Tenant Data Privacy Law
Under Local Law 63 of 2021, property owners of multiple dwellings that utilize smart access (keyless) systems, including but not limited to key fobs, electronic or computerized technology, radio frequency identification card, mobile phone application, biometric identifiers, or any other digital technology in order to grant entry to class A multiple dwelling, common areas in such multiple dwelling, or to an individual dwelling unit, must provide tenants with a data retention and privacy policy. The smart access system must have robust security and safeguards to protect the security and data of tenants and their guests.
Owners of a smart access building or third party:
- Must obtain express consent either in writing, or through a mobile application to collect reference data from a user for use in a smart access system
- May collect only the following minimum amount of authentication data and reference data necessary to enable the use of the smart access system:
- the user’s name;
- the dwelling unit number and other doors or common areas to which the user has access using such smart access system in such building;
- the user’s preferred method of contact;
- the user’s biometric identifier information (such as fingerprints, voiceprints, retina scans) if such smart access system utilizes biometric identifier information;
- the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, bluetooth or other similar technical protocols;
- passwords, passcodes, user names and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of the building, or common area of the building through the building’s smart access system, or to access any online tools used to manage user accounts related to such building;
- lease information, including move-in and, if available, move-out dates; and
- the time and method of access, solely for security purposes.
- Must destroy any authentication data collected from or generated by such smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.
- May not sell, lease or disclose data that they collect to another person unless required to by law, or if the person is the operator of the smart access system and the tenant has given consent.
- May not use any satellite navigation system or similar system in the smart access system to track user location outside of the buildings.
- May not use the smart access system to use the data collected for any purpose other than granting access and monitoring entrances and exits and access to building common areas, or to limit time of entry into the building, or require use of a smart access system to gain entry to the tenant's dwelling unit. No information may be used to harass or evict a tenant.
The Tenant Data Privacy law also:
- Provides for a private right of action for unlawful sale of data collected through the smart access system.
- Limits retention of reference data and information and use of information regarding tenants' use of utilities and internet service.
- Prohibits misuse of the smart access system to track frequency and time of use of the system in order to harass or evict a tenant, to track the relationship status of a tenant and their guests, to collect reference data from a person who is not a tenant, and to share any data collected regarding a minor, without parental permission.
For a copy of Local Law 63, please visit The New York City Council - File #: Int 1760-2019 (nyc.gov).