We have reminded our friends and clients recently about some requirements of the New York SHIELD Act that became effective earlier this year. See, e.g., Don’t forget physical safeguards for data privacy when returning to in-person work. We have also reminded them about the fast-approaching effective date for New York City’s new biometric privacy law for commercial establishments. See, e.g., New York City’s Biometric Privacy Law takes effect on July 9, 2021.
Just to keep some of you even busier, however, remember that the New York City Council passed yet another privacy law earlier this year that also relates, in part, to biometric privacy. That other new law, the Tenant Data Privacy Act (TDPA), applies to the collection, retention, use, and security of biometric data and other personal information in all residential buildings in New York City with three or more dwelling units.
The TDPA was passed on April 29, 2021, and deemed returned unsigned by the mayor on June 1. Technically (in a structure that may create headaches for “compliance with all laws” representations in some transactions), the law becomes effective on July 29, 2021, even though liability for violations will not arise until January 1, 2023.
The way the TDPA works is to: (1) limit the collection of data for “smart access” systems to what such systems require for operation; (2) require consent in advance, in writing or through a mobile application, to the collection of “reference data” and “authentication data” from tenants and visitors; (3) require (with some exceptions) the destruction or anonymization of all “reference data” 90 days after a tenant moves out or a visitor’s access expires, and the destruction or anonymization of all “authentication data” 90 days after it is collected; (4) require providing tenants with a written privacy policy with certain mandatory disclosures; (5) require the maintenance of certain “stringent” data security measures; and (6) forbid almost all sale, lease, or disclosure data to any third party unless the relevant tenant or visitor expressly agrees — in an authorization that identifies that third party by name.
What are the “reference data” and “authentication data? The first is what you collect first — for example, a name and a picture or fingerprint — to link or refer an identity (a name) to some other data (the picture or fingerprint). The second is what you collect each time thereafter (the picture or fingerprint from an entry camera or scanner) to confirm or authenticate the identity previously established to permit access. But beware: The TDPA is not limited to biometric data. The other data linked to an identity could be something like a passcode instead of a biometric feature. See, e.g., N.Y.C. Admin. Code §§ 26-3001, 3002(a)(6). Thus, the law is potentially broader than many news stories and law firms have recognized. And hidden in one subsection, see id. § 26-3002(f), is a free-standing prohibition on collection of most data about utility services and virtually all data about internet services.
Luckily, the potentially most-dangerous provision of the new law — a private right of action with compensatory (and possibly punitive) damages, or statutory damages of $200 to $1,000 per occupant, plus attorneys’ fees — does not apply to all violations of the TDPA, but only to the improper sale, lease, or disclosure of occupants’ data.
What are we helping clients do about this? We are making sure you know to find and secure the data subject to the new law (if you do not know where the data are, you cannot destroy or anonymize the information, for example); are drafting the necessary consents (which can include lease amendments); are updating your privacy policies; and are updating your vendor policies and contracts.