As we noted in our last post, there has been a flurry of data privacy and security activity in New York, with the State appearing poised to join California as a leader in this space.  Most recently, on April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data.

Under the TDPA, a “smart access” building is one that uses electronic or computerized technology (e.g., a key fob), radio frequency identification cards, mobile phone applications, biometric information (e.g., fingerprints, voiceprints, hand or face geometry), or other digital technology to grant entry to the building, or to common areas or individual dwelling units therein.  The TDPA would require owners of smart access buildings to develop and maintain policies and procedures to address the following requirements:

1. Express Consent. Before collecting “reference data” from a tenant for use in connection with the building’s smart access system, the building owner would be required to obtain the tenant’s express consent “in writing or through a mobile application.”  “Reference data” is the data used by the system to verify that the individual seeking access is authorized to enter.  Even after obtaining consent, the owner would only be permitted to collect the minimum amount of data necessary to enable the smart access system to function effectively.

2. Privacy Policy. Building owners would also need to provide a “plain language” privacy policy to its tenants that includes certain disclosures, including disclosure of the data elements that the system collects, the third parties that data is shared with, how the data is protected, and how long it will be retained.

3. Stringent Security Safeguards. Additionally, the TDPA would require building owners to implement robust security measures and safeguards to protect the data of its tenants, guests, and other users of the smart access system.  At a minimum, these security measures would need to include data encryption, a password reset capability (if the system uses a password), and regularly updated firmware to address security vulnerabilities.

4. Data Destruction. With limited exceptions, building owners would need to destroy any “authentication data” collected through their smart access systems no later than 90 days after collection.  “Authentication data” is the data collected from the user at the point of authentication, excluding any data generated through or collected by a video or camera system used to monitor entrances, but not to grant entry.

The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems.  Specifically, they would only be permitted to collect:

• the user’s name;

• the dwelling unit number and that of other doors or common areas to which the user has access;

• the user’s preferred method of contact;

• the user’s biometric identifier information (if the smart access system utilizes such information);

• the identification card number or any identifier associated with the physical hardware used to facilitate building entry (e.g., Bluetooth);

• passwords, passcodes, usernames and contact information used singly or in conjunction with other reference data to grant the user access;

• lease information, including move-in and, if available, move-out dates; and

• the time and method of access (but solely for security purposes).

Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties.  Building owners that wish to engage third-party vendors to operate or facilitate use of their smart access systems would be required to first (a) provide to users the name of the vendor, the intended use of user data by the vendor, and a copy of the vendor’s privacy, and (b) obtain the users’ express written authorization to disclose the users’ data to the vendor.

Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.  Such tenants would be empowered to seek either compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, along with attorneys’ fees.

Unless vetoed by the City’s Mayor, the TDPA will take effect at the end of June 2021, though building owners will be granted a grace period until January 1, 2023, to develop their compliance programs and replace or upgrade their smart access systems.  Building owners should use that time wisely, as the TDPA’s requirements will, in many instances, be a heavy lift.