As I discussed in recent blog, a new addition to the New York City Administrative Code (2021 NYC Local Law No. 3, NYC Admin. Code Sections 22-1201 – 22-1205)(the “Biometric Privacy Law”) will go into effect on July 9 regulating the use of facial recognition technology. In a move to expand such regulations beyond commercial businesses, the City has also adopted a new law regulating the use of smart access technologies in residential buildings (2021 NYC Local Law No. 63, NYC Admin. Code Sections 26-3001 – 26-3007) (the “Tenant Data Privacy Act”). The Act goes into effect on July 29, 2021 (other than with respect to the private right of action described below, which becomes effective January 1, 2023). Landlords that operate in New York City that use smart access technology are well advised to become familiar with the Act and its requirements, include making any necessary changes to their existing policies and procedures as needed to be in compliance with its terms. As with the Biometric Privacy Law, it is quite likely that other jurisdictions may look to follow New York City’s lead, so landlords outside of the City are likewise advised to become familiar with the Act and to proactively address requirements that they may soon be required to abide by.
Set forth below is a summary of the scope and terms of the Act.
To What Buildings Does the Act Apply?
The Act applies to “smart access buildings”, which are “class A multiple dwellings” located within New York City that use a “smart access system.” A “class A multiple dwelling” is any a dwelling which is rented or leased, or is to be rented or leased, as the residence of three or more families living independently of each other that is occupied for permanent residence. This term excludes multiple dwellings which are occupied as a temporary residence of individuals or families who are lodged at such buildings (such as hotels, rooming houses, boarding houses, boarding schools, furnished room houses, club houses, and college and school dormitories). A “smart access system” is any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or any other digital technology to grant entry to a class A multiple dwelling, common areas in such dwelling or to an individual unit in such dwelling.
How Does the Act Regulate Data Collection?
Required Consent
An owner of a smart access building or a third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system. “Reference data” means the information against which authentication data is verified at the point of authentication by a smart access system to grant a user entry to a smart access building, a dwelling unit of such building or a common area of such building. A “third party” is an entity that installs, operates, or otherwise directly supports a smart access system, and has ongoing access to user data, excluding any entity that solely hosts such data, and a “user” is a tenant of a smart access building, and any person a tenant has requested, in writing or through a mobile application, be granted access to such tenant’s dwelling unit and such building’s smart access system. The term “owner” means and include the owner of the freehold of the premises or lesser estate therein, a mortgagee or vendee in possession, assignee of rents, receiver, executor, trustee, lessee, agent, or any other person or entity directly or indirectly in control of a dwelling.
What Data May Be Collected?
An owner or third party may collect only the minimum amount of authentication data and reference data necessary to enable the use of a smart access system in a smart access building and may not collect additional biometric identifier information from any users. “Authentication data” is data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, provided that data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry is not “authentication data.” “Biometric identifier information” is a physiological, biological, or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand, or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic. This definition is similar, but not identical, to that used in the Biometric Privacy Law.
A smart access system may only collect, generate, or use the following information:
- the user’s name;
- the dwelling unit number and other doors or common areas to which the user has access using such smart access system in such building;
- the user’s preferred method of contact;
- the user’s biometric identifier information if such smart access system utilizes biometric identifier information;
- the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
- passwords, passcodes, user names, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of such building or common area of such building through such building’s smart access system, or to access any online tools used to manage user accounts related to such building;
- lease information, including move-in and, if available, move-out dates; and
- the time and method of access, solely for security purposes.
Notwithstanding the above provisions, an owner may retain, separate from a smart access system, a record of the unique identification number or other unique identifier associated with the physical hardware used to facilitate building entry, including key cards or other similar technical protocols, and the dwelling unit number associated with such unique identifier, solely for the purpose of deactivating or activating the key card or other hardware associated with such unique identifier.
Destruction of Data
Owners of smart access buildings and third parties are required to destroy any authentication data collected from or generated by a smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.
Reference data for any tenant who has permanently vacated a smart access building is required to be removed, or anonymized where removal of such data would render the smart access system inoperable, from a smart access system no later than 90 days after the tenant has permanently vacated the building.
Reference data for any user that has been granted access to a former tenant’s dwelling unit and is not a tenant of the smart access building is required to removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after access expires.
