Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

What Do Landlords Need to Know About the New York City Tenant Data Privacy Act?

Author: Scarinci Hollenbeck, LLC

Date: August 2, 2021

Key Contacts

Back
What Do Landlords Need to Know About the New York City Tenant Data Privacy Act?

Biometric data privacy laws continue to grow at both the state and local level...

Biometric data privacy laws continue to grow at both the state and local level. New York City landlords are the latest to be impacted. Under the New York City Tenant Data Privacy Act (TDPA), owners of multi-family dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers, and electronic technologies, must provide tenants with a data retention and privacy policy.

Key Provisions of the New York City Tenant Data Privacy Act

The TDPA will impact all owners/landlords of Class A multiple dwellings that use smart access systems. Under the TDPA, a “smart access” building is defined as one that uses keyless entry systems, including electronic or computerized technology, RFID cards, mobile apps, biometric information or other digital technology to grant access to the building, common areas, or individual dwelling units.

Restrictions on Data Collection and Use

The TDPA establishes restrictions on the collection and use of data collected from smart access systems. An owner of a smart access building or third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system. After obtaining consent, owners may collect only the minimum amount of authentication data and reference data necessary to enable the use of the smart access system, and may not collect additional biometric identifier information from any users.

The term “authentication data” means the data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through the building’s smart access system. It does not include data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry. Meanwhile, “reference data” is defined as the information against which authentication data is verified at the point of authentication by a smart access system in order to grant a user entry to a smart access building, dwelling unit of such building or a common area of such building.

The TDPA further provides that smart access system may only collect, generate or utilize the following information:

  • The user’s name;
  • The dwelling unit number and other doors or common areas to which the user has access using the smart access system;
  • The user’s preferred method of contact;
  • The user’s biometric identifier information;
  • The identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
  • Passwords, passcodes, usernames, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit, or common area through the smart access system, or to access any online tools used to manage user accounts related to such building;
  • Lease information, including move-in and, if available, move-out dates; and
  • The time and method of access, solely for security purposes.

The TDPA also requires that any data collected be removed, anonymized, or destroyed within a given time, generally no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

The TDPA also provides that any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility must be limited to the tenant’s total monthly usage, unless otherwise required by law. The new law also makes it unlawful for an owner of a multiple dwelling to collect any information about a tenant’s use of internet service. When internet service is provided directly from an owner to tenants, the landlord may collect such information if it is aggregated and anonymized, or necessary for billing purposes.

The TDPA restricts the sharing of any data collected with third parties. It also makes it unlawful for an owner of a smart access building to: track the location of any user of a smart access system outside of the building; use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests; utilize data collected through a smart access system for any purpose other than to grant access to and monitor entrances and exits to the smart access building, common areas, and dwelling units; use a smart access system to limit the time of entry into the building by any user except as requested by a tenant; require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and use any information collected through a smart access system to harass or evict a tenant.

Privacy Policy Requirements

The owner of a smart access building must provide tenants with privacy policy, written in plain language, that describes, at a minimum, the following information:

  • The data elements to be collected by the smart access system;
  • The names of any entities or third parties the owner will share such data elements with, and the privacy policies of any such entities or third parties;
  • The protocols and safeguards the owner will provide for protecting such data elements;
  • The retention schedule of such data;
  • The protocols the owner will follow to address any suspected or actual unauthorized access to or disclosure of such data elements, including notification of users;
  • Guidelines for permanently destroying or anonymizing such data or removing such data from the smart access system; and
  • The process used to add and remove persons who have provided written consent on a temporary basis to the smart access system.

Mandatory Security Safeguards

A smart access system must implement stringent security measures and safeguards to protect the security and data of tenants, guests and other individuals in smart access buildings. Under the TDPA, these security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

Enforcement

The Tenant Data Privacy Act establishes a private right of action for the unlawful sale of data collected through a smart access system covered by the law. Tenants are entitled to seek compensatory damages or statutory damages ranging from $200 to $1,000, as well as attorney’s fees.

The TDPA takes effect 60 days after it was signed into law on July 29, 2021. However, owners are not liable for a violation of the law until January 1, 2023.

Key Takeaway

The TDPA is the country’s first standalone law to regulate the collection and retention of data from tenants living in “smart access” buildings. It also adds to the growing patchwork of biometric privacy regulations with which businesses must contend.

Although owners of smart access buildings in New York City have until 2023 to come into full compliance with the law, it is always advisable to be proactive. We also encourage landlords outside of New York City to monitor legal developments in this rapidly evolving area of law as it is very likely that similar laws will be enacted elsewhere.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2 post image

What to Do If You Are Impacted by a Retailer Bankruptcy Part 2

Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]

Author: Brian D. Spector

Link to post with title - "What to Do If You Are Impacted by a Retailer Bankruptcy Part 2"
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business post image

The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business

Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]

Author: Dan Brecher

Link to post with title - "The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business"
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1 post image

Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1

The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]

Author: Brian D. Spector

Link to post with title - "Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1"
How Understanding Bankruptcy Trends Can Benefit Your Business post image

How Understanding Bankruptcy Trends Can Benefit Your Business

The bankruptcy legal landscape presents both challenges and opportunities for businesses navigating financial distress. Understanding current bankruptcy trends can help businesses make more informed and strategic decisions. Corporate Bankruptcy Filings Trending Upwards Bankruptcy filings continued to trend upwards in 2024. According to statistics released by the Administrative Office of the U.S. Courts, personal and business […]

Author: Brian D. Spector

Link to post with title - "How Understanding Bankruptcy Trends Can Benefit Your Business"
SEC Takes Actions Against Issuers for Failure to File Form D post image

SEC Takes Actions Against Issuers for Failure to File Form D

In December, the U.S. Securities and Exchange Commission (SEC) announced charges against two privately held companies for failing to file a Form D notice, which is generally utilized for exempt securities offerings. Here, the SEC’s enforcement sends a strong message: compliance with regulatory requirements is not optional and failure to comply can have significant consequences. […]

Author: Kenneth C. Oh

Link to post with title - "SEC Takes Actions Against Issuers for Failure to File Form D"
Redefining Labor Relations: NLRB's Pivot from Abruzzo’s Memoranda post image

Redefining Labor Relations: NLRB's Pivot from Abruzzo’s Memoranda

On February 14, 2025, the Office of General Counsel (OGC) of the National Labor Relations Board (NLRB) under Acting General Counsel William B. Cowen issued Memorandum 25-05, “New Process for More Efficient, Effective, Accessible and Transparent Case handling.” The Memorandum rescinds nearly all of the Memoranda issued by his direct predecessor, Jennifer Abruzzo, setting the […]

Author: Matthew F. Mimnaugh

Link to post with title - "Redefining Labor Relations: NLRB's Pivot from Abruzzo’s Memoranda"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!

Please select a category(s) below: