Tenant Data Privacy Act Enacted by NY City Council

Photo by Barry Williams/for New York Daily News

Returned unsigned by the Mayor’s office, Local Law No. 63 – the Tenant Data Privacy Act – has been enacted by City Council on May 30th, 2021. 

This law essentially requires owners of multifamily dwellings with smart access systems to protect the personal information of their tenants by providing them with a privacy policy. 

Here are the details of the law: 

Scope

Smart access refers to keyless entries into units or common areas, such as a gym or laundry room. The technology including under the umbrella of smart access includes: 1) digital, electronic, or computerized technology, 2) radio frequency identification (RFID) cards; 3) mobile phone applications; and 4) biometric identifier information.

Information protected under the law includes: 1) authentication data used at the point of entry to grant access to the unit or common areas, under which security camera footage is included if it is used to grant entry; 2) reference data; 3) tenant utilities records; and 4) internet service. 

Privacy policies

A landlord or third-party smart access system operator can only connect the minimum amount of authentication and reference data in their efforts to operate the smart access system. They must obtain consent from the tenant to use their authentication and reference data, either in writing or via mobile application; landlords must supply tenants a privacy policy – of their own, of the smart access system developer, and of the current operator – all  written in “plain language” that includes the minimum information required by law in order for consent to be informed.  

Protecting Data

All of the authentication and reference data obtained by landlords/third-parties about tenants must be safeguarded appropriately. Proper protections include: 1) data encryption; 2) the tenant’s ability to change a password for password-protected systems; and 3) regularly updated firmware to enable system fixes. 

Using Data

All of the authentication and reference data obtained by landlords/third-parties about tenants can only be used to grant and monitor access. Uses that are not allowed under this law include: 1) tracking a user’s location outside the building, frequency and time of system use, or relationship status; 2) collecting information about a minor without the express consent of a parent or guardian; 3) and harassing or evicting a tenant. 

Unless it is in compliance with a subpoena or in cooperation with an ongoing law enforcement investigation, a landlord/third-party can not sell, lease, or disclose any of the authentication and reference data obtained about tenants. 

Private right of action 

Should a landlord/third-party sell any of the authentication and reference data obtained, the tenant or occupation group (as a class) may seek compensatory and punitive damages, or statutory damages. These can range from $100 to $200 per tenant, excluding attorneys’ fees and costs. This excludes any common law remedy or code violation penalty. It does not, however, exclude the tenant from paying rent or charges due to the landlord/third-party. 

Destroying Data

All of the authentication data obtained by landlords/third-parties about tenants must be destroyed within 90 days of being generated or collected. 

All of the reference data obtained by landlords/third-parties about tenants must be destroyed within 90 days of the tenant permanently vacating or withdrawing consent.

Although the law was enacted in May, it does not become effective until July 29th, and liability for violations will not begin until January 1st, 2023. 

As such, landlords should begin understanding and implementing the requirements set forth in this law. 

Recommendations:

• Develop privacy policies for tenants
• Secure consent from tenants to use keyless entry systems
• Proactively protect tenant personal information 

For more information, here is the official text regarding City Council’s law: 

https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4196254&GUID=29A4B0E2-4C1F-472B-AE88-AE10B5313AC1&Options=ID%7cText%7c&Search=

Founded by attorneys Andreas Koutsoudakis and Michael Iakovou, KI Legal focuses on guiding companies and businesses throughout the entire legal spectrum as it relates to their business including day-to-day operations and compliance, litigation and transactional matters.

Connect with Andreas Koutsoudakis on LinkedIn.

Connect with Michael Iakovou on LinkedIn.

This information is the most up to date news available as of the date posted. Please be advised that any information posted on the KI Legal Blog or Social Channels is being supplied for informational purposes only and is subject to change at any time. For more information, and clarity surrounding your individual organization or current situation, contact a member of the KI Legal team, or fill out a new client intake form.