In the continuing effort by New York City to protect the privacy of New Yorkers,1 on April 29, 2021, the New York City Council passed Proposed Int. No. 1760-A, a new bill that will take effect this summer unless vetoed by the City’s Mayor.  Assuming it passes into law, the “Tenant Data Privacy Act” (the “TDPA”) will provide strict limitations on landlords’ collection and use of certain data they gather from tenants who use keyless entry systems to gain access to their buildings.  As such systems are widespread in New York City, real estate companies and owners and their vendors should begin the process now of confirming which systems are covered by the TDPA and taking the steps needed to comply with the TDPA’s expansive data use restrictions and requirements.

The new restrictions apply to all “owners” of “smart access buildings” in New York City and to third parties involved with the installation, operation or support of the “smart access systems.”  “Owners” include persons or entities “directly or indirectly in control of a [Class A multiple dwelling]2.” “Smart access systems” under the TDPA are any systems, including RFID cards, biometric identifier information, mobile phone applications “or any other digital technology [used] to grant entry to a class A multiple dwelling, common areas in such multiple dwelling or to an individual dwelling unit in such multiple dwelling.”  This definition consequently appears to cover most types of residential buildings in New York City.  Building owners and their vendors should review their current buildings and access systems to determine if they are covered by the scope of the TDPA.

The TDPA prohibits the collection or use of any “reference data” without first securing their tenants’ express consent “in writing or through a mobile application” to the use of the smart access system.  “Reference data” is the information used to verify that the tenant entering the building or space is that individual.  Even with such consent, landlords may only collect the minimal amount of data necessary for the tenant to use the smart access system, and only the categories of information specifically allowed by the TDPA.  Landlords will need to ensure that their collection practices comply with what the TDPA will allow.

Owners and authorized third parties must also detail their data collection and use via “plain language” policies describing specified elements of the owners’ smart access systems, including their data retention procedures, and provide these privacy policies to tenants along with the privacy policies of the designers, developers and operators of such smart access systems.  Landlords and their vendors need to review their data collection and use practices to develop appropriate privacy policies and ensure their data collection and use practices are allowed under the TDPA.

The TDPA also requires landlords to use specified data security measures, including data encryption, and to follow strict guidelines for data removal, deletion and/or anonymization.

The TDPA also restricts what uses an owner may make of reference data.  Under the TDPA, it is unlawful for any landlord to use data collected through a smart access system for any reason other than: (1) to grant access to and monitor entrances and exits of the smart access building, including common areas such as laundry rooms, mail rooms, and the like, and (2) to grant access to dwelling units in the building. The relevant restrictions also provide for a number of other prohibitions concerning specific activities. Some of the most important prohibitions include selling, leasing or otherwise disclosing collected data to any other entity except for a third party that operates or facilitates the operation of the building’s smart access system; tracking the location of any user outside of the smart access building; tracking the relationship status of tenants and their guests; and collecting certain information for the purpose of harassing or evicting a tenant.

Notably, the TDPA creates a private right of action for a violation of the sale restrictions, permitting individuals or groups of tenants to file litigation claims against landlords for relevant violations.  Courts hearing such claims may award either compensatory damages plus punitive damages in the court’s discretion, or, at the election of the party bringing the claim, statutory damages ranging from $200 to $1000 per claimant plus punitive damages.  Regardless of the type of damages a claimant pursues, the TDPA also provides for recovery of attorneys’ fees.  Landlords should take all this into account when deciding whether to establish smart access systems and choosing its vendors.

As of the writing of this article, the TDPA has not yet been signed into law by New York City’s Mayor, but will become law unless vetoed, and will take effect sixty (60) days thereafter.  Owners have “until January 1, 2023 … to replace or upgrade such building’s smart access system to comply with the provisions of this local law.”

Owners should take steps to comply with the TDPA sooner rather than later due to the volume of new requirements the TDPA places on smart access systems.  In particular, security measures will need to be reviewed in light of the specific requirements in the TDPA.  This review should also include a review of any vendors assisting in the implementation of the smart access systems, as the TDPA’s requirements, including the security requirements, apply equally to vendors.  Owners’ contracts with their vendors may also need to be amended or updated to account for the TDPA requirements, and to address issues of liability for failing to comply with the TDPA’s requirements.  Owners should also implement, if not already in place, a standardized due diligence review of all vendors going forward, to ensure that new vendors are properly vetted regarding the TDPA’s requirements including the security requirements.

In order to understand how data is collected and used, Owners should review and map the internal and external transmission and use of tenant data within the organization and its vendors.  For companies that have not undergone this exercise before, this review frequently identifies areas of concern, and allows the development of or update to a privacy policy that accurately describes what truly is being done with tenants’ data.  But every client and business must contend with different technical and business issues. As a result, there is rarely any simple “short cut” to compliance with a detailed law like the TDPA.  Moses and Singer’s data privacy and cybersecurity attorneys, and their real estate colleagues, regularly advise on the scope and implementation of data protection, privacy and related laws, and can assist in navigating compliance obligations and avoiding complications from the significant obligations in this new legislation.