ARTICLE
8 June 2021

The New Tenant Data Privacy Act

AO
A&O Shearman

Contributor

A&O Shearman was formed in 2024 via the merger of two historic firms, Allen & Overy and Shearman & Sterling. With nearly 4,000 lawyers globally, we are equally fluent in English law, U.S. law and the laws of the world’s most dynamic markets. This combination creates a new kind of law firm, one built to achieve unparalleled outcomes for our clients on their most complex, multijurisdictional matters – everywhere in the world. A firm that advises at the forefront of the forces changing the current of global business and that is unrivalled in its global strength. Our clients benefit from the collective experience of teams who work with many of the world’s most influential companies and institutions, and have a history of precedent-setting innovations. Together our lawyers advise more than a third of NYSE-listed businesses, a fifth of the NASDAQ and a notable proportion of the London Stock Exchange, the Euronext, Euronext Paris and the Tokyo and Hong Kong Stock Exchanges.
Owners of New York City apartment buildings should take notice of the new Tenant Data Privacy Act (the TDPA). The TDPA will regulate the collection, use, safeguarding...
United States New York Real Estate and Construction

Owners of New York City apartment buildings should take notice of the new Tenant Data Privacy Act (the TDPA). The TDPA will regulate the collection, use, safeguarding, and retention of tenant data by owners of "smart access" residential buildings. The new law was enacted on May 30, 2021, and will become effective at the end of June 2021. Owners of New York City residential buildings will have until January 1, 2023, to come into compliance.

New Policies Under the TDPA

The TDPA defines smart access buildings as any multiple dwelling that uses an electronic keyless entry system (e.g. a key fob), radio frequency identification cards, mobile apps, biometric information or other digital technology to access a multiple dwelling, common areas or individual units. A multiple dwelling is a residential building with at least three units.

Under the TDPA, landlords of smart access buildings will be required to do the following:

  • Obtain express consent from tenants, either in writing or through a mobile application, before collecting reference data. Smart access systems use reference data to verify that an individual is authorized to enter.
  • Provide a "plain language" privacy policy to tenants which will disclose (i) what data the smart access system will collect, (ii) which third parties the data will be shared with, (iii) how the data will be safeguarded, and (iv) the period of time the data will be retained.
  • Implement security measures to protect tenants' data, such as encryption, password reset capability and regular updates to firmware that address security vulnerabilities.
  • Destroy authentication data no later than 90 days after collection. Authentication data is generated at the point of authentication when granting a user entry to a smart access building.
  • Limit the categories of collected data to (i) name, (ii) preferred method of contact, (iii) lease information, (iv) unit number, (v) biometric identifier information, (vi) time and method of access (only for security purposes), (vii) password and username used to grant entry and (viii) identifying information associated with the smart access hardware.

Prohibited Practices Under the TDPA

Landlords and any other entities that collect data through smart access systems will be prohibited from selling or disclosing tenant data to third parties, engaging in location tracking outside the premises, and determining the frequency of tenant and guest ingress/egress. Landlords will also be prohibited from collecting information about tenants' use of internet services and utilities.

Enforcement

The TDPA creates a private right of action for tenants whose data is sold and used in violation of the TDPA. Such tenants may seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorneys' fees. Whether the law grants such rights to tenants of a cooperative remains an open question. In addition to the private right of action granted to tenants, landlords and system providers will be required to delete any data collected in violation of the TDPA.

The Law https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4196254&GUID=29A4B0E2-4C1F-472B-AE88-AE10B5313AC1&Options=ID%7cText%7c&Search=

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More