Although the Centers for Disease Control and Prevention (CDC) issued updated guidance for isolation and quarantine relating to COVID-19 on December 27, 2021, the New York State Department of Health (NYSDOH) did not follow suit until yesterday, January 4, 2022. In an interim guidance document made available online and sent to local health departments, school districts, congregate care settings and healthcare providers, NYSDOH stated that it is “aligning with CDC’s updated isolation and quarantine recommendations” but, because CDC guidance is in flux and expected to be updated as further evidence relating to the current surge is gathered, NYSDOH’s policy is being issued on an interim basis and is subject to change.

Isolation for the General Population

NYSDOH now requires that a person who tests positive for COVID-19 or experiences symptoms of COVID-19 isolate for five days after symptom onset or, if asymptomatic, after receiving a positive test. Subsequently:

  • For most people, if asymptomatic at the end of five days or symptoms are improving and the person has been without a fever for at least twenty-four hours, isolation ends and the individual must wear a well-fitting mask while around others for five additional days. ​Presumably (though not stated explicitly by NYSDOH), if a person’s symptoms are not improving on the fifth day of isolation, isolation should continue until symptoms begin improving and the individual has been without a fever for at least twenty-four hours.
  • Individuals who are unable to wear a well-fitting mask or are moderately/severely immunocompromised may not discontinue isolation after the initial five days. In most cases, isolation may be ended after ten total days have elapsed and the individual has been without a fever for at least twenty-four hours. However, if such a person was “severely ill” with COVID-19 (i.e., hospitalized, on a ventilator or subject to intensive care), then extending isolation to a total of twenty days “may” be warranted.

    • Quarantine for the General Population

    If a person is exposed to COVID-19, quarantine requirements depend on the individual’s vaccination status. Specifically:

  • If a person is unvaccinated or is vaccinated but has not received a booster for which the person is eligible, the individual must quarantine for five days after exposure and wear a well-fitting mask around others for five additional days after quarantine ends. Testing at the end of the initial five day period is recommended but not required. ​
  • If a person is fully vaccinated and boosted, or fully vaccinated and not yet eligible for a booster, the individual does not need to quarantine but is required to wear well-fitting mask around others for ten days after exposure. Again, testing at the end of the initial five day period is recommended but not required. ​

    • ​If symptoms develop for someone who was exposed to COVID-19, the person should continue quarantining (or begin/return to quarantine, as applicable) and seek testing. Quarantine will end if a negative result is received. If a person does not test, or tests positive, they must follow the isolation procedures described above.

    Quarantine and Isolation for Healthcare Workers

    On December 24, 2021, NYSDOH updated its guidance for quarantine and isolation of healthcare workers and “other critical workforce.” That guidance is no longer applicable to “other critical workforce” members and those individuals should now follow the January 4th guidance. However, the December 24th guidance remains in effect for healthcare workers.

    ***

    If you have any questions concerning quarantine and isolation requirements, please contact Jessica M. Baquet at (516) 393-8292 or jbaquet@jaspanllp.com.

    Coronavirus vaccination record card. Protective mask divided into two parts. Concept of defeating Covid-19

    On December 6, 2021, New York City Mayor Bill de Blasio announced a COVID-19 vaccine mandate for all private-sector employers in the City. Under the mandate of the Department of Health, New York City businesses, regardless of size, must ensure that employees who work in-person receive at least one dose of the vaccine by December 27, 2021. According to the website for the Mayor’s office, the City will issue “additional enforcement and reasonable accommodation guidance” on December 15th “along with additional resources to support small businesses with implementation.”

    This is not the City’s first vaccine mandate. In the last several months, the City imposed vaccine mandates on municipal workers, and employees and patrons of indoor dining, entertainment venues and gyms. Also on December 6th, Mayor de Blasio announced that the pre-existing mandate, known as the Key to New York Pass, will be expanded to require children ages 5 to 11 to show proof of at least one vaccination dose to patronize indoor dining, entertainment venues and gyms beginning on December 14, 2021. Additionally, starting on December 27, 2021, people ages 12 and older will be required to show proof that they have received two doses of the Pfizer or Moderna vaccine, or one dose of the Johnson & Johnson vaccine, to enter these facilities.

