Home Alone? New York City Enacts Tenant Data Privacy Act


May.27.2021

Tenants in New York City may soon have reason to sleep a little easier – the New York City Council has enacted a Tenant Data Privacy Act that is poised to enhance privacy protections in multifamily buildings in the city. Motivated by the large amounts of data that the Internet of Things (IoT) can generate in residential settings, the Act regulates the use of “smart access systems” such as smart locks and other keyless technologies to unlock entrances to common areas or individual apartments. The Act also regulates the use of utilities data such as gas, electricity, and Internet service. Key terms include notice and consent requirements, collection limits, use restrictions and minimum security obligations, as described in more detail below. Unless vetoed by Mayor Bill de Blasio this month, the Act is expected to become law by June 2021, with a grace period until January 1, 2023 before enforcement can begin in earnest. In the meantime, impacted companies should work with experienced counsel to come into compliance with the new rules.

Notice and Consent

Under the Act, tenants and guests must expressly consent to the use of a building’s smart access system, either in writing or through a mobile application. To help tenants to make an informed decision, the Act also requires landlords to provide tenants with a smart access system privacy policy that satisfies minimum disclosure requirements. The policy must state what data will be collected by the smart access system, what third parties the data will be shared with and what those third parties’ privacy policies are. In addition, the policy must describe how the data is protected, how long it is retained for, what protocols will be followed in the event of a security breach and how data is destroyed, anonymized or otherwise removed from the smart access system. Furthermore, the policy must explain how to add and remove individuals who have consented to use of the smart access system on a temporary basis. Landlords must also share the privacy policies of the smart access system developer or the entity that currently operates the system.

The Act also prohibits landlords from requiring a tenant to use a smart access system to get into his or her unit. This prohibition effectively codifies a 2019 settlement by a group of New York City tenants who objected to their landlord’s efforts to phase out the use of mechanical keys in their building. In practice, if a tenant does not consent to the use of the smart access system, then the landlord will still need to provide a key for the tenant’s unit.

Collection Limits

Under the Act, a smart access system must collect only the minimum amount of data needed to enable the system to function. Permitted categories of data include the tenant’s or guest’s name, preferred method of contact, biometric identifier information (if applicable), ID card number, password, username, lease information including move-in and move-out dates (if available), and the entrances for which access is permitted. Time and method of access information may also be collected, but only for security purposes.

Separate restrictions apply to the collection of utilities information. Landlords are only permitted to collect total monthly usage information about a tenant’s use of gas, electricity or any other utility unless otherwise required by law, even if more granular data is available. In addition, it is unlawful for a landlord to collect any information about a tenant’s use of Internet service if the landlord does not provide the Internet service directly to tenants. For landlords who provide Internet directly and want to analyze tenants’ usage information, the information must either be aggregated and anonymized or otherwise necessary for billing purposes.

Use Restrictions

The Act expressly prohibits using smart access data for any purpose other than granting access to and monitoring entrances and exits. The Act additionally prohibits off-site location tracking of the user of a smart access system, collecting smart access data from minors without the consent of a parent or guardian, using smart access data to track the relationship status of tenants and their guests or using such data to harass or evict a tenant. In addition, landlords cannot sell, lease or otherwise disclose such data unless a narrow exception is met, such as cooperation with an active law enforcement investigation or disclosure to a building guest with a tenant’s express authorization. Tenants whose data is sold in violation of the Act are eligible for minimum statutory damages of up to $2000 per violation, plus costs and attorneys’ fees.

Minimum Security

To comply with the Act, smart access systems must implement stringent security measures and safeguards to protect the security and data of tenants, guests and other individuals. At a minimum, such security measures must include data encryption and regular updates to firmware to enable security and vulnerability issues to be remediated. In addition, systems that are password-protected must permit users to change the password. In most circumstances, landlords must also ensure that smart access data is deleted or anonymized within 90 days of a tenant’s move-out date or the date on which the tenant withdraws authorization for the use of the data. Data may be retained for a longer period only if it is needed for specific permitted purposes, such as detecting security incidents, protecting against fraud or similar bad acts, debugging or compliance with law.

What To Do Now

Unless vetoed by Mayor de Blasio this month, the Act is expected to become law by June 2021. Landlords in the city have a grace period until January 1, 2023 to come into compliance before enforcement of the law is expected to begin in earnest. In the meantime, landlords should consider taking the following steps to get ready:

  • Work with smart access system vendors to develop a privacy notice that complies with applicable requirements.
  • Consider how to display the privacy notice to tenants.
  • Obtain any consents from tenants that may be required by law.
  • Establish policies and procedures to ensure tenant data complies with applicable collection and use restrictions.
  • Implement and maintain minimum security requirements for smart access systems.
  • Ensure smart access data is deleted no later than 90 days after tenants’ move out dates, or earlier upon request.