Privacy
323.APARTMENTS takes resident personal identity information very seriously. Any staff member who views (and processes) your rental application form is a real estate broker and has submitted his/her fingerprints to the DOJ (Department of Justice) and the FBI (Federal Bureau of Investigation) as a licensing requirement of the Bureau of Real Estate.
323.APARTMENTS does not accept hardcopy application forms or application forms sent via email.
- Hardcopy application forms are not accepted if other methods are available to the applicant. Hardcopy applications may be physically misplaced, lost, or even compromised. Under special circumstances when hardcopies are accepted, they are scanned and the original paper is shredded with a Level 6 / P-7 DOD (Department of Defense) crosscut paper shredder which meets NSA/CSS Specification 02-01 for High Security Crosscut Paper Shredders.
- Email application forms are never accepted. Applications sent via regular email are not secure and may be intercepted by man-in-the-middle attacks or compromised by viruses, trojans and other malicious technology.
- 323.APARTMENTS does not allow applicants to transmit any keyboard-typed personal data (except applicant name) on web-based application forms. This protocol specifically eliminates vulnerabilities to keyloggers and to databases that store digital ASCII characters in separate fields, which can subsequently be searched for sensitive information. This vulnerability is most common with banks and healthcare providers.
- 323.APARTMENTS mitigates many vulnerabilities by using end-to-end encryption between all client-server connections. Furthermore, rental application forms are housed on Amazon AWS web servers, which also provide service to the CIA, Netflix, Expedia, Pinterest, Amazon.com, Pfizer, Dow Jones and other major enterprises.
- Pursuant to the Information Practices Act of 1977, no disclosure of personal information will be made unless permissible under California Civil Code Article 6 Section 1798.24. Resident personal information is never released for marketing purposes.
In addition to the collection of personal information for credit checks, the 323.APARTMENTS website is also compliant with the California Online Privacy Protection Act (CalOPPA), which went into effect in 2004. It is the first state law in the United States to require commercial websites and online services to post a privacy policy. It was amended in 2013 to require new privacy disclosures regarding tracking of online visits. CalOPPA applies to any person or company in the United States whose website collects personally identifiable information from California consumers. CalOPPA requires the website to feature a conspicuous privacy policy stating exactly what information is collected and with whom it is shared; it also requires the operator of the website or online service to comply with the site’s privacy policy. Those who fail to do so are at risk of civil litigation under the state’s Unfair Competition Law.
The 323.APARTMENTS website collects the IP addresses of anyone who (a) logs into the support area to submit maintenance requests or (b) submits any online form. Time-based expiring cookies are used in the support area of the website in an effort to maintain persistent user credentials for user convenience. Cookie information includes the user's email, password, IP, and browser details.
Who does CalOPPA apply to?
CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to Internet service providers or similar entities that transmit or store personally identifiable information for a third party. In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of app providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded. In this vein, 323.APARTMENTS support area users are preregistered and have executed consent signatures regarding the use of their personally identifiable information within the website.
What is “personally identifiable information”?
As legally defined, “personally identifiable information” refers to details collected on the Internet about an individual consumer, including an individual’s first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online. The term extends to details such as a person’s birthday, height, weight or hair color that are collected online and stored by an operator in personally identifiable form.
What is required under CalOPPA?
The operator of a commercial website or online service must conspicuously post a privacy policy on its website. According to CalOPPA, conspicuously posting a privacy policy means:
- The privacy policy is shown on the website’s homepage; or
- A link – via an icon that contains the word “privacy” – appears on the homepage and directly takes consumers to the privacy policy. In this instance, the icon must be in a color different from the homepage’s background; or
- The privacy policy is linked to the homepage via a hypertext link that contains the word “privacy,” is written in capital letters equal to or greater in size than the surrounding text; is displayed in a type, font or color that contrasts with the surrounding text of the same size; or is otherwise distinguishable from surrounding text on the homepage.
To be considered in compliance with CalOPPA, the website’s privacy policy must contain the following:
- A list of the categories of personally identifiable information the operator collects;
- A list of the categories of third parties with whom the operator may share such personally identifiable information;
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
- A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy; and
- The effective date of the privacy policy.
AB 370 Requires New Privacy Disclosures
Assembly Bill 370 (Muratsuchi), signed into law in 2013, amended CalOPPA to require new privacy policy disclosures for websites and online services’ tracking of visitors, defined in the legislative analysis of the bill as “the monitoring of an individual across multiple websites to build a profile of behavior and interests.”
AB 370 was in part driven by the advent of “Do Not Track” computer coding, which can signal websites when visitors indicate they prefer not to be monitored. AB 370 is intended to bring greater transparency and consumer scrutiny to website practices, but it does not limit tracking. As the bill’s author, Assembly Member Al Muratsuchi (D-Torrance), explained, “This bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. AB 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.”
Under AB 370, privacy policies for websites or online services used by California residents (including mobile apps for smartphones and tablets) are required to:
- Disclose how a business’s website or online service responds to Do Not Track signals from Web browsers.
- Disclose whether third parties may collect visitors’ personally identifiable information on a business’s website or online service.
- Provide “a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
What are the consequences of noncompliance?
CalOPPA does not contain enforcement provisions. It is expected, however, that CalOPPA will be enforced through California’s Unfair Competition Law (UCL), which is located at Business and Professions Code §§ 17200-17209. Under the UCL the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which are considered to be any act involving business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL. Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against businesses whose posted privacy policy is deceptive – that is, where a business fails to comply with its posted privacy policy.