Data Privacy Compliance Checklist

Walk through every system capturing client PII: the CRM (Follow Up Boss, kvCORE, BoomTown), the transaction-management platform (Dotloop, SkySlope), agent inboxes, lead-gen portals (Zillow Premier, Realtor.com Connections), open-house sign-in apps (Spacio, Curb Hero), and the back-office accounting stack. Closed-transaction paper folders sitting in the office count too.

Tier 1 covers SSNs, bank account numbers, driver's-license images, and pre-approval letters with full credit detail. Tier 2 is contact info, transaction history, and showing data. Tier 1 triggers GLBA Safeguards Rule controls for any deal where the brokerage exchanges borrower data with the lender.

Verify Dotloop or SkySlope is configured for encryption at rest and that share links require recipient authentication. Personal Dropbox or unsecured Google Drive folders for closing docs are a common audit finding — confirm none are in use across the team.

MFA on email is the single biggest defense against the business email compromise pattern that hits closings. Required on Microsoft 365 or Google Workspace, the CRM, the TC platform, and any account that can authorize a wire. Spot-check a sample of agent accounts during the review.

Most state license laws require transaction file retention for 3–7 years from closing (CA: 3, FL: 5, TX: 4, NY: 3), with longer windows on trust-account records in many states. Confirm the brokerage's retention policy matches the current rule and that scheduled purges only fire after the window plus any litigation hold.

Confirm the data processing addendum is current with each major vendor: CRM, transaction platform, eSignature, lead-gen portals, and accounting. CCPA/CPRA service-provider language and SCCs for any EU lead pipeline are the items most likely to be outdated.

For every lead source pushing into the CRM, confirm written consent records exist for SMS and autodialed calls. Zillow and Realtor.com leads carry consent through the portal; sphere imports and purchased lists usually do not. TCPA settlements run $500–$1,500 per call, so this is high-leverage to get right.

Capture the request the day it arrives and start the statutory response clock — 45 days under CCPA/CPRA (extendable once by 45 more), 45 days under VCDPA, 45 under CTDPA. Capture jurisdiction up front because the verification standard and cure period differ by state.

Identity verification should be proportionate to the sensitivity of the data. For an access request covering closing files, two factors (transaction reference plus a government ID) are appropriate. Don't over-collect during verification — that's its own privacy issue.

Deliver the response in the format the consumer requested where reasonable. For access, a structured export from the CRM and TC platform plus copies of executed agency disclosures. Log what was provided in the compliance audit trail.

Triage within hours, not days. Classify the incident up front because downstream notification rules diverge — a wire fraud / business email compromise triggers FBI IC3 and the receiving bank's fraud team, while a lost laptop with closing files triggers state breach notification and direct client notice.

Reset credentials, revoke active sessions in Microsoft 365 or Google Workspace, pull the affected machine off the network, and freeze the relevant CRM accounts. Move fast — the FBI's Financial Fraud Kill Chain window for wire-fraud recovery is roughly 72 hours before funds are typically unrecoverable.

File at ic3.gov within 72 hours of detection. Include the wire amount, recipient bank routing and account numbers, the spoofed email headers, and the closing reference. The IC3 report is the basis for the FBI Recovery Asset Team's Financial Fraud Kill Chain hold request to the receiving bank.

Map the affected residents to state breach-notification statutes — California: most expedient time without unreasonable delay; Texas: 60 days; Massachusetts: as soon as practicable; Florida: 30 days. If GLBA-covered borrower data was involved, the federal Safeguards Rule notification rules also apply.

Read NAR's Window to the Law data-privacy update and the state association's compliance bulletins. Track newly effective state privacy laws (TX TDPSA, OR Consumer Privacy Act, DE PDPA) — the effective dates change which residents the brokerage owes DSAR rights to and whether sensitive-data opt-outs apply.

Annual training on PII handling, wire-fraud red flags, the verbal-verification protocol for wire instructions to a known phone number, and TCPA consent rules for SMS and autodialed calls. Capture sign-in or LMS completion records — this is the first artifact license-law audits ask for.