June 17, 2021

Volume XI, Number 168

Advertisement

June 16, 2021

Subscribe to Latest Legal News and Analysis

June 15, 2021

Subscribe to Latest Legal News and Analysis

June 14, 2021

Subscribe to Latest Legal News and Analysis

New York City Council Passes Tenant Data Privacy Act

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

As defined in the TDPA, a “smart access” building is one that uses keyless entry systems, including electronic or computerized technology (e.g., a key fob), RFID cards, mobile apps, biometric information or other digital technology to grant access to the building, common areas or individual dwelling units. To comply with the TDPA, owners of smart access buildings would be required to maintain policies and procedures that address the following requirements:

  • Individual consent. Building owners would be required to obtain tenants’ express consent “in writing or through a mobile [app]” before collecting certain data from tenants.

  • Privacy policy. Building owners would need to provide a “plain language” privacy policy to tenants that discloses (1) the data elements the smart access system collects; (2) the third parties the data is shared with; (3) how the data is safeguarded; and (4) how long the data will be retained.

  • Security safeguards. Building owners would be required to implement security measures to protect tenants’ data and the data of any other users of the smart access system (e.g., building guests). These security measures include encryption, a password reset capability (if a password is used by the system) and regular updates to firmware to address security vulnerabilities.

  • Data destruction. Building owners would be required to destroy certain data, such as “authentication data,” no later than 90 days after collection. “Authentication data” is data collected from the individual at the point of authentication but that is not used to grant entry.

The TDPA also would impose limits on the categories of tenant data that building owners can collect, generate or use through smart access systems. Permitted categories include: an individual’s name and preferred method of contact; lease information; dwelling unit number and what, if any, other doors or common areas the individual has access to; ID card number or any identifier associated with physical hardware used for access; reference data (e.g., usernames, passwords and contact information) used to grant the individual access; biometric identifier information, if used by the smart access system; and time and method of access. Building owners would be prohibited from selling, leasing or otherwise disclosing tenant data to third parties, subject to certain exceptions such as contracting with a third-party vendor to operate a smart access system.

The TDPA also would create a private right of action for tenants whose data is unlawfully sold. Tenants exercising the private right of action could seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorney’s fees.

Unless vetoed by the mayor, the TDPA will take effect at the end of June 2021, with a grace period until January 1, 2023 for building owners to come into compliance.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 133
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement