What Do Landlords Need to Know About the New York City Tenant Data Privacy Act?

Biometric data privacy laws continue to grow at both the state and local level...

Biometric data privacy laws continue to grow at both the state and local level. New York City landlords are the latest to be impacted. Under the New York City Tenant Data Privacy Act (TDPA), owners of multi-family dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers, and electronic technologies, must provide tenants with a data retention and privacy policy.

Key Provisions of the New York City Tenant Data Privacy Act

The TDPA will impact all owners/landlords of Class A multiple dwellings that use smart access systems. Under the TDPA, a “smart access” building is defined as one that uses keyless entry systems, including electronic or computerized technology, RFID cards, mobile apps, biometric information or other digital technology to grant access to the building, common areas, or individual dwelling units.

Restrictions on Data Collection and Use

The TDPA establishes restrictions on the collection and use of data collected from smart access systems. An owner of a smart access building or third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system. After obtaining consent, owners may collect only the minimum amount of authentication data and reference data necessary to enable the use of the smart access system, and may not collect additional biometric identifier information from any users.

The term “authentication data” means the data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through the building’s smart access system. It does not include data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry. Meanwhile, “reference data” is defined as the information against which authentication data is verified at the point of authentication by a smart access system in order to grant a user entry to a smart access building, dwelling unit of such building or a common area of such building.

The TDPA further provides that smart access system may only collect, generate or utilize the following information:

• The user’s name;
• The dwelling unit number and other doors or common areas to which the user has access using the smart access system;
• The user’s preferred method of contact;
• The user’s biometric identifier information;
• The identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
• Passwords, passcodes, usernames, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit, or common area through the smart access system, or to access any online tools used to manage user accounts related to such building;
• Lease information, including move-in and, if available, move-out dates; and
• The time and method of access, solely for security purposes.

The TDPA also requires that any data collected be removed, anonymized, or destroyed within a given time, generally no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

The TDPA also provides that any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility must be limited to the tenant’s total monthly usage, unless otherwise required by law. The new law also makes it unlawful for an owner of a multiple dwelling to collect any information about a tenant’s use of internet service. When internet service is provided directly from an owner to tenants, the landlord may collect such information if it is aggregated and anonymized, or necessary for billing purposes.

The TDPA restricts the sharing of any data collected with third parties. It also makes it unlawful for an owner of a smart access building to: track the location of any user of a smart access system outside of the building; use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests; utilize data collected through a smart access system for any purpose other than to grant access to and monitor entrances and exits to the smart access building, common areas, and dwelling units; use a smart access system to limit the time of entry into the building by any user except as requested by a tenant; require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and use any information collected through a smart access system to harass or evict a tenant.

Privacy Policy Requirements

The owner of a smart access building must provide tenants with privacy policy, written in plain language, that describes, at a minimum, the following information:

• The data elements to be collected by the smart access system;
• The names of any entities or third parties the owner will share such data elements with, and the privacy policies of any such entities or third parties;
• The protocols and safeguards the owner will provide for protecting such data elements;
• The retention schedule of such data;
• The protocols the owner will follow to address any suspected or actual unauthorized access to or disclosure of such data elements, including notification of users;
• Guidelines for permanently destroying or anonymizing such data or removing such data from the smart access system; and
• The process used to add and remove persons who have provided written consent on a temporary basis to the smart access system.

Mandatory Security Safeguards

A smart access system must implement stringent security measures and safeguards to protect the security and data of tenants, guests and other individuals in smart access buildings. Under the TDPA, these security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

Enforcement

The Tenant Data Privacy Act establishes a private right of action for the unlawful sale of data collected through a smart access system covered by the law. Tenants are entitled to seek compensatory damages or statutory damages ranging from $200 to $1,000, as well as attorney’s fees.

The TDPA takes effect 60 days after it was signed into law on July 29, 2021. However, owners are not liable for a violation of the law until January 1, 2023.

Key Takeaway

The TDPA is the country’s first standalone law to regulate the collection and retention of data from tenants living in “smart access” buildings. It also adds to the growing patchwork of biometric privacy regulations with which businesses must contend.

Although owners of smart access buildings in New York City have until 2023 to come into full compliance with the law, it is always advisable to be proactive. We also encourage landlords outside of New York City to monitor legal developments in this rapidly evolving area of law as it is very likely that similar laws will be enacted elsewhere.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.