    While we await the release of further guidance, employers should begin working to update their existing policies to account for the enforcement of the expanded vaccine mandate to employees and, in some instances, customers. This should include a process for receiving and reviewing requests for exemptions or reasonable accommodations from the mandate.

    If you have questions concerning this expanded mandate or how to revise your company’s policies, please contact Jessica M. Baquet at (516) 393-8292 or jbaquet@jaspanllp.com.

    Whistleblower law book and gavel in a court.
    Whistleblower law book and gavel in a court.

    New York Governor Kathy Hochul recently signed S.B. 4394, an amendment of Section 740 of the New York Labor Law that amounts to a significant expansion of safeguards for whistleblowers. Effective January 26, 2022, the new law broadens the definition of retaliation, creates new notice and reporting requirements, extends certain protections to former employees and independent contractors, and increases potential damages, among other things discussed in greater detail below.

    Who is an “Employee” Under the New Law?

    Formerly, whistleblower protections were only extended to those “who perform[ ] services for and under the control and direction of an employer for wages or other remuneration,” as that was the definition of “employee.” However, under the amended law, the range of people protected from retaliation includes current and former employees as well as independent contractors.

    What Kind of Activity is Protected Under the New Law?

    Under the old law, employees were only protected when reporting a violation that created a substantial and specific danger to public health or safety. By contrast, the amended law protects those who disclose or threaten to disclose anything relating to practices and activities that the employee “reasonably believes” (1) violate a law rule, or regulation, or (2) pose a substantial and specific danger to public health or safety. The employee is also protected if he provides information to or testified before a public body, or objects or refuses to participate in the subject policy or practice.

    What Constitutes Retaliation Under the New Law?

    Under the old law, the definition of retaliatory conduct was limited to the discharge, suspension or demotion of an employee, or other adverse employment action. Now, the law also protects against actual or threatened adverse employment actions, including (1) the above-described conduct, (2)  conduct that would adversely impact a former employee’s current or future employment; and (3) the contacting of immigration authorities or reporting the immigration status of employees or their family members.

    How Have the Reporting Requirements Changed?

    Under the old law, employees had to report any violations to their employer first, before disclosing it to a public body. This was intended to give the employer a reasonable opportunity to correct the alleged violation. The amended law, however, requires only that employees make a “good faith” effort to notify their employer first. Further, the employee can entirely bypass that step, and go straight to public disclosure if the employee reasonably believes: (1) that there is imminent and serious danger to public health or safety; (2) that reporting the alleged wrongdoing to their employer will result in the destruction of evidence, concealment, or harm to the employee; or (3) that his supervisor already knows of the violation and will not correct it.

    What Else Has Changed?

    Under the old law, a plaintiff could seek (1) injunctive relief; (2) reinstatement; (3) compensation for lost wages, benefits, and other remuneration; and (4) reasonable costs, disbursements, and attorneys’ fees. The law now allows for a jury trial and permits, in addition to existing remedies, front pay in lieu of reinstatement, the recovery of up to $10,000 and punitive damages. If the plaintiff prevails, he may be entitled to injunctive relief, reinstatement, compensation for lost wages, benefits, and other remuneration, and reasonable costs, disbursements, and attorneys’ fees. Importantly, the amended law also expands the statute of limitations from one to two years. However, it is also of note that, if the court finds that a retaliation claim was brought without basis in law or fact, the employer may now be awarded reasonable costs and attorney fees.

    Recommendations for Employers Going Forward

    Employers are required to post notice of the employees’ protections, rights and obligations under the new law. The notice should be conspicuous, meaning in an accessible and well-lighted place. A model posting will likely be available at the Department of Labor website in advance of the law’s effective date. Additionally, it may be appropriate to provide additional training for managers responsible for receiving and escalating whistleblower complaints. Further, it may be advisable to contact counsel when presented with reported violations by employees.

