CCPA and What It Means for Multifamily

CCPA is here. Here’s what you need to know.

As marketers, designers, and developers in the multifamily industry, there are so many acronyms that we have to be familiar with. ADA, EHO, SSL, GDPR, WCAG... the list seems endless. At Jonah, we jokingly call this never-ending, ever-growing list of letters the “acronym monster,” and it can honestly be overwhelming.

Well, the monster just grew by one more acronym: CCPA.

Don’t worry, Jonah’s got your back. Here’s what you need to know about CCPA and what you should do next.


What is CCPA?

There’s a good chance that your inbox has been swamped with dozens of “Privacy Policy Update” emails over the last few weeks. This is because of a new set of consumer protection and privacy laws, recently implemented by the California state legislature, called CCPA.

The California Consumer Protection Act, as the name implies, is a set of laws aimed at protecting the digital privacy of California residents and consumers. It is in many ways similar to the GDPR legislation that the EU implemented in mid-2018. While there is a lot of overlap in the two sets of regulation, CCPA is different from GDPR in at least one very important regard—its location.


Who does it affect?

Theoretically, CCPA only affects businesses that meet the following criteria:

  • Any company with revenues in excess of $25 million per year

  • Any company that makes at least 50% of its annual revenue from selling consumers’ data


But, when you dig into the details, the potential pool of affected companies gets much larger. This is because of two important factors:

Parent Companies Count

Smaller, subsidiary companies that may not meet the requirements of CCPA may still be on the hook if they have organizations that they roll up to or parent companies that DO meet the CCPA criteria.

It’s California

With a GDP of around $3.0 trillion, California is not only the largest economy in the United States (more than twice the size of Texas at #2), but is the fifth largest economy in the world, ahead of even India. Additionally, California has a population in excess of 39.5 million people. That’s a lot of money and a whole bunch of people. The truth is, it’s remarkably difficult to find a company that doesn’t, at some point, come into contact with someone in California.


But what if I don’t have any properties in California?

Unfortunately, it doesn’t really matter if you don’t have any properties in California. Who is visiting your websites and where they’re looking at them from is what matters. Let’s say you only operate communities in New England. Now imagine a potential resident is being transferred by her company from San Francisco to New York. You may not have any properties in California, but you do in New York and she’s looking at them for her move. You’re now affected. Imagine that the same person is looking for the same apartment for the same reason but she’s already IN New York. She’s still a California resident (and therefore covered under CCPA) but you have no way of knowing that since the visit will be coming from a New York IP address. 

The unfortunate fact of the matter is you have no way of knowing for sure whether or not you’re affected by CCPA, so it’s best to act as though you are… at least until you talk to your attorneys.


When do I have to be CCPA compliant?

Right now. CCPA is already in effect as of January 1, 2020, and the penalties for violation are potentially pretty severe. While the penalty language is somewhat unclear at the moment, one interpretation is that companies found to be in CCPA violation could be on the hook for $7,500 per person violated. The time to get CCPA compliant is now.


So, what do we do?

  1. Talk to your attorney right now! They should be able to help you understand which parts of CCPA affect you and what you need to do to come into compliance with the law. They’re probably going to ask to review your privacy policy, so have that ready to give to them.

  2. Update your privacy policy. There are several changes to the standard website privacy policy that may need to be made right away. Your lawyer should be able to provide you with the proper language to include.

  3. Review your data policy. As we discussed, it’s likely that you or your parent company are affected by CCPA. Even if you don’t think you are, now is the time to review your data policy and data security procedures. Many more states have similar bills in process right now. It’s best to be prepared.

  4. Get a data privacy and management process in place. CCPA has a fairly intense set of requirements for how a company interacts with consumers, what steps need to be taken, and what timeframe a company has to complete those steps. You will most likely have to create new processes and procedures in order to comply with the requirements of CCPA. At minimum you need a “who do we talk to if…” process figured out in the event that a consumer contacts you with a CCPA request.

  5. Talk to Jonah. If you’re one of our clients, your websites are ready for CCPA compliance! We’ve developed a specific set of tools that you need in order to update your website to be CCPA compliant. But, while we can give you the tools, we can’t do it for you. You have to talk to your lawyers and get a process in place. 


TL;DR Takeaways:

  • CCPA is in effect right now.

  • Almost anyone who does business in the US is affected on some level.

  • If you haven’t already, you need to talk to your attorney about CCPA right now.

  • Talk with Jonah to get your website CCPA compliant.



The fact is that our understanding of CCPA and how it affects both consumers and companies is still evolving. Luckily, the multifamily industry has the NAA on our side, and their lawyers are working hard to untangle the legal ramifications and requirements of this legislation for our industry. Here are a few articles they’ve published regarding CCPA and privacy regulations: