Owners of New York City apartment buildings should take notice of the new Tenant Data Privacy Act (the TDPA). The TDPA will regulate the collection, use, safeguarding, and retention of tenant data by owners of “smart access” residential buildings. The new law was enacted on May 30, 2021, and will become effective at the end of June 2021. Owners of New York City residential buildings will have until January 1, 2023, to come into compliance.
The TDPA defines smart access buildings as any multiple dwelling that uses an electronic keyless entry system (e.g. a key fob), radio frequency identification cards, mobile apps, biometric information or other digital technology to access a multiple dwelling, common areas or individual units. A multiple dwelling is a residential building with at least three units.
Under the TDPA, landlords of smart access buildings will be required to do the following:
Landlords and any other entities that collect data through smart access systems will be prohibited from selling or disclosing tenant data to third parties, engaging in location tracking outside the premises, and determining the frequency of tenant and guest ingress/egress. Landlords will also be prohibited from collecting information about tenants’ use of internet services and utilities.
The TDPA creates a private right of action for tenants whose data is sold and used in violation of the TDPA. Such tenants may seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorneys’ fees. Whether the law grants such rights to tenants of a cooperative remains an open question. In addition to the private right of action granted to tenants, landlords and system providers will be required to delete any data collected in violation of the TDPA.
For assistance with coming into compliance with the TDPA, please contact Real Estate partner Kris Ferranti.
Special thanks to Shearman & Sterling Felicia Belli for her contribution to this client publication.