    For further information on New York’s whistleblower laws or how to revise your company’s policies, contact Jessica Baquet or David Paseltiner at 516-746-8000.

     

     

     

    marijuana

    As we discussed in an earlier related blog post, effective March 31, 2021, the Marijuana Regulation and Taxation Act (“MRTA”) legalized the use of recreational marijuana for adults who are 21 and older and amended New York Labor Law 201(d), among other revisions, to prohibit employers from discriminating against an employee for such employee’s “legal use of consumable products, including cannabis in accordance with state law, prior to the beginning or after the conclusion of the employee’s work hours, and off of the employer’s premises and without use of the employer’s equipment of other property.” Recently, the New York Department of Labor (“DOL”) issued guidance on MRTA, which delineates permitted employer actions and answers to frequently asked questions.

    Employers cannot test for cannabis and cannot rely on drug workplace policies existing prior to the effectiveness of MRTA, except for limited circumstances, such as if drug testing is specifically required by law. However, employers can implement new policies prohibiting cannabis use during work hours or on the employer’s property in compliance with the law.

    What constitutes “work hours”?

    Under the DOL guidance, “work hours […] means all time, including paid and unpaid breaks and meal periods, that the employee is suffered, permitted or expected to be engaged in work, and all time the employee is actually engaged in work. Such periods of time are still considered ‘work hours’ if the employee leaves the worksite.” Additionally, employers can prohibit cannabis while an employee is on call or “expected to be engaged in work.”

    What is employer’s property?

    Employers can prohibit use and even possession of cannabis on the “employer’s property, including leased or rented space, company vehicles, and areas used by employees within such property (e.g. lockers, desks, etc.).” The DOL guidance further states that “employers are permitted to prohibit use in company vehicles or on the employer’s property, even after regular business hours or work shifts.”

    Can an employer take action against an employee for using cannabis on the job?

    Yes, employers may take employment action against an employee if the employee manifests specific articulable symptoms of impairment that (i) decrease or lessen the performance of their duties or tasks and (ii) interfere with an employer’s obligations to provide safe and healthy workplace, free from recognized hazards as required by state and federal occupational safety and health laws (such as the operation of heavy machinery in an unsafe and reckless manner). Articulable symptoms of impairment are objectively observable indications that employee’s performance of the duties of the position of their position are decreased or lessened, however, the DOL guidance cautions that “such articulable symptoms may also be an indication that an employee has a disability protected by federal and state law (e.g., the NYS Human Rights Law), even if such disability or condition is unknown to the employer. Employers should consult with appropriate professionals regarding applicable local, state, and federal laws that prohibit disability discrimination.” Additionally, the DOL guidance specifies that the smell of cannabis alone is not an articulable symptom of impairment.

    For further information or guidance on revising your policies and procedures, please contact Jessica Baquet or David Paseltiner.

    On October 6, 2021, the New York Workers’ Compensation Board adopted a revised regulation addressing the amount of intermittent Paid Family Leave (“PFL”) that is available to employees who work more than five days per week. The revised regulation becomes effective January 1, 2022, and is not retroactive.

    Under existing regulations, employees who are qualified for PFL may take up to 12 weeks of such leave during a period of 52 consecutive weeks. Employees are not required to take PFL all at once and may elect to take it in full day increments on an intermittent basis. When taking PFL on an intermittent basis, the maximum days of PFL that an employee may take is determined by multiplying the average number of days he or she works per week by 12, but in no event more than 60 days of PFL per 52-week period for employees working at least five days per week. As a result, an employee who works more than five days a week is currently capped at 60 days per 52-week period.

