Data Privacy Bill Targets Buildings with Keyless Entry Systems

On April 29, the New York City Council passed the Tenant Data Privacy Act (TDPA) that would require owners of "smart access" buildings that use keyless entry systems to provide tenants with a data retention and privacy policy. Under the TDPA, a smart access building is one that uses electronic or computerized technology such as a key fob, radio frequency identification cards, mobile phone applications, biometric information such as fingerprints, voiceprints, hand, or face geometry; or other digital technology to grant entry to the building, or to common areas or individual dwelling units. 

The bill is currently awaiting the mayor's signature. If enacted, the TDPA will take effect at the end of June, though owners will be granted a grace period until Jan. 1, 2023, to develop their compliance programs and to allow for time to upgrade or update the existing system to make it compliant with the law.

Data Collection Policies & Procedures

The TDPA would require owners of smart access buildings to develop and maintain policies and procedures to address the following requirements:

Express consent. The act would require owners to obtain consent “in writing or through a mobile application” to collect reference data through the smart access system. Reference data is the data used by the system to verify that the individual seeking access is authorized to enter. Even after obtaining consent, the owner would be permitted to collect only the minimum amount of data necessary to enable the smart access system to function effectively.

Privacy policy. Building owners would also need to provide a “plain language” privacy policy to their tenants that describes the information the smart access system collects about tenants, how long the landlord retains the data, how the data is destroyed, and how tenants can allow guests to access the building through the access system.

Security safeguards. Additionally, the TDPA would require building owners to implement strong security measures and safeguards to protect the data of its tenants, guests, and other users of the smart access system. At a minimum, these security measures would need to include data encryption, a password reset capability if the system uses a password, and regularly updated firmware to address security vulnerabilities.

Data destruction. With limited exceptions, owners would need to destroy any “authentication data” collected through their smart access systems no later than 90 days after collection. Authentication data is the data collected from the user at the point of authentication, excluding any data generated through or collected by a video or camera system used to monitor entrances, but not to grant entry.

Permissible Categories of Data Collection

The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems. Specifically, they would be permitted to collect only:

• User's name;
• Dwelling unit number and that of other doors or common areas to which the user has access;
• User’s preferred method of contact;
• User’s biometric identifier information if the smart access system utilizes such information;
• Identification card number or any identifier associated with the physical hardware used to facilitate building entry;
• Passwords, passcodes, usernames, and contact information used singly or in conjunction with other reference data to grant the user access;
• Lease information, including move-in and, if available, move-out dates; and
• Time and method of access but solely for security purposes.

Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties. Building owners that wish to engage third-party vendors to operate or facilitate use of their smart access systems would be required to first: (a) provide to users the name of the vendor, the intended use of user data by the vendor, and a copy of the vendor’s privacy policy; and (b) obtain the users’ express written authorization to disclose the users’ data to the vendor.

Tenants Could Sue If Their Data Is Sold

The TDPA would also create a private right of action for tenants whose data is unlawfully sold. Such tenants would be empowered to seek either compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, along with attorneys’ fees.

City Council Passes Bills to Expand Tenants Right to Counsel

In addition to the privacy bill, the City Council recently passed two bills focused on expanding the right to counsel in housing court for tenants citywide and an outreach program to notify tenants of their rights.

Outreach campaign. Int. 1529-A establishes an outreach campaign to notify tenants about their housing court rights. The bill requires a coordinator from the Office of Civil Justice to collaborate with community groups in engaging and educating tenants of their rights in housing court, and then report on their efforts.

The coordinator's initiatives include but are not limited to hosting “know your rights” training sessions and other workshops for tenants, distributing written information to tenants, helping tenants form and maintain tenant associations, referring tenants to designated community groups, and any other activity to engage, educate, or inform tenants about their rights in housing court. For such efforts, the bill says the coordinator must prioritize rent-stabilized tenants, senior citizens, and tenants most at risk of entry into the shelter system. This bill would go into effect 180 days after it becomes law.

Expanding existing right to counsel. Int. 2050-A expands the existing right to counsel for low-income tenants in housing court. In 2017, Local Law 136, the Universal Access to Legal Services, or “Right to Counsel” law, was enacted. The law required the Office of Civil Justice to provide free legal representation to low-income tenants making no more than 200 percent of the federal poverty level in eviction proceedings in housing court or tenancy termination from NYCHA. When the law was enacted, it was only in a limited number of ZIP codes, which eventually expanded to 25 ZIP codes across the city. Int. 2050-A expands the right to counsel to all ZIP codes citywide and takes effect immediately.