Reference data for any user who has withdrawn authorization from an owner or third party who had previously been given access to such reference data pursuant to the Act must be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such authorization has been withdrawn. The same time frame shall apply when a tenant withdraws a request that a guest be granted access to such tenant’s dwelling unit via the smart access system if such guest is not also a tenant of such smart access building.
Reference data collected solely for the operation of a smart access system for a tenant who has permanently vacated a smart access building must be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the owner of such smart access building or a third party.
Reference data collected solely for use of such smart access system for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be destroyed within the same timeframe, following such user’s withdrawal of authorization, such tenant’s withdrawal of the request that such user be granted access to such tenant’s dwelling unit via the smart access system or such tenant’s permanent vacation.
Notwithstanding the above requirements, owners of smart access buildings and third parties that have an obligation to destroy data pursuant to the Act shall not be required to destroy any data that (i) is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; (ii) is necessary to debug to identify and repair errors that impair existing intended functionality; (iii) is protected speech under the United States or New York state constitution; or (iv) is necessary to comply with another law or legal obligation. In addition, reference data may be retained and used by a smart access system pursuant to a user request, in writing or through a mobile application, that such user’s reference data be retained for longer than 90 days.
Any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility is required to be limited to such tenant’s total monthly usage, unless otherwise required by law. Owner of multiple dwellings are prohibited from collecting any information about a tenant’s use of internet service, except that in a multiple dwelling in which internet service is provided directly from an owner to tenants, the landlord may collect such information if such information is aggregated and anonymized, or necessary for billing purposes.
What Does the Act Prohibit?
The Act provides that is it unlawful for any owner of a smart access building or third party that collects reference data or authentication data to:
- sell, lease, or otherwise disclose such data to another person except:
(a) pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or active law enforcement investigation;
(b) to a third party that operates or facilitates the operation of such building’s smart access system, provided that the user has given express authorization, in writing or through a mobile application, and has received in writing, in advance of such authorization: (i) the name of the third party, (ii) the intended use of such data by such third party, and (iii) any privacy policy of such third party;
(c) for data collected regarding utility usage as described above, to an entity employed, retained, or contracted by the owner to improve the energy efficiency of such building;
(d) to a guest as expressly authorized, in writing or through a mobile application, by a tenant; or
(e) as otherwise required by law;
- utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system;
- use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor’s parent or legal guardian;
- use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, except as otherwise required by law;
- use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant;
- use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile application, provided that reference data may be collected for any employee or agent of an owner in a smart access building, and
- share any data that may be collected from a smart access system regarding any minor unless such entity has received the written authorization of such minor’s parent or legal guardian.
Any data collected in violation of the prohibitions set forth in items 3, 4, 5 and 6 above is required to be destroyed immediately.
It also unlawful for any owner of a smart access building, or an agent thereof, to:
- utilize data collected through a smart access system for any purpose other than: (i) to grant access to and monitor entrances and exits to the smart access building, and to common areas in such building, including but not limited to laundry rooms, mail rooms, and the like, and (ii) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units;
- use a smart access system to limit the time of entry into the building by any user except as requested by a tenant;
- require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and
- use any information collected through a smart access system to harass or evict a tenant.
What Does the Act Require of Smart Access Systems?
The Act requires that smart access systems implement stringent security measures and safeguards to protect the security and data of tenants, guests, and other individuals in smart access buildings. Such security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.
Is There an Individual Right of Action to Enforce the Act?
The Act provides that a lawful occupant of a dwelling unit, or a group of such occupants, in a smart access building may bring an action alleging an unlawful sale of data in violation of the Act. If the court finds that a person has sold data in violation of the Act, the court shall, in addition to any other relief such court determines to be appropriate, award to each such occupant per each unlawful sale of such occupant’s data: (i) compensatory damages and, in such court’s discretion, punitive damages, or (ii) at the election of each occupant, damages ranging from $200 to $1,000, as well as reasonably attorneys’ fees and court costs. This right is in addition to any other remedies that may be provided for under common law or by other law or rule.
Is an Owner’s Violation of the Act Grounds to Not Pay Rent?
No. The Act expressly states nothing shall relieve any occupant or occupants from any obligation to pay rent or any other charge for which such occupant or occupants are otherwise liable to a person found to be in violation of the Act, and that nothing shall affect any other right or responsibility of an occupant or owner afforded to such person pursuant to a lawful lease.