    Under the revised regulation, the 60-day cap has been eliminated, and employees who work more than five days per week will be eligible to take additional intermittent PFL once the revised regulation takes effect. Without the cap, employees who work six days per week will become entitled to 72 days of PFL to be used intermittently in a 52-week period, and employees who work seven days per week will become entitled to 84 days of PFL to be used intermittently in a 52-week period.

    The revised regulation does not affect employees who work five or fewer days per week but will  greatly increase the days of intermittent PFL leave available to employees who do work in excess of this amount. Employers who have employees working more than five days per week should take note of this change and take steps to ensure compliance with the revised regulation when it becomes effective.

    For further information or guidance on revising your policies, please contact David Paseltiner or Jessica Baquet.

     

    Paid family leave form in clipboard and note pad.

    On Nov. 1, 2021, New York Governor Kathy Hochul signed an amendment to the New York Paid Family Leave Benefits Law (the “PFL”) expanding the definition of “family member” for the purposes of the PFL to include biological or adopted siblings, half-siblings, and step-siblings. The current definition of “family member” covers children, parents, grandparents, grandchildren, spouses and domestic partners. While the change to the definition will not become effective January 1, 2023, employers should make a note of the change and take steps to prepare for the expended coverage prior to its effective date.

    For further information or guidance on revising your policies, please contact David Paseltiner

    As noted in an earlier blog, on March 12, 2021, New York enacted a new law requiring public and private employers to provide paid leave for any employee receiving a COVID-19 vaccination. Under this law, employers must provide their employees up to four hours (or, if greater, such time as an employee is entitled to receive pursuant to a collectively bargained agreement or as otherwise authorized by the employer) of paid time off per vaccine injection at their regular pay rate.

    When the law was enacted, COVID-19 booster shots were not something that was considered necessary, and guidance from the Labor Department contemplated that total paid leave for vaccinations would be capped at eight hours for those taking a two-dose vaccination series. While, as noted above, the statute itself indicates that four hours of leave is available “per vaccine injection, to avoid any doubt, the Labor Department has revised its Frequently Asked Questions to make clear that the law applies to any COVID-19 vaccination received by an employee, including booster shots.

    Employers should update their paid vaccine leave policies and practices to include paid time off for booster shots.

    For further information or guidance on revising your policies, please contact David Paseltiner or Jessica Baquet.

     

    Coronavirus vaccination record card. Protective mask divided into two parts. Concept of defeating Covid-19

    This morning, the United States Department of Labor (DOL) published its much-anticipated Emergency Temporary Standard (ETS) concerning COVID-19 vaccination and testing. The ETS was issued at the directive of President Biden and sets forth the details of the mandate that certain employers require their employees to become fully immunized against COVID-19 or, alternatively, to submit to weekly COVID-19 testing and wear face coverings in the workplace. DOL has also released other materials, including fact sheets, a webinar and sample policies, to assist employers in complying with the ETS.

    In this blog, I will summarize some of the salient aspects of the ETS. Note that the requirement that employees become fully vaccinated or submit to weekly testing will become effective on January 4, 2022. All other aspects of the ETS will become effective on December 5, 2021.

    Which employers are subject to the ETS?

    The ETS applies to most private employers with at least one hundred employees company-wide, including employees who are full-time, part-time, temporary or seasonal. Independent contractors are not counted for purposes of determining an employer’s size.

    Certain large private employers are not subject to the ETS because they are covered by other federal rules and regulations. These include federal contractors and subcontractors, and employers whose employees provide healthcare or healthcare support services (which are covered by a separate emergency temporary standard).

    While the ETS does not currently apply to employers with fewer than one hundred employees, DOL’s fact sheet makes it clear that the ETS could be expanded to cover smaller employers in the future. It states that OSHA requires additional time to determine whether it is feasible for smaller employers to comply with the ETS.

    The ETS also applies to state and local government employers with at least one hundred employees, but only in states with safety plans approved by the Occupational Health and Safety Administration (OSHA).

    What obligations do employers have concerning vaccination, testing and face masks?

