Owners of New York City apartment buildings should take notice of the new Tenant Data Privacy Act (the TDPA). The TDPA will regulate the collection, use, safeguarding, and retention of tenant data by owners of “smart access” residential buildings. The new law was enacted on May 30, 2021, and will become effective at the end of June 2021. Owners of New York City residential buildings will have until January 1, 2023, to come into compliance.

New Policies Under the TDPA

The TDPA defines smart access buildings as any multiple dwelling that uses an electronic keyless entry system (e.g. a key fob), radio frequency identification cards, mobile apps, biometric information or other digital technology to access a multiple dwelling, common areas or individual units. A multiple dwelling is a residential building with at least three units.

Under the TDPA, landlords of smart access buildings will be required to do the following:

  • Obtain express consent from tenants, either in writing or through a mobile application, before collecting reference data. Smart access systems use reference data to verify that an individual is authorized to enter.
  • Provide a “plain language” privacy policy to tenants which will disclose (i) what data the smart access system will collect, (ii) which third parties the data will be shared with, (iii) how the data will be safeguarded, and (iv) the period of time the data will be retained.
  • Implement security measures to protect tenants’ data, such as encryption, password reset capability and regular updates to firmware that address security vulnerabilities.
  • Destroy authentication data no later than 90 days after collection. Authentication data is generated at the point of authentication when granting a user entry to a smart access building.
  • Limit the categories of collected data to (i) name, (ii) preferred method of contact, (iii) lease information, (iv) unit number, (v) biometric identifier information, (vi) time and method of access (only for security purposes), (vii) password and username used to grant entry and (viii) identifying information associated with the smart access hardware.

Prohibited Practices Under the TDPA

Landlords and any other entities that collect data through smart access systems will be prohibited from selling or disclosing tenant data to third parties, engaging in location tracking outside the premises, and determining the frequency of tenant and guest ingress/egress. Landlords will also be prohibited from collecting information about tenants’ use of internet services and utilities.


The TDPA creates a private right of action for tenants whose data is sold and used in violation of the TDPA. Such tenants may seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorneys’ fees. Whether the law grants such rights to tenants of a cooperative remains an open question. In addition to the private right of action granted to tenants, landlords and system providers will be required to delete any data collected in violation of the TDPA.