Privacy Law Essentials: New York City's Tenant Data Privacy Act

July 16, 2021
Hinshaw Privacy & Cyber Bytes

Hinshaw summer associate Jenny Li contributed to the research and drafting of this alert.

The New York City Tenant Data Privacy Act (TDPA) was passed on May 28, 2021. Scheduled to go into effect on July 29, 2021, the law addresses a number of perceived privacy-related issues concerning smart access systems in multifamily buildings.

To whom does it apply?

The law will affect three groups of people: owners of smart access buildings, tenants of smart access buildings and their guests, and third-party entities that install or operate the smart access system for such buildings. A smart access building is any Class A multifamily building—or any multifamily building occupied for permanent residence purposes—that uses a smart access system. A smart access system is any system that uses digital technology such as key cards, fobs, phones, and fingerprints to grant entry to the building, its common areas, or an individual unit in the building.

What types of information does it cover?

The law applies to authentication data and reference data. Authentication data is data generated or collected to grant entry into a smart access building. Such data excludes any data generated or collected by a video or camera system that monitors entrances but does not grant entry. Reference data is data against which authentication data is checked for identity verification.

What does the law require and prohibit?

Data Collection

Building owners and third-party entities must obtain express consent from tenants and their guests before collecting their data. Even after obtaining express consent, building owners and third-party entities are limited to collecting or using the following information:


Building owners and third-party entities are prohibited from:

Furthermore, building owners are prohibited from:

What obligations will it impose?

Data Destruction and Retention

If building owners or third-party entities violate the prohibition on collecting unauthorized data about an individual, deliberately collecting information on the relationship status of their tenants and guests, or tracking the frequency that tenants or guests use the smart access system, the building owner or third-party entity must immediately destroy the data.

Building owners and third-party entities must also destroy data collected or generated by a smart access system within 90 days of collection or generation unless the data is anonymized.

Additionally, unless removing the tenant or guest's data makes the smart access system inoperable, their data must be removed within 90 days of the following events:

However, if removing the data makes the smart access system inoperable, the tenant or guest's data must be anonymized.

Nevertheless, building owners and third-party entities can retain data beyond the 90-day time frame where:

Data Safeguards

To protect the security of individuals' data, the law requires stringent security measures and safeguards be implemented. At a minimum, security measures must include data encryption, regularly updated firmware, and the ability for the user to change the password if the smart access system uses a password.

Privacy Policy

Building owners must provide a written privacy policy to tenants. The policy must use plain language and include the following information:

Furthermore, building owners must provide to tenants the written privacy policy of the entity who developed the smart access system or who currently operates the smart access system.

What remedies will the law provide?

Tenants can sue building owners or third-party entities for violating the prohibition against the sale of data to another person. Each tenant can recover damages of $200 to $1,000 for each unlawful sale of data, along with attorneys' fees and court costs.

When does it go into effect?

The TDPA will go into effect on July 29, 2021. Owners of existing smart access buildings have until January 1, 2023, to comply with the law. Owners of smart access buildings that are new or go online after the law takes effect must comply immediately.