    Under the ETS, employers have a number of obligations concerning vaccination, testing and face masks. It is important to note that the ETS sets out the minimum obligations of employers. It does not prevent employers from adopting stricter or more protective policies and protocols.

    First, employers must develop a policy requiring employees to become fully vaccinated or submit to weekly COVID-19 testing and wear face masks in the work place. To be clear, employers are not required to provide employees with a weekly “test out” option, and may instead implement a straightforward mandatory vaccination policy. According to the ETS, its provisions override any state or local law or regulation barring employers from requiring vaccination, testing and/or mask-wearing.

    If an employer implements a mandatory vaccination policy without a “test out” option, the employer still must make exceptions for employees: (1) for whom a vaccine is medically contraindicated; (2) for whom medical necessity requires a delay in vaccination; or (3) who are legally entitled to reasonable accommodations under federal law because they have a disability or sincerely held religious belief that conflicts with vaccination requirements. If an employer permits an employee in one of these categories to be present in the workplace, the employee must comply with the ETS’ mandatory testing and mask-wearing requirements (and the employer’s policies must address those requirements). However, employees need not follow vaccination or testing requirements if they: (1) do not report to a workplace where other people are present; (2) work from home; or (3) work exclusively outdoors.

    Second, employers must take certain steps to facilitate their employees becoming vaccinated. Employers must provide employees up to four hours of paid time off for each vaccination dose. This paid time off is in addition to time off available under the employers’ usual policies; employees cannot be made to use other accrued paid time off or sick leave. Employers must also provide a “reasonable” amount of paid time off to recover from side effects experienced after each vaccination dose.

    Third, for employers who choose to provide employees with a “test out” option, the employer must ensure that each employee who is not fully vaccinated, and who is in the workplace at least once per week, is tested for COVID-19 at least weekly and wears face coverings while at work. The ETS does not require employers to pay for costs associated with testing, although payment may be required by other laws, employment contracts or collective bargaining agreements.

    Fourth, employers must require employees, regardless of vaccination status, to provide prompt notice if they test positive for or are diagnosed with COVID-19. Employers must remove such employees from the workplace and prohibit them from returning until they meet the criteria for doing so.

    What notices must employers provide to employees?

    Employers are obligated to provide employees with certain information and to present that information in the language and at the literacy level that its employees can comprehend. The information to be imparted includes: (1) the requirements of the ETS and the specific workplace policies and procedures the employer has adopted in order to comply with the ETS; (2) a document published by the Centers for Disease Control and Prevention entitled “Key Things to Know About COVID-19 Vaccines”; (3) information about employee protections against retaliation and discrimination; and (4) information about criminal penalties that may be imposed against an employee who knowingly supplies false statements or documentation.

    What record-keeping requirements does the ETS impose upon employers?

    Employers must obtain and keep proof of their employees’ vaccination status, and treat this proof as confidential medical information under, among other laws, the Americans with Disabilities Act. Employers must permit an employee, or his/her authorized representative, to examine and/or copy the employee’s vaccination or testing documentation.

    Employers must also create a roster of their employees’ vaccination status. The employer is not required to permit its employees to inspect the roster, but must make available to any employee or his/her authorized representative the total number of employees in the workplace and the number of those employees who are vaccinated.

    What information must an employer report to the government?

    Employers must report to OSHA in certain instances. Specifically, the employer must report any work-related COVID-19 in-patient hospitalizations to OSHA within 24 hours of learning of them, and any work-related COVID-19 deaths within 8 hours of learning about them. However, employers need not submit their policies to OSHA unless requested.

    ***

    If you have any questions concerning the ETS or mandatory vaccination policies, please contact Jessica M. Baquet at (516) 393-8292 or jbaquet@jaspanllp.com.

