Analyzing the New York City Tenant Data Privacy Act and Its Impact on the Biometric Privacy Landscape
Having just enacted the nation's first municipal-level biometric privacy law regulating "commercial establishments," New York City has added another strand to the growing web of biometric privacy regulation with its enactment of the Tenant Data Privacy Act (TDPA). The TDPA regulates the collection, use, retention and security of biometric data (as well as other forms of sensitive personal information) by owners and operators of "smart access buildings" located in New York City.
The TDPA is the latest in a string of new laws specifically targeting the collection and use of biometrics, but is the first of its kind to provide targeted requirements and limitations focused on residential “smart access” technology.
The TDPA will go into effect on July 29, 2021, although the teeth of the law—its private right of action relating to prohibited sales of biometric data—will not take effect until Jan. 1, 2023.
As such, landlords that operate in the Big Apple should consult with experienced biometric privacy counsel to begin coming into compliance with the TDPA immediately. At the same time, landlords outside of New York City should also consider enhancing their own biometric privacy compliance programs at this time, as it is likely that similar laws will be enacted in other parts of the country soon.
The TDPA applies to "smart access buildings," meaning any home or other type of residence occupied by three or more families that uses a "smart access system" to grant entry to the building's common areas or to individual dwelling units. Smart access systems encompass biometric systems and other types of advanced digital access technology, such as key fobs and mobile applications.
Importantly, unlike California’s and Virginia’s broader consumer privacy laws, the TDPA does not provide any revenue or other thresholds that must be satisfied before a company can be considered to fall within the scope of the law. Rather, all owners and landlords that utilize biometric data to facilitate building access—regardless of size—are required to comply with the TDPA.
Two other definitions of importance to the TDPA are “reference data” and “authentication data.” Reference data refers to data that is initially collected to be used by a smart access system to verify an individual’s identity, and authentication data refers to data that is generated or collected at the point of authentication, i.e., at the time an individual seeks access to a building.
Under the TDPA, owners of smart buildings that regulate access with the help of biometrics must adhere to several requirements and limitations:
- Data collection limitations: Owners may collect biometric data only if their smart access system actually uses such information. In addition, even when collection is permitted, owners are barred from collecting any biometric data beyond what is needed to operate the smart access system.
- Express consent: Before any biometric data is collected, tenants and guests must first provide their express consent, either in writing or through a mobile application.
- Retention limitations: Subject to certain limited exceptions, biometric data must be permanently destroyed within specified timeframes; namely, 90 days after authentication data is collected and 90 days after a tenant moves out or a visitor’s access expires.
- Prohibition on other uses of biometric data: Biometric data cannot be sold, leased, or disclosed unless a tenant or visitor gives express authorization in writing or through a mobile application.
- Security measures: “Stringent” security measures must be maintained to safeguard biometric data, including—at a minimum—encryption, firmware that allows for the remediation of any security or vulnerability issues, and the ability to change passwords (if they are used).
Importantly, the TDPA provides a private right of action that allows tenants to pursue class action litigation in connection with the unlawful sale of their biometric data. Under the TDPA’s private right of action effective Jan. 1, 2023, tenants can recover compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, along with attorney fees. In some instances, tenants may be able to recover punitive damages as well.
There are several key takeaways from the passage of the TDPA.
First, the enactment of the TDPA continues the upward trend of municipalities becoming active on the biometric privacy front by adopting their own laws targeting the collection and use of biometric data. Biometric privacy is no longer merely the province of state lawmakers.
In addition to the TDPA and the Big Apple’s new biometric privacy law regulating “commercial establishments,” Portland, Ore. also recently enacted the nation’s first private-sector ban over the use of facial recognition technology, which went into effect at the start of 2021. Combined, the success seen by Portland and New York City in enacting strict regulation over the use of biometrics may encourage lawmakers in other cities to follow suit by enacting similar ordinances of their own to further regulate the collection, use and security of biometric data.
In addition, and perhaps more importantly, the private right of action contained in the TDPA continues the swift transition by state and municipal lawmakers away from administrative enforcement (which places enforcement in the hands of state attorneys general or their municipal equivalents) and toward private rights of action, which expose businesses to significant liability through the potential for consumer class action litigation.
Although the TDPA's private right of action does not take effect until the start of 2023, the law's substantive requirements apply from July 29, 2021, so owners of smart access buildings in New York City who use biometric data for tenant and visitor access purposes should begin complying with the TDPA immediately. Moreover, owners located outside of New York City are well advised to update their compliance programs to incorporate the requirements and limitations set forth in the TDPA, as similar laws are likely to be enacted in other parts of the country in the near future.
In particular, owners should work with experienced privacy counsel on the following:
- Consent mechanisms: Develop methods for obtaining the necessary consents from tenants, such as through updating current lease agreements.
- Systems for permanently deleting biometric data: Develop systems and procedures to ensure that all tenant and visitor biometric data is permanently deleted within the TDPA’s mandatory timeframes.
- Data security: Implement the necessary data security measures to comply with the security component of the TDPA.
- Vendor management: Because the TDPA applies with equal force to vendors, assess current vendors’ ability to comply with the TDPA and update vendor contracts to take into consideration the new issues raised by the law, such as by adding an indemnification provision pertaining to vendor non-compliance with the law and security breaches caused by the acts and/or omissions of the vendor.
The TDPA represents the first law directly regulating biometric data used for tenant access purposes, but it will almost certainly not be the last. Because the TDPA is likely to encourage other municipal and state legislators to enact similar laws in their own jurisdictions, owners, landlords and others in the real estate sector that use biometric data as a method of residential access control are well advised to update their biometric privacy compliance programs to satisfy the TDPA's requirements and limitations. Doing so will help ensure continued compliance with the ever-expanding web of biometric privacy laws and mitigate potential liability exposure.
“Analyzing the New York City Tenant Data Privacy Act and Its Impact on the Biometric Privacy Landscape,” by David J. Oberly was published in the New York Law Journal on June 25, 2021.
Reprinted with permission from the June 25, 2021, edition of the New York Law Journal © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.