New York City Council passes tenant privacy law

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which regulates the collection, use, security and storage of tenant data by owners of buildings with “smart access”. The TDPA was sent to the New York Mayor’s desk for signature.

As defined in the TDPA, a “smart access” building uses keyless entry systems, including electronic or computerized technology (e.g., a key fob), RFID cards, mobile apps, biometric information or other digital technology, to provide access to the building, common rooms or individual residential units. To comply with the TDPA, owners of buildings with smart access would need to adhere to policies and procedures that meet the following requirements:

  • Individual approval. Building owners would have to obtain the express consent of tenants “in writing or via a mobile phone [app]” before certain data is collected from tenants.
  • Privacy Policy. Building owners would need to provide tenants with a “plain language” privacy policy that (1) discloses the data elements that the smart access system collects; (2) the third parties with whom the data is shared; (3) how the data is protected; and (4) how long the data will be retained.
  • Safety precautions. Building owners would have to take security measures to protect the data of tenants and of other users of the smart access system (e.g., building guests). These security measures include encryption, a password reset feature (if the system uses a password), and regular firmware updates to close security loopholes.
  • Data destruction. Building owners would need to destroy certain data, such as “authentication data”, no later than 90 days after collection. “Authentication data” is data that was collected from the individual at the time of authentication, but that is not used to grant access.

The TDPA would also restrict the categories of tenant data that building owners can collect, generate, or use through smart access systems. Allowed categories are: the name of a person and their preferred method of contact; leasing information; the number of the dwelling unit and, if applicable, other doors or common areas to which the person has access; the ID card number or an identifier associated with the physical hardware used for access; reference data (e.g., usernames, passwords and contact information) used to grant individual access; biometric identification information, if used by the smart access system; and the time and type of access. Building owners are prohibited from selling, leasing or otherwise disclosing tenant data to third parties, subject to certain exceptions, e.g., a contract with a third-party provider for the operation of a smart access system.

The TDPA would also create a private right of action for tenants whose data is illegally sold. Tenants exercising their private right to sue may claim damages or statutory damages from $200 to $1,000 per tenant, plus legal fees.

If the mayor does not veto, the TDPA will come into force at the end of June 2021 with a grace period until January 1, 2023, so that the building owners can comply with the regulations.