    Coronavirus vaccination record card. Protective mask divided into two parts. Concept of defeating Covid-19

    This week the Food and Drug Administration (“FDA”) announced its full approval of the Pfizer-BioNTech vaccine for use among people age 16 and older. Within just hours of that announcement, a string of employers private and public alike began declaring their intentions to put mandatory vaccination policies in place. Among the most notable early actors were the Pentagon, Goldman Sachs, CVS, the unions at Disney, the New York City School System, and the New York State Court System, all of which declared that mandates are now in place, or soon will be.

    Back in December 2020, the FDA permitted use of the vaccine pursuant to an emergency use authorization (“EUA”), which the FDA defines as a “mechanism to facilitate the availability and use of medical countermeasures, including vaccines, during public health emergencies.” Pfizer and BioNTech applied for full approval in May and now have the FDA’s official seal of approval, just like other more familiar vaccines.

    While a string of new vaccine mandates have come into effect in the short time since the FDA’s announcement, not much has really changed from a legal perspective. According to guidance from Equal Opportunity Employment Commission (“EEOC”), employers have technically been able to implement mandates since December, provided they did so in alignment with state and local laws, and with certain medical and religious exemptions.

    Why then all the hubbub around FDA licensure? The answer seems largely to do with perception – that of the general public and, more specifically, the employees to be directly affected by these mandates. EEOC guidance notwithstanding, the implementation of vaccine mandates has not been without its backlash. Some employers have faced lawsuits challenging the legality of the policies themselves. Others have had employees quit. All have faced the difficult question of how to implement a mandate when vaccination itself has become an emotionally and politically charged subject shrouded in misinformation and misunderstanding. The hope is that the FDA’s seal of approval may give the vaccine campaign the image boost it still desperately needs among those who doubt its efficacy.

    On the legal front, vaccine mandates have seen success in Texas, Florida, North Carolina, and California, among other places, where court decisions have all come down in favor of mandates. Also, in July, the US Department of Justice issued an opinion concluding that the Food, Drug and Cosmetic Act does not prohibit public or private entities from mandating Covid-19 vaccination, even if the vaccines only have emergency-use authorization. Moreover, on August 12th, the U.S. Supreme Court, the nation’s highest court itself, held that Indiana University could require its students to be vaccinated against Covid-19.

    In other words, from a legal standpoint, vaccine mandates are proper as long as employers abide by state and local law and applicable guidelines, including those by the EEOC specifying necessary accommodations. Yet the question of whether to issue a mandate remains complex. Employers should consider, among other things, whether they have a firm grasp of the applicable guidelines; whether they are prepared to face lawsuits, even if unsuccessful; whether they are prepared to answer employees’ questions and concerns as to ethics, autonomy and safety; whether they have in place the mechanisms necessary to ensure that private information remains private; whether they are prepared to deal with potential workers’ compensation claims; whether the nature of the work is such that employees work in close proximity to each other; whether they have the resources to combat misinformation; and whether they are prepared to suffer a loss of workforce, should at-will employees ultimately decline to be vaccinated.

    For further information as to whether a policy requiring vaccinations is right for your workplace, please contact Jessica M. Baquet at jbaquet@jaspanllp.com.

     

     

    As I discussed in recent blog, a new addition to the New York City Administrative Code (2021 NYC Local Law No. 3, NYC Admin. Code Sections 22-1201 – 22-1205)(the “Biometric Privacy Law”) will go into effect on July 9 regulating the use of facial recognition technology. In a move to expand such regulations beyond commercial businesses, the City has also adopted a new law regulating the use of smart access technologies in residential buildings (2021 NYC Local Law No. 63, NYC Admin. Code Sections 26-3001 – 26-3007) (the “Tenant Data Privacy Act”). The Act goes into effect on July 29, 2021 (other than with respect to the private right of action described below, which becomes effective January 1, 2023). Landlords that operate in New York City that use smart access technology are well advised to become familiar with the Act and its requirements, include making any necessary changes to their existing policies and procedures as needed to be in compliance with its terms. As with the Biometric Privacy Law, it is quite likely that other jurisdictions may look to follow New York City’s lead, so landlords outside of the City are likewise advised to become familiar with the Act and to proactively address requirements that they may soon be required to abide by.

