New data privacy and security concerns arise as multi-unit residential buildings implement new technologies to manage access, strengthen security, regulate compliance with internal policies and legal requirements, and improve the resident experience, and New York City and other jurisdictions are attempting to address them.

Examples of data privacy and security risks in this area abound. For instance, many newer (or newly updated) residential buildings utilize “smart access” systems to identify and grant access to residents and guests based on their biometric identifiers (e.g., fingerprints or facial geometry) or their possession of a key card or fob. Although these systems are convenient for residents and building management, condominium and cooperative boards, property owners, and property management companies must be mindful of the data privacy and security-related concerns that may arise in the jurisdictions in which the properties are located.

New York City has passed the Tenant Data Privacy Act, imposing rigorous data privacy and security obligations on the owners of “smart access” buildings. Additionally, a growing number of jurisdictions have laws on their books regulating the collection and use of biometric information. For instance, Portland (Oregon) and Baltimore County have passed laws banning the use of facial recognition technology. Further, a number of states, including California, Illinois, New York, Texas, and Washington, regulate the collection and use of biometric information more broadly. Biometric information also qualifies as personally identifiable information under the data breach notification and reasonable safeguard laws in many states.

Condominium and cooperative boards, property owners, property management companies, and others should regularly consider the potential data privacy and security risks when installing and authorizing residents to use new technologies that collect and utilize resident data.

Key considerations:

1. What data is being collected?

2. Is notice and/or consent required in connection with such collection?

3. Is the data being stored and, if so, for how long, for what purpose, and have appropriate data security safeguards been implemented?

4. Have internal policies been implemented, and training provided, to ensure proper management of the data?

5. Is the data shared with third parties and, if so, are appropriate contractual protections in place?

As organizations like condominium and cooperative boards, property owners, and property management companies collect more and more data from their residents, it is critical to take proactive steps to assess their compliance with applicable data privacy and security laws.