The New York City Tenant Data Privacy Act (TDPA) was passed on May 28, 2021. Scheduled to go into effect on July 29, 2021, the law addresses a number of perceived privacy-related issues concerning smart access systems in multifamily buildings.
To whom does it apply?
What types of information does it cover?
What does the law require and prohibit?
· The name of the tenant or guest;
· The unit number and areas in the building that the tenant or guest has access to with the smart access system;
· The tenant or guest’s preferred method of contact;
· The tenant or guest’s biometric identifier information—if the smart access system uses any physiological, biological, or behavioral characteristics to identify an individual;
· Passcodes or identifiers associated with the physical hardware used to gain entry;
· Lease information, including move-in and move-out dates; and
· The time and method of entry, to be used for security purposes only.
· Collecting any information about a tenant’s use of internet service, unless the building owner provides internet service directly to the tenant and the information is aggregated and anonymized or necessary for billing purposes;
· Selling, leasing, or disclosing the data to another person, with some exceptions;
· Using a smart access system to track the location of any tenant or guest when they are outside the building;
· Using a smart access system to capture data of any minor, unless the minor’s parent or legal guardian has given written authorization;
· Using a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, unless required by law;
· Using a smart access system to collect information on or track the frequency and time that tenants and their guests use the system to harass or evict the tenant;
· Using a smart access system to collect data from an individual who is not a tenant and who has not given express consent, in writing or through a mobile application, except if the individual is an employee or agent of the building owner; and
· Sharing any data about a minor collected from a smart access system unless the minor’s parent or legal guardian has given written authorization.
· Using data collected through a smart access system for any purpose other than granting entry;
· Using a smart access system to limit the time that any tenant or guest can enter the building unless requested by a tenant;
· Requiring a tenant to use a smart access system for entry; and
· Using any information collected through a smart access system to harass or evict a tenant.
What obligations will it impose?
Data Destruction and Retention
· Tenant permanently vacates the smart access building;
· Guests of tenants who permanently vacate the smart access building who are not also tenants of the smart access building;
· Tenant or guest withdraws consent previously given to collect their data; and
· Tenant withdraws request to grant a guest access to the smart access system.
· Data is necessary to detect and protect against security incidents and prosecute those responsible;
· Data is necessary to debug and repair errors that impair existing functionality;
· Data is necessary to comply with another law;
· Data is protected speech under the United States or New York State constitutions;
· Tenant or guest request, in writing or through a mobile application, that their data be retained; or
· Building owners or third-party entity needs the identifiers associated with the physical hardware used to gain entry to deactivate or activate the hardware, given that such data is retained separately from the smart access system.
· The data elements the smart access system will collect;
· The names and privacy policies of any entities that the owner will share the data elements with;
· The protocols and safeguards that the owner will use to protect the data elements;
· How long the data will be retained;
· The protocols the owner will follow for any suspected or actual unauthorized access to or disclosure of the data elements;
· The guidelines for permanently destroying or anonymizing the data or removing the data from the smart access system; and
· The process used to add and remove individuals who have provided temporary, written consent to the smart access system.