    Set forth below is a summary of the scope and terms of the Act.

    To What Buildings Does the Act Apply?

    The Act applies to “smart access buildings”, which are “class A multiple dwellings” located within New York City that use a “smart access system.” A “class A multiple dwelling” is any a dwelling which is rented or leased, or is to be rented or leased, as the residence of three or more families living independently of each other that is occupied for permanent residence. This term excludes multiple dwellings which are occupied as a temporary residence of individuals or families who are lodged at such buildings (such as hotels, rooming houses, boarding houses, boarding schools, furnished room houses, club houses, and college and school dormitories). A “smart access system” is any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or any other digital technology to grant entry to a class A multiple dwelling, common areas in such dwelling or to an individual unit in such dwelling.

    How Does the Act Regulate Data Collection?

    Required Consent

    An owner of a smart access building or a third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system.  “Reference data” means the information against which authentication data is verified at the point of authentication by a smart access system to grant a user entry to a smart access building, a dwelling unit of such building or a common area of such building.  A “third party” is an entity that installs, operates, or otherwise directly supports a smart access system, and has ongoing access to user data, excluding any entity that solely hosts such data, and a “user” is a tenant of a smart access building, and any person a tenant has requested, in writing or through a mobile application, be granted access to such tenant’s dwelling unit and such building’s smart access system. The term “owner” means and include the owner of the freehold of the premises or lesser estate therein, a mortgagee or vendee in possession, assignee of rents, receiver, executor, trustee, lessee, agent, or any other person or entity directly or indirectly in control of a dwelling.

    What Data May Be Collected?

    An owner or third party may collect only the minimum amount of authentication data and reference data necessary to enable the use of a smart access system in a smart access building and may not collect additional biometric identifier information from any users. “Authentication data” is data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, provided that data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry is not “authentication data.” “Biometric identifier information” is a physiological, biological, or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand, or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic. This definition is similar, but not identical, to that used in the Biometric Privacy Law.

    A smart access system may only collect, generate, or use the following information:

    • the user’s name;
    • the dwelling unit number and other doors or common areas to which the user has access using such smart access system in such building;
    • the user’s preferred method of contact;
    • the user’s biometric identifier information if such smart access system utilizes biometric identifier information;
    • the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
    • passwords, passcodes, user names, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of such building or common area of such building through such building’s smart access system, or to access any online tools used to manage user accounts related to such building;
    • lease information, including move-in and, if available, move-out dates; and
    • the time and method of access, solely for security purposes.

    Notwithstanding the above provisions, an owner may retain, separate from a smart access system, a record of the unique identification number or other unique identifier associated with the physical hardware used to facilitate building entry, including key cards or other similar technical protocols, and the dwelling unit number associated with such unique identifier, solely for the purpose of deactivating or activating the key card or other hardware associated with such unique identifier.

    Destruction of Data

    Owners of smart access buildings and third parties are required to destroy any authentication data collected from or generated by a smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

    Reference data for any tenant who has permanently vacated a smart access building is required to be removed, or anonymized where removal of such data would render the smart access system inoperable, from a smart access system no later than 90 days after the tenant has permanently vacated the building.

    Reference data for any user that has been granted access to a former tenant’s dwelling unit and is not a tenant of the smart access building is required to removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after access expires.

    Reference data for any user who has withdrawn authorization from an owner or third party who had previously been given access to such reference data pursuant to the Act must be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such authorization has been withdrawn. The same time frame shall apply when a tenant withdraws a request that a guest be granted access to such tenant’s dwelling unit via the smart access system if such guest is not also a tenant of such smart access building.

    Reference data collected solely for the operation of a smart access system for a tenant who has permanently vacated a smart access building must be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the owner of such smart access building or a third party.

