New York City tenants harboring “big brother” concerns over landlords abusing data collected through smart access (i.e., keyless entry) systems will soon be able to rest easier. Following California, Virginia, and the British Virgin Islands, the New York City Council recently became the latest legislative body to pass privacy legislation with the Tenant Data Privacy Act (“TDPA” or the “Act”). New York City Mayor Bill de Blasio will need to sign the measure for it to become law (currently, the expectation is that he will sign it). If signed, the TDPA will go into effect on June 1, 2021.
The Act will require owners to:
- Obtain consent to collect data through the smart access system;
- Provide a written privacy notice to tenants that describes the information the smart access system collects about tenants, how long the landlord retains the data, how the data is destroyed, and how tenants can allow guests to access the building through the access system;
- Provide the access system provider’s privacy notice to tenants (if different from the owner’s privacy notice);
- Limit data the access system collects to name, apartment number, preferred method of contact, biometric identifiers (where applicable), any identifiers or passcodes associated with the smart access system hardware, and lease information (i.e., move-in and move-out dates);
- Obtain parental consent before collecting data relating to minors; and
- Delete data that does not need to be kept for legal or security reasons after the end of the tenancy.
Landlords and system providers will need to “immediately” delete any data collected in violation of the TDPA and must implement security safeguards (including encryption) to protect building access data.
The TDPA prohibits owners from collecting any information about tenants’ use of internet service and restricts the information owners can obtain about tenants’ use of gas and electricity to total monthly usage. The Act also prohibits landlords, providers and any other entities that collect data through smart access systems from:
- Selling or disclosing the data to third parties, other than pursuant to a court order or with tenant consent (third parties do not include hosting providers);
- Engaging in location tracking, including outside the premises;
- Determining the frequency of tenant/guest ingress and egress;
- Restricting the times or places through which guests can enter a building;
- Using the data for purposes other than monitoring entrances, exits, and common areas (the TDPA specifically prohibits using access data to evict tenants); or
- Requiring tenants to use smart access systems to access their homes.
The TDPA provides a limited private right of action to tenants whose owners sell access data in violation of the TDPA. In addition to attorneys’ fees, such tenants could recover compensatory and punitive damages or statutory damages ranging from $200 to $1,000 per unlawful sale.
Owners utilizing (or considering) smart access systems should:
- Consider updating leases to get consent for the collection of smart access data;
- Develop an understanding (e.g., through data mapping) of their collection, use, and disclosure of access data, and institute practices that align with TDPA requirements;
- Prepare privacy notices and data retention schedules; and
- Make TDPA compliance part of the vendor evaluation process, including assessing vendor compliance and updating vendor agreements to seek indemnification for TDPA breaches as needed.
Unlike privacy laws in California and Virginia, the TDPA contains no exemptions for annual revenue or volume of data processing. Accordingly, the Act applies to all owners of multiple dwellings that utilize smart access systems, regardless of size. Larger landlords will want to dedicate appropriate efforts to compliance to limit their exposure to private litigation.
Goodwin's Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs.