1. Introduction

New York City enacted a new law regarding tenants' personal data privacy, on May 28, 2021. The Tenant Data Privacy Act (herein "TDPA") which has been in effect since June 1, 2021. regulates and determines the circumstances how and in which conditions personal data can be processed, which measures must be taken, under which circumstances personal data can be disclosed, and so on. In this study, TDPA will be examined briefly.

2. Class A Multiple Dwelling and Smart Access System

TDPA imposes obligations on the condition that multiple dwellings which use smart access system. Smart access system means "any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or any other digital technology in order to grant entry to a class A multiple dwelling1, common areas in such multiple dwelling or to an individual dwelling unit in such multiple dwelling". As can be understood, these dwellings use a keyless entry system and accordingly process personal data. TDPA aims to prevent possible ill-usage of tenant's personal data. For this reason, TDPA uses the term tenant or user instead of data subject, and the owner or third party instead of data controller.

3. Reference Data and Authentication Data

TDPA also brings new data terms. Regarding the way of processing in the smart access systems, TDPA explains "authentication data" and "reference data". "Authentication data", according to TDPA, is "the data generated or collected at the point of authentication in connection with granting a user entry to the building" and the other areas, and "reference data" means the data that verifies authentication data at the point of authentication to grant a user entry. These terms are not specific categories of personal data, instead, they are related to the way smart access system works.

4. Personal Data Categories

According to TDPA, owners or third parties may not collect personal data from any user without the consent of the user2. Moreover, owners and third parties may only collect minimum data concerning the purpose. For smart access system, personal data categories may be processed are also limited. In this respect, smart access system may collect user's name, parts of dwelling where the user has access to entry, the contact method of the user, biometric identifier information in the case that smart access system utilizes, identifier, information used singly or in conjunction with other reference data, lease information, time and method of access provided that it is used for only security purposes.

5. Retention Period

As might be expected, TDPA also puts a time limit in terms of data processing. Reference data must be removed or anonymized3 no longer than 90 days after the tenant has permanently vacated the building; for any user, no longer than 90 days, after access has expired or consent has been withdrawn. Even though there are different circumstances in terms of removal time, TDPA adopts 90 days maximum time frame to remove or anonymize reference data. Likewise, authentication data also must be removed or anonymized no later than 90 days after data has been collected. For reference data that is collected only for the operation of the smart access system, TDPA does not use the terms removal or anonymization, in that case, reference data must be destroyed no later than 90 days after permanent vacating or withdrawal.

6. Exceptions

Although the owner or a third party has an obligation to remove, anonymize or destroy, in some instances TDPA adopts exceptions. Data which is;

  1. necessary to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity,
  2. necessary to fix and identify errors that impair existing functionality,
  3. protected speech under the constitution,
  4. necessary to comply with other obligations, is not required to be destroyed.

7. Prohibitions

TDPA also expresses unlawful and prohibited cases for owners and third parties who collect data. To give few examples from prohibitions, according to section 26-3003;

  1. to sell, lease, disclose personal data to another person4,
  2. to use any information collected through a smart access system to harass or evict a tenant to use smart access system to collect the reference data of minor5 without consent of minor's parents or legal guardian, are prohibited,
  3. to use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests,
  4. to require a tenant to use a smart access system to gain entry, are prohibited.

8. Biometric Identifier

TDPA allows a smart access system to use biometric identifiers. In section 26-3001, Biometric identifier is defined: "The term "biometric identifier information" means a physiological, biological or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic". In the case that the smart access system utilizes a biometric identifier for authentication, according to section 26-3002, the smart access system may collect biometric data to verify user's entry. Even though in several countries, processing biometric data for entry to buildings is regarded as non-proportionate to purpose, TDPA allows owners and third parties to process sensitive personal data only for entry to the building.

9. Privacy Policy

In section 26-3004, TDPA details privacy policy and requires the owner to provide a privacy policy for its tenants. The privacy policy must be in plain language, contain data elements that are processed by smart access system, name of third parties or to whom owner shares such data, protocols and safeguard, guidelines for erasure, retention schedule of data, the protocols for unauthorized access or disclosure of personal data, the process used to add and remove people who has provided consent on a temporary basis. Plus, the owner must make available any written privacy policy of the entity that developed the smart access system.

10. Conclusion

TDPA is one of the important steps for data privacy law in the USA. Privacy acts are generally embraced as part of consumer rights in the USA. The most outstanding example of these laws is, as might be expected, California Consumer Privacy Act ("CCPA"). Another example is Virginia Consumer Data Protection Act ("VCDPA") which was signed by the Governor on 2nd March 2021 and will be in effect in 2023. However, TDPA regulates a more confined space. It aims at the relation between tenants and owners.

Owners of Class A multiple dwellings that use smart access system in New York have new obligations under the TDPA. Owners may not collect every type of personal data, and they are not allowed to retain personal data without limitation. Moreover, they may not process personal data in the way TDPA prohibits. Otherwise, TDPA bestows legal remedies to users and does not limit users to abrogate any claim under common law and other law or rule.


1. Multiple dwelling that is occupied for permanent residence purposes.

2. Consent can be in writing or through the mobile application.

3. Anonymization may not be used in any case, TDPA allows anonymization of reference data only when removal of reference data would render smart access system inoperable.

4. Disclosing of personal data can be lawful in some cases, for instance, it is lawful to disclose personal data in the case that it is required by law.

5. The term minor basically refers to a person under the age of 18.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.