    Reference data collected solely for use of such smart access system for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be destroyed within the same timeframe, following such user’s withdrawal of authorization, such tenant’s withdrawal of the request that such user be granted access to such tenant’s dwelling unit via the smart access system or such tenant’s permanent vacation.

    Notwithstanding the above requirements, owners of smart access buildings and third parties that have an obligation to destroy data pursuant to the Act shall not be required to destroy any data that (i) is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; (ii) is necessary to debug to identify and repair errors that impair existing intended functionality; (iii) is protected speech under the United States or New York state constitution; or (iv) is necessary to comply with another law or legal obligation. In addition, reference data may be retained and used by a smart access system pursuant to a user request, in writing or through a mobile application, that such user’s reference data be retained for longer than 90 days.

    Any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility is required to be limited to such tenant’s total monthly usage, unless otherwise required by law. Owner of multiple dwellings are prohibited from collecting any information about a tenant’s use of internet service, except that in a multiple dwelling in which internet service is provided directly from an owner to tenants, the landlord may collect such information if such information is aggregated and anonymized, or necessary for billing purposes.

    What Does the Act Prohibit?

    The Act provides that is it unlawful for any owner of a smart access building or third party that collects reference data or authentication data to:

    1. sell, lease, or otherwise disclose such data to another person except:

    (a)           pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or active law enforcement investigation;

    (b)          to a third party that operates or facilitates the operation of such building’s smart access system, provided that the user has given express authorization, in writing or through a mobile application, and has received in writing, in advance of such authorization: (i) the name of the third party, (ii) the intended use of such data by such third party, and (iii) any privacy policy of such third party;

    (c)           for data collected regarding utility usage as described above, to an entity employed, retained, or contracted by the owner to improve the energy efficiency of such building;

    (d)          to a guest as expressly authorized, in writing or through a mobile application, by a tenant; or

    (e)          as otherwise required by law;

    1. utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system;
    2. use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor’s parent or legal guardian;
    3. use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, except as otherwise required by law;
    4. use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant;
    5. use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile application, provided that reference data may be collected for any employee or agent of an owner in a smart access building, and
    6. share any data that may be collected from a smart access system regarding any minor unless such entity has received the written authorization of such minor’s parent or legal guardian.

    Any data collected in violation of the prohibitions set forth in items 3, 4, 5 and 6 above is required to be destroyed immediately.

    It also unlawful for any owner of a smart access building, or an agent thereof, to:

    1. utilize data collected through a smart access system for any purpose other than: (i) to grant access to and monitor entrances and exits to the smart access building, and to common areas in such building, including but not limited to laundry rooms, mail rooms, and the like, and (ii) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units;
    2. use a smart access system to limit the time of entry into the building by any user except as requested by a tenant;
    3. require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and
    4. use any information collected through a smart access system to harass or evict a tenant.

    What Does the Act Require of Smart Access Systems?

    The Act requires that smart access systems implement stringent security measures and safeguards to protect the security and data of tenants, guests, and other individuals in smart access buildings. Such security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

    Is There an Individual Right of Action to Enforce the Act?

    The Act provides that a lawful occupant of a dwelling unit, or a group of such occupants, in a smart access building may bring an action alleging an unlawful sale of data in violation of the Act. If the court finds that a person has sold data in violation of the Act, the court shall, in addition to any other relief such court determines to be appropriate, award to each such occupant per each unlawful sale of such occupant’s data: (i) compensatory damages and, in such court’s discretion, punitive damages, or (ii) at the election of each occupant, damages ranging from $200 to $1,000, as well as reasonably attorneys’ fees and court costs. This right is in addition to any other remedies that may be provided for under common law or by other law or rule.

    Is an Owner’s Violation of the Act Grounds to Not Pay Rent?

    No. The Act expressly states nothing shall relieve any occupant or occupants from any obligation to pay rent or any other charge for which such occupant or occupants are otherwise liable to a person found to be in violation of the Act, and that nothing shall affect any other right or responsibility of an occupant or owner afforded to such person pursuant to a lawful lease.