Privacy & Information Security Law Blog

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

As defined in the TDPA, a “smart access” building is one that uses keyless entry systems, including electronic or computerized technology (e.g., a key fob), RFID cards, mobile apps, biometric information or other digital technology to grant access to the building, common areas or individual dwelling units. To comply with the TDPA, owners of smart access buildings would be required to maintain policies and procedures that address the following requirements:

• Individual consent. Building owners would be required to obtain tenants’ express consent “in writing or through a mobile [app]” before collecting certain data from tenants.
• Privacy policy. Building owners would need to provide a “plain language” privacy policy to tenants that discloses (1) the data elements the smart access system collects; (2) the third parties the data is shared with; (3) how the data is safeguarded; and (4) how long the data will be retained.
• Security safeguards. Building owners would be required to implement security measures to protect tenants’ data and the data of any other users of the smart access system (e.g., building guests). These security measures include encryption, a password reset capability (if a password is used by the system) and regular updates to firmware to address security vulnerabilities.
• Data destruction. Building owners would be required to destroy certain data, such as “authentication data,” no later than 90 days after collection. “Authentication data” is data collected from the individual at the point of authentication but that is not used to grant entry.

The TDPA also would impose limits on the categories of tenant data that building owners can collect, generate or use through smart access systems. Permitted categories include: an individual’s name and preferred method of contact; lease information; dwelling unit number and what, if any, other doors or common areas the individual has access to; ID card number or any identifier associated with physical hardware used for access; reference data (e.g., usernames, passwords and contact information) used to grant the individual access; biometric identifier information, if used by the smart access system; and time and method of access. Building owners would be prohibited from selling, leasing or otherwise disclosing tenant data to third parties, subject to certain exceptions such as contracting with a third-party vendor to operate a smart access system.

The TDPA also would create a private right of action for tenants whose data is unlawfully sold. Tenants exercising the private right of action could seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorney’s fees.

Unless vetoed by the mayor, the TDPA will take effect at the end of June 2021, with a grace period until January 1, 2023 for building owners to come into compliance.