Data Privacy Compliance Checklist

Data Inventory and Mapping

    Walk through every system capturing client PII: the CRM (Follow Up Boss, kvCORE, BoomTown), the transaction-management platform (Dotloop, SkySlope), agent inboxes, lead-gen portals (Zillow Premier, Realtor.com Connections), open-house sign-in apps (Spacio, Curb Hero), and the back-office accounting stack. Closed-transaction paper folders sitting in the office count too.

    Classify what the inventory turns up by sensitivity. Tier 1 covers SSNs, bank account numbers, driver's-license images, and pre-approval letters with full credit detail. Tier 2 is contact info, transaction history, and showing data. Tier 1 triggers GLBA Safeguards Rule controls for any deal where the brokerage exchanges borrower data with the lender.

    Document every data exit: lender package handoff, title and escrow file delivery, MLS uploads, syndication to Zillow / Realtor.com / Redfin, photographer asset transfers, and TC hand-offs. Each flow needs a written basis — the listing agreement, buyer-rep agreement, or a vendor DPA.

Storage and Security Controls

    Verify Dotloop or SkySlope is configured for encryption at rest and that share links require recipient authentication. Personal Dropbox or unsecured Google Drive folders for closing docs are a common audit finding — confirm none are in use across the team.

    MFA on email is the single biggest defense against the business email compromise pattern that hits closings. Require it on Microsoft 365 or Google Workspace, the CRM, the TC platform, and any account that can authorize a wire. Spot-check a sample of agent accounts during the review.

    Most state license laws require transaction file retention for 3–7 years from closing (CA: 3, FL: 5, TX: 4, NY: 3), with longer windows on trust-account records in many states. Confirm the brokerage's retention policy matches the current rule and that scheduled purges only fire after the window plus any litigation hold.

    Pull the user list from CRM, TC platform, MLS, ShowingTime, and the eSignature account. Remove departed agents — a recurring gap is an agent who left two quarters ago still holding CRM read access. Document the change log for the broker file.
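The reconciliation step above, as an added example that is not part of the original checklist: it compares constructed per-system user exports against a constructed HR roster, flags departed agents still provisioned and accounts HR has no record of, and renders the change-log entry for the broker file. The system keys, addresses and dates are all assumed sample data.

```python
"""Quarterly user-access review across the brokerage's systems (added example,
not Manifestly's code). The rosters are constructed sample exports keyed by
login email, standing in for the lists pulled from the CRM, TC platform, MLS,
ShowingTime and eSignature accounts."""
from datetime import date

# Constructed HR roster: login email -> departure date (None = still active).
HR_ROSTER = {
    "alice@brokerage.example": None,
    "bob@brokerage.example": date(2024, 3, 15),  # left two quarters ago
    "carol@brokerage.example": None,
    "dan@brokerage.example": date(2024, 8, 1),
}

# Constructed per-system user exports as of the review date.
SYSTEM_USERS = {
    "crm": ["alice@brokerage.example", "Bob@brokerage.example", "carol@brokerage.example"],
    "tc_platform": ["alice@brokerage.example", "carol@brokerage.example", "dan@brokerage.example"],
    "mls": ["alice@brokerage.example", "bob@brokerage.example", "dan@brokerage.example"],
    "showingtime": ["alice@brokerage.example", "carol@brokerage.example"],
    "esignature": ["alice@brokerage.example", "eve@brokerage.example"],  # eve: unknown to HR
}

def find_stale_access(hr_roster, system_users, review_date):
    """One finding per (system, account) that should lose access: departed
    agents still provisioned, and accounts HR has no record of at all."""
    findings = []
    for system, users in system_users.items():
        for email in sorted({u.strip().lower() for u in users}):  # normalise exports
            if email not in hr_roster:
                findings.append({"system": system, "user": email,
                                 "reason": "not on HR roster"})
                continue
            departed = hr_roster[email]
            if departed is not None and departed <= review_date:
                stale = (review_date - departed).days
                findings.append({"system": system, "user": email,
                                 "reason": f"departed {departed.isoformat()}, {stale} days stale"})
    return findings

def change_log(findings, review_date, reviewer):
    """Render the change-log entry for the broker file documenting each removal."""
    header = f"Access review {review_date.isoformat()} by {reviewer}: {len(findings)} removal(s)"
    body = [f"  {f['system']}: remove {f['user']} ({f['reason']})" for f in findings]
    return "\n".join([header] + body)
```

A departure date later than the review date is not flagged, so a roster export taken before an agent's last day does not produce a premature removal.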

Vendor and Third-Party Sharing

    Confirm the data processing addendum is current with each major vendor: CRM, transaction platform, eSignature, lead-gen portals, and accounting. CCPA/CPRA service-provider language and SCCs for any EU lead pipeline are the items most likely to be outdated.

    For every lead source pushing into the CRM, confirm written consent records exist for SMS and autodialed calls. Zillow and Realtor.com leads carry consent through the portal; sphere imports and purchased lists usually do not. TCPA settlements run $500–$1,500 per call, so this is high-leverage to get right.

    Confirm the MLS data license terms (IDX, VOW) and syndication preferences for each active listing. A seller who requested no Zillow syndication but had it auto-pushed is a recurring complaint — verify the opt-out flag is honored on every quiet listing.

Consumer Rights Requests

    Capture the request the day it arrives and start the statutory response clock: 45 days under CCPA/CPRA (extendable once by a further 45), 45 days under VCDPA, and 45 days under CTDPA. Capture jurisdiction up front because the verification standard and cure period differ by state.

    Identity verification should be proportionate to the sensitivity of the data. For an access request covering closing files, two factors (transaction reference plus a government ID) are appropriate. Don't over-collect during verification — that's its own privacy issue.

    Deliver the response in the format the consumer requested where reasonable. For an access request, provide a structured export from the CRM and TC platform plus copies of executed agency disclosures. Log what was provided in the compliance audit trail.

    Run the deletion across CRM, TC platform, email archive, marketing tools, and any third-party processors. Honor statutory retention exceptions — closed-transaction files under state license law typically cannot be deleted before the retention window expires. Document what was kept and the legal basis.
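The retention gate described here and under Storage and Security Controls (purges and deletions only after the state window plus any litigation hold), as an added example that is not part of the original checklist. It uses the retention years the checklist cites for CA, FL, TX and NY; the TransactionFile record, the hold set and the sample files are assumptions, and an unknown state fails closed rather than deleting.

```python
"""Deletion gate for closed-transaction files: state retention window plus
holds (added example, not Manifestly's code). Retention years are the figures
the checklist cites; TransactionFile, the hold set and the sample records in
the tests are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = {"CA": 3, "FL": 5, "TX": 4, "NY": 3}  # years from closing, per checklist

@dataclass(frozen=True)
class TransactionFile:
    file_id: str
    state: str          # state whose license law governs the file
    closing_date: date

def retention_end(closing_date, years):
    """Closing date plus the retention window; a Feb 29 closing rolls forward
    to Mar 1 in a non-leap target year so the window is never shortened."""
    try:
        return closing_date.replace(year=closing_date.year + years)
    except ValueError:
        return date(closing_date.year + years, 3, 1)

def deletion_decision(record, today, litigation_holds):
    """Return (may_delete, basis). Holds and retention exceptions always win,
    and a state with no loaded rule fails closed so nothing is purged blind."""
    if record.file_id in litigation_holds:
        return False, f"litigation hold on {record.file_id}"
    years = RETENTION_YEARS.get(record.state)
    if years is None:
        return False, f"no retention rule loaded for {record.state}; route to broker"
    end = retention_end(record.closing_date, years)
    if today < end:
        return False, f"{record.state} license-law retention runs to {end.isoformat()}"
    return True, f"{record.state} retention window ended {end.isoformat()}; no hold"

def process_deletion_request(records, today, litigation_holds):
    """Split a consumer's files into deleted vs. kept, each with its legal basis,
    so the audit trail documents what was retained and why."""
    deleted, kept = [], []
    for rec in records:
        ok, basis = deletion_decision(rec, today, litigation_holds)
        (deleted if ok else kept).append((rec.file_id, basis))
    return deleted, kept
```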

Incident Response and Breach Notification

    Triage within hours, not days. Classify the incident up front because downstream notification rules diverge — a wire fraud / business email compromise triggers FBI IC3 and the receiving bank's fraud team, while a lost laptop with closing files triggers state breach notification and direct client notice.

    Reset credentials, revoke active sessions in Microsoft 365 or Google Workspace, pull the affected machine off the network, and freeze the relevant CRM accounts. Move fast: the FBI's Financial Fraud Kill Chain gives a wire-fraud recovery window of roughly 72 hours, after which funds are typically unrecoverable.

    File at ic3.gov within 72 hours of detection. Include the wire amount, recipient bank routing and account numbers, the spoofed email headers, and the closing reference. The IC3 report is the basis for the FBI Recovery Asset Team's Financial Fraud Kill Chain hold request to the receiving bank.

    Map the affected residents to state breach-notification statutes — California: most expedient time without unreasonable delay; Texas: 60 days; Massachusetts: as soon as practicable; Florida: 30 days. If GLBA-covered borrower data was involved, the federal Safeguards Rule notification rules also apply.

    The notification letter covers the date and nature of the incident, what data was involved, what's been done, and credit-monitoring or identity-protection services where required. Coordinate the language with the brokerage attorney and the E&O cyber-rider carrier before sending — most carriers require approval as a condition of coverage.

Compliance Oversight

    Read NAR's Window to the Law data-privacy update and the state association's compliance bulletins. Track newly effective state privacy laws (TX TDPSA, OR Consumer Privacy Act, DE PDPA) — the effective dates change which residents the brokerage owes DSAR rights to and whether sensitive-data opt-outs apply.

    Run annual training on PII handling, wire-fraud red flags, the verbal-verification protocol for wire instructions (call back on a known phone number), and TCPA consent rules for SMS and autodialed calls. Capture sign-in or LMS completion records; this is the first artifact license-law audits ask for.

    The designated REALTOR or broker-in-charge signs off, captures any open items as follow-ups for next quarter, and files the audit packet in the brokerage compliance binder. State commissions can request the binder during random audits with little notice, so the artifact needs to stand on its own.

Use this template in Manifestly