not be overlooked.

What about sharing data – what can be shared with third parties? Is consent always required or are there instances where consent is implied?

Sharing data with third parties can be one of the draws for providers of proptech. However, an organization can only share such data if it has the consent of the individual about whom the information pertains. To ensure they obtain meaningful consent, the organization will need to outline the purposes behind the sharing of the collected personal information. The level of consent required will depend upon the type of information collected.

A business can generally address the issue of sharing personal information with third parties through its privacy policy. Typically, such a policy should describe what information will be collected, how it may be disclosed, the types of third parties that may receive the information and how such third parties may use the information. For example, a privacy policy may note that the name and credit information of an individual will be provided to a payment service provider to complete a transaction.  In the proptech space, this privacy policy would need to be easily accessible for anyone using the technology.

Organizations should be aware they may be responsible for any information transferred to third parties. An organization’s responsibility for the protection and security of such information does not necessarily end simply because it has transferred the information to a third party. If the organization has received the meaningful consent from an individual to transfer that information, then the organization’s risk will be materially mitigated. However, before any transfer of information, it is always prudent for an organization to assess all of the risks of transferring any collected personal information (how it will be transferred, to whom) and to ensure, through contractual or other means, that third parties will provide adequate protection for any information they receive.

When looking at proptech, what do you think are the top three key liability risks associated with functionality and how can we mitigate these risks?

One liability risk is associated with over-collection and overuse of personal information. An organization needs to have secured meaningful consent from an individual before collecting, processing, using, or storing that individual’s personal information. Failure to secure such consent can result in complaints to the Office of the Privacy Commissioner of Canada and possible subsequent litigation. Mitigation of this risk can be managed through an organization being clear and transparent with respect to how its technology collects, processes or uses an individual’s personal information and where that personal information will be stored.  Incorporating pop-up functionality in the technology that will prompt a user to consent to a particular use of information, if that use is unusual, not otherwise covered or would not be anticipated by an individual, will provide the organization with a reasonable defence to any subsequent claims of a privacy breach from a user.

Another material risk with respect to the functionality of proptech is when it does not incorporate appropriate security measures to keep a user’s information safe or their activities secure while online. If, due to weak security measures, a user’s account can be hacked or information or transactional details can be intercepted by malicious actors, an organization will face significant potential legal liability and reputational damage from any such event. Implementing technology security measures that are consistent with best industry practices, including multi-factor authentication or encryption technologies, combined with appropriate training of all resources, will help mitigate an organization’s risk. In addition, ensuring that the corresponding infrastructure in any property development with which the proptech will interact is adequately robust to manage the data and transactions that will be routed through the proptech, will be important to ensure that there are no unidentified vulnerabilities.

Finally, introducing functionality into proptech is key to remaining relevant and the first choice among consumers. However, any upgrades or updates can bring with them additional risks. All software products generally have bugs. Occasionally, bugs can cause the entire software product to shut down, or specific functionality to no longer operate properly.

Understanding these risks and building redundancies into the proptech is a standard approach to try to ensure that any such bugs will not shut the proptech down. In addition, organizations should ensure that users have the opportunity to report bugs and, once reported, those organizations can provide reasonable, timely maintenance and support to minimize the extent and overall risk of any bugs in the proptech.
