NYC Enacts Law Protecting Tenant Data Privacy | Practical Law

The New York City Council passed the Tenant Data Privacy Act (TDPA), which requires multi-family landlords to protect the information they obtain from tenants who use smart access (keyless entry) systems to enter their apartments or building common areas. The TDPA will limit how landlords can collect, use, retain, and disclose tenant data obtained from smart access systems. Landlords must obtain tenant consent to use smart technology for access and provide tenants with a written privacy policy.

Practical Law Legal Update w-031-2359 (Approx. 5 pages)

by Practical Law Real Estate
Published on 03 Jun 2021
New York, USA (National/Federal)
On May 30, 2021, the New York City Council enacted the Tenant Data Privacy Act (TDPA) without the signature of Mayor Bill de Blasio. The TDPA requires the owners of Class A multifamily dwellings with smart access systems to protect the personal information of occupants by providing tenants with a privacy policy, limiting the right to collect and retain data from smart access systems and from tenants' usage of utilities and internet services, and creating a private right of action for violations. The TDPA becomes effective 60 days after becoming law (July 29, 2021), except that owners of an existing smart access building are not liable for violations until January 1, 2023.

Key Elements of the TDPA

Scope

The TDPA applies to all existing and new NYC Class A multiple dwellings with smart access systems. "Smart access" is any kind of keyless entry for the dwelling unit or common areas (such as lobbies, mail or laundry rooms, gyms) using:
  • Digital, electronic, or computerized technology, like a key fob.
  • Radio frequency identification (RFID) cards.
  • Mobile phone applications.
  • Biometric identifier information, like a fingerprint or retinal scan.
Protected information under the TDPA includes:
  • Authentication data used at the point of entry to grant a user (including authorized guests of the tenant) access to the dwelling unit or common areas. Security camera footage is not included unless it is used to grant entry.
  • Reference data, which is used to verify the user's authentication data for access purposes.
  • Tenant utilities records.
  • Tenant's use of internet service.

Privacy Policies and Consent

A landlord or third-party smart access system operator may collect only the minimum amount of authentication and reference data necessary to operate the system as outlined in the TDPA. A landlord may not collect any user reference data without the user's express consent, in writing or by mobile application. To provide informed consent, the landlord must supply tenants with a written privacy policy in "plain language" that contains the minimum information required by law. The landlord must also supply the privacy policies of the smart access system developer and current operator.

Protecting Data

Under the TDPA, landlords must implement stringent security measures and safeguards to protect the security and data of tenants and other occupants in smart access buildings. These protections include:
  • Data encryption.
  • The user's ability to change a password for password-protected systems.
  • Regularly updated firmware to enable system fixes.

Using Collected Data

Smart access data can only be used to grant and monitor access and may not be used to:
  • Track a user's:
    • location outside the building;
    • frequency and time of system use; or
    • relationship status.
  • Collect information about a minor without the express consent of a parent or guardian.
  • Harass or evict a tenant.
The landlord or any third party may not sell, lease, or disclose the collected data except in narrow circumstances, such as complying with a subpoena or cooperating with an ongoing law enforcement investigation.

Retaining and Destroying Data

In most circumstances, the TDPA requires a landlord to destroy or anonymize:
  • Authentication data within 90 days of being generated or collected.
  • Reference data within 90 days after the tenant permanently vacates or withdraws consent for the data's collection.

Private Right of Action

If any information is sold in violation of the TDPA, a lawful occupant of a dwelling unit or an occupant group as a class may seek compensatory and punitive damages, or statutory damages ranging from $200 to $100 per occupant, plus attorneys' fees and costs. This remedy is in addition to any common law remedy or code violation penalties but does not excuse the tenant from paying rent or any other charges due to the landlord.

Practical Implications

Although landlords have an 18-month grace period before enforcement begins, they should begin working with counsel and smart access vendors to understand and implement the new requirements.
The TDPA furthers a national trend in personal data privacy legislation. Landlords and multifamily apartment owners in other jurisdictions, especially those with a high rental population, should consider:
  • Developing privacy policies for tenants.
  • Securing consent from tenants to use keyless entry systems.
  • Proactively protecting tenant personal information.