Returned unsigned by the Mayor’s office, Local Law No. 63 – the Tenant Data Privacy Act – was enacted by City Council on May 30th, 2021.
Here are the details of the law:
Smart access refers to keyless entries into units or common areas, such as a gym or laundry room. The technology included under the umbrella of smart access includes: 1) digital, electronic, or computerized technology; 2) radio frequency identification (RFID) cards; 3) mobile phone applications; and 4) biometric identifier information.
Information protected under the law includes: 1) authentication data used at the point of entry to grant access to the unit or common areas, under which security camera footage is included if it is used to grant entry; 2) reference data; 3) tenant utilities records; and 4) internet service.
All of the authentication and reference data obtained by landlords/third-parties about tenants must be safeguarded appropriately. Proper protections include: 1) data encryption; 2) the tenant’s ability to change a password for password-protected systems; and 3) regularly updated firmware to enable system fixes.
All of the authentication and reference data obtained by landlords/third-parties about tenants can only be used to grant and monitor access. Uses that are not allowed under this law include: 1) tracking a user’s location outside the building, frequency and time of system use, or relationship status; 2) collecting information about a minor without the express consent of a parent or guardian; and 3) harassing or evicting a tenant.
Unless it is in compliance with a subpoena or in cooperation with an ongoing law enforcement investigation, a landlord/third-party cannot sell, lease, or disclose any of the authentication and reference data obtained about tenants.
Private right of action
Should a landlord/third-party sell any of the authentication and reference data obtained, the tenant or occupation group (as a class) may seek compensatory and punitive damages, or statutory damages. These can range from $100 to $200 per tenant, excluding attorneys’ fees and costs. This excludes any common law remedy or code violation penalty. It does not, however, exclude the tenant from paying rent or charges due to the landlord/third-party.
All of the authentication data obtained by landlords/third-parties about tenants must be destroyed within 90 days of being generated or collected.
All of the reference data obtained by landlords/third-parties about tenants must be destroyed within 90 days of the tenant permanently vacating or withdrawing consent.
Although the law was enacted in May, it does not become effective until July 29th, and liability for violations will not begin until January 1st, 2023.
As such, landlords should begin understanding and implementing the requirements set forth in this law.
- Develop privacy policies for tenants
- Secure consent from tenants to use keyless entry systems
- Proactively protect tenant personal information
For more information, here is the official text regarding City Council’s law: