Zillow PropTech Privacy Violations Hiding in Plain Sight

The Digital Advertising Accountability Program just handed Zillow Group a detailed compliance roadmap, and the real estate technology sector should be paying close attention. While this wasn’t a fine or penalty, the intervention signals something arguably more significant: privacy watchdogs are actively monitoring how PropTech giants handle consumer data—and they’re finding problems.

The Zillow Group Investigation: What Happened

In December 2025, BBB National Programs’ Digital Advertising Accountability Program (DAAP) announced the results of its routine monitoring of Zillow Group’s digital properties. What they discovered wasn’t pretty: broken links, missing privacy notices, inadequate disclosures about interest-based advertising, and location data collection concerns across Zillow, Trulia, HotPads, and StreetEasy.

The core issues centered on violations of the Digital Advertising Alliance’s Self-Regulatory Principles for online interest-based advertising. Specifically, DAAP found that Zillow Group failed to provide consistent “enhanced notice”—clear, prominent information about how third parties collect user data for targeted advertising and how consumers can opt out.

The investigation revealed broken links where privacy information should have been, missing statements acknowledging adherence to industry privacy principles, and third-party tracking technology operating without proper user notification. Most troubling, DAAP initially observed precise location data being collected in Zillow’s mobile app by third parties engaged in behavioral advertising—though this practice had ceased by the time the formal inquiry began.

To Zillow Group’s credit, the company responded comprehensively. They overhauled privacy notices across all four brands, added prominent “Ad Choices” links in website footers and mobile app settings, created direct paths to their Privacy Portal, and implemented proper disclosures about third-party tracking technologies. They also ensured app store listings link directly to privacy information, making it easier for consumers to understand data practices before downloading.

But here’s the critical question: if Zillow Group—with vast resources and sophisticated legal teams—struggled with basic privacy compliance, what does that say about the rest of the PropTech industry?

PropTech’s Growing Privacy Problem

Real estate technology sits at a dangerous intersection: massive data collection, high-stakes transactions, vulnerable consumers, and historically lax oversight. The industry handles social security numbers, financial records, precise location data, behavioral patterns, and family information. When things go wrong, they go spectacularly wrong.

The Weichert Realtors Data Disaster

In May 2022, New Jersey’s Attorney General reached a $1.2 million settlement with Weichert Realtors over three separate data breaches affecting nearly 11,000 consumers. The investigation revealed a litany of security failures: no antivirus software protecting the network, missing multi-factor authentication, misrepresented security practices, and failure to promptly notify affected consumers.

The Weichert case illustrates a troubling reality in real estate: companies handling extraordinarily sensitive financial and personal information often operate with consumer-grade security measures. The breaches weren’t sophisticated nation-state attacks—they were preventable failures resulting from basic negligence.

Video Privacy Violations Hit Major Platforms

Zillow and Redfin both face ongoing class action lawsuits over alleged violations of the Video Privacy Protection Act and California Invasion of Privacy Act. The complaints allege that both companies installed tracking pixels on their websites that capture information about which property video tours users watch, then transmit that data to third parties like Meta, Google, Microsoft, Oracle, Reddit, and Snapchat—all without valid user consent.

These lawsuits highlight an emerging privacy battleground: tracking technologies that monitor every click, scroll, and view, creating detailed behavioral profiles that users never authorized. When you tour a million-dollar waterfront property virtually, should Facebook know about it? Should that viewing behavior influence the ads you see across the internet?

The TCPA Minefield

Zillow currently faces a class action lawsuit alleging violations of the Telephone Consumer Protection Act after a plaintiff received multiple unwanted text messages about different properties directed to different names—all sent to the same phone number. If the allegations prove true, they suggest fundamental problems with Zillow’s lead generation system, where consumer consent and contact information management appear dangerously mishandled.

With the FCC’s new one-to-one consent requirements taking effect, PropTech companies that built their business models on loose lead generation practices face an existential reckoning. The days of harvesting contact information from website forms and bombarding consumers with automated messages are ending—expensively.

Why PropTech Is Particularly Vulnerable

Several factors make real estate technology especially prone to privacy violations:

The data honeypot: PropTech platforms collect everything. Financial information for mortgage prequalification, employment history, rental payment records, credit scores, family composition, lifestyle preferences, search history showing which neighborhoods interest you, behavioral patterns revealing when you’re home. It’s a complete dossier on consumers’ lives and finances.

Multiple parties, murky accountability: A typical real estate transaction involves brokers, agents, mortgage lenders, title companies, inspectors, appraisers, and various PropTech platforms. Data flows between all these parties, often through insecure channels. When a breach occurs, determining who’s responsible becomes a blame-shifting exercise.

Legacy systems meet cutting-edge tracking: Many real estate companies layer sophisticated tracking technology and AI-powered analytics onto antiquated IT infrastructure. They’ll implement advanced behavioral targeting while running critical systems on unpatched servers without basic security protocols.

High-value targets: Real estate transactions involve substantial sums of money, making them attractive to sophisticated cybercriminals. Wire fraud schemes targeting real estate closings resulted in $221.4 million in losses in 2019 alone, with criminals increasingly targeting the technology platforms facilitating these transactions.

Regulatory fragmentation: PropTech companies must navigate a patchwork of federal laws like the Gramm-Leach-Bliley Act (for financial services), state privacy laws like CCPA/CPRA, GDPR for international users, TCPA for communications, VPPA for video content, and industry-specific regulations. Many companies simply can’t keep up.

Cultural disconnect: PropTech founders often come from pure tech backgrounds where “move fast and break things” was the ethos. Real estate, however, is a heavily regulated industry where breaking things means exposing consumers’ most sensitive information and violating fiduciary duties.

The Regulatory Tightening on PropTech for Privacy Violations

Privacy regulators are getting more aggressive with PropTech:

Multi-million dollar settlements are becoming routine: Meta paid $1.4 billion to Texas for biometric privacy violations. T-Mobile settled for $500 million after multiple breaches. Marriott paid $52 million for a data security failure. These massive penalties signal that data mishandling carries real financial consequences.

State attorneys general are hunting: Beyond federal enforcement, state AGs are actively pursuing PropTech companies. California, New York, Texas, and other states have dedicated privacy enforcement units specifically targeting technology companies that mishandle consumer data.

Class action plaintiffs are organized: The PropTech sector faces an avalanche of privacy class actions. Video tracking, biometric data, TCPA violations, VPPA claims—plaintiffs’ attorneys have identified PropTech as a target-rich environment and are filing coordinated nationwide campaigns.

Industry self-regulation is strengthening: Organizations like DAAP are conducting proactive monitoring rather than waiting for complaints. As the Zillow Group case demonstrates, companies can expect privacy watchdogs to scrutinize their practices even without consumer complaints triggering investigations.

What PropTech Companies Must Do Now To Be Compliant

The Zillow Group compliance intervention should serve as a blueprint for the entire industry:

Audit every digital property: Don’t assume your privacy notices are working. Click every link. Test every opt-out mechanism. Verify that privacy information is accessible on every platform—desktop, mobile web, iOS app, Android app. Broken links and missing disclosures are compliance failures, not minor technical issues.

Map your data flows: Document exactly what data you collect, from whom, for what purpose, where it’s stored, who has access, which third parties receive it, and what they do with it. If you can’t diagram your data flows, you can’t protect consumer privacy or comply with privacy regulations.

Get your notices right: Privacy policies aren’t just boilerplate legal documents. They’re binding commitments about how you handle consumer information. Your notices must be accurate, accessible, clear, and comprehensive. If you’re sharing data with 15 third-party advertisers, disclose all 15. If you’re collecting location data, explain why and how consumers can opt out.

Implement technical controls: Privacy compliance isn’t just paperwork. You need actual technology controlling data access: encryption, multi-factor authentication, access logging, data minimization protocols, automated deletion, breach detection systems, and secure development practices.

Train your entire organization: Privacy violations often result from employees who don’t understand the rules. Sales teams offering to share lead data with partners, developers implementing tracking pixels without legal review, customer service representatives accessing information they don’t need—these are the daily decisions that create liability.

Conduct regular compliance reviews: Privacy regulations evolve constantly. The controls that satisfied CCPA in 2020 may not meet CPRA requirements in 2025. Schedule quarterly compliance audits and adjust your practices based on regulatory developments and industry best practices.

Plan for incidents: Despite your best efforts, breaches and compliance failures will occur. Have an incident response plan detailing who does what when things go wrong, templates for required notifications, relationships with forensic investigators, communication strategies for affected consumers, and protocols for regulatory reporting.
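The "Audit every digital property" and "Map your data flows" steps can be partly automated; the following is an added example, not code from DAAP, Zillow Group, or this article's author. It scans page HTML for a privacy or Ad Choices link, checks that each such link resolves, and lists embedded third-party hosts that are not on a disclosed list. Assumptions: the `example.test` pages, the `status_of` lookup, the `disclosed_hosts` set, and the `NOTICE_TEXT` labels are all hypothetical, and hosts are compared by exact hostname, so first-party subdomains would need an allowlist.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
NOTICE_TEXT = ("ad choices", "adchoices", "privacy")  # assumed notice link labels

class PageScan(HTMLParser):
    """Collect (link text, absolute href) pairs and hosts of embedded resources."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.hosts = base_url, [], set()
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = urljoin(self.base, a["href"]), []
        elif tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(urljoin(self.base, a["src"])).hostname
            if host and host != urlparse(self.base).hostname:
                self.hosts.add(host)

    def handle_data(self, data):
        if self._href is not None: self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()).lower(), self._href))
            self._href = None

def audit_page(url, html, status_of, disclosed_hosts):
    """Return sorted findings; status_of(url) -> HTTP status is injected (offline here)."""
    scan = PageScan(url)
    scan.feed(html)
    notices = [(t, h) for t, h in scan.links if any(k in t for k in NOTICE_TEXT)]
    findings = [] if notices else ["missing notice link"]
    findings += [f"broken notice link: {h}" for _, h in notices if status_of(h) != 200]
    findings += [f"undisclosed third-party host: {x}" for x in scan.hosts - set(disclosed_hosts)]
    return sorted(findings)

# Constructed sample pages and link statuses (hypothetical hosts, not real site data).
PAGES = {
    "https://homes.example.test/": '<script src="https://px.tracker.example/t.js"></script>'
        '<footer><a href="/privacy">Privacy</a> <a href="/adchoices">Ad Choices</a></footer>',
    "https://rentals.example.test/": '<img src="https://px.tracker.example/p.gif">'
        '<footer><a href="/terms">Terms</a></footer>',
}
STATUS = {"https://homes.example.test/privacy": 200}  # anything else counts as broken
def run_audit():
    return {u: audit_page(u, h, lambda x: STATUS.get(x, 404), {"ads.partner.example"})
            for u, h in PAGES.items()}
```

In a live audit, `status_of` would issue a real request for each link, and the same scan would be repeated for the mobile web and in-app web views.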

The Broader Message

The Zillow Group case wasn’t punitive—it was corrective. DAAP worked collaboratively with the company to achieve compliance. But make no mistake: this cooperation came because Zillow Group responded properly to the inquiry, invested resources in remediation, and demonstrated genuine commitment to fixing the problems.

Companies that ignore privacy watchdogs, delay remediation, or treat compliance as optional face far harsher consequences. The FTC, state attorneys general, and private plaintiffs don’t offer collaborative solutions—they file enforcement actions seeking maximum penalties.

PropTech is at an inflection point. The industry can either embrace privacy compliance as a competitive advantage and trust-building opportunity, or continue treating consumer data cavalierly until regulatory hammers force painful changes. Companies making the right choice now will be positioned for sustainable growth. Those waiting for enforcement actions will face expensive retrofits while defending class action lawsuits and navigating government investigations.

The message from the Zillow Group case is clear: privacy watchdogs are watching, consumers are noticing, and the era of loose PropTech privacy practices is ending. The only question is whether companies will adapt proactively or learn these lessons through enforcement actions and settlements.
