The Tenant Data Privacy Act, New Privacy Law In NYC

The Tenant Data Privacy Act or TDPA is a data privacy law that was passed in New York City in 2021 for the purposes of regulating the collection, processing, use, retention, and disclosure of “tenant data by owners of ‘smart access’ buildings.” While smart buildings around the world have enabled consumers to enjoy new features and capabilities that have never been seen in human history, these technological developments also have the potential to infringe on the personal privacy of the individuals that reside within such dwellings. To this point, the TDPA establishes various provisions that owners of smart access buildings within NYC are required to follow in an effort to protect the personal information and privacy of the numerous tenants that call such buildings home.

How is biometric and authentication data defined under NYC’s TDPA?

Under the TDPA, authentication data is defined as “the data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, except that it does not include data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry.” Alternatively, biometric data is defined as “a physiological, biological or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic.”

What are the responsibilities of owners of smart access buildings under the TDPA?

Under the TPDA, owners of smart access buildings within NYC are prohibited from collecting personal or reference data from tenants within their buildings, unless said tenants have provided their express consent to provide such information. Moreover, even when a resident consents to having their personal data collected, owners of smart access buildings are required to “collect only the minimum amount of authentication data and reference data necessary to enable the use of such smart access system in such a building, and may not collect additional biometric
identifier information from any users.” To this end, the provisions of the TDPA mandate that smart access building owners within NYC limit their collection of personal information to the following data elements:

• The resident’s name
• The resident’s preferred contact method.
• The resident’s biometric identifier information, if the smart access building in question utilizes such information.
• The specific dwelling unit number, as well as any door or common areas that residents may access using the smart access systems within the overall building.
• Identification card numbers, as well as any other identifier associated with the physical hardware used to facilitate access to the building, including radio frequency identification cards, Bluetooth, and other similar technologies.
• Usernames, contact information, passwords, and passcodes that are used individually or in combination with other types of reference data to grant a resident entry into a smart access building, a dwelling or common area within the building, or any other online tools that are used to manger user accounts in relation to the smart access building.
• Lease information, including a resident’s move-in and move-out date, if such information is available, with
  the time and method of access are to be used solely for security purposes.

Furthermore, the TDPA also obliges that owners of smart access buildings within NYC implement security measures and safeguards for the purposes of protecting the personal data and information of their residents. These security measures must include data encryption, as well as the ability for residents to change their passwords “if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues”, at the bare minimum. What’s more, owners of smart access buildings within NYC may not retain the personal information of their residents for a period of time longer than 90 days, irrespective of the specific reasons or purposes for which they collected this information.

What are the penalties for violating NYC’s Tenant Data Privacy Act?

Smart access buildings owners within NYC that are found to be in violation of any of the provisions set forth in the TDPA are subject to a variety of penalties. Most notably, the law provides residents of such dwellings with the private right of action to seek both compensatory and statutory damages, in instances where they feel as though their rights have been violated under the law. With this being said, these damages can range from $200 to $1,000 per tenant within a particular smart access building or dwelling, as well as any associated attorney and court fees that may result from legal proceedings.

New York City’s Tenant Data Privacy Act is in many ways a revolutionary piece of legislation, as personal data is being collected in our current society in a manner that is very much unprecedented. In the context of smart access buildings, residents of such dwellings provide their personal information in a variety of ways to complete a multitude of objectives and tasks. As such, legislation is undoubtedly necessary to ensure that personal information and identifiers that are collected in relation to smart buildings are protected at all times. As such, while New York City is the only city in America to have passed legislation concerning smart building access privacy and data protection, similar laws will surely be passed in other major U.S. cities in the near future.