Swipe on, Swipe off: Key Fobs are Gathering Your Data and How the New York Tenant Data Privacy Act Looks to Help

Sameer Ahirrao -

A New York City law will regulate how landlords may gather and use their tenants’ data. This law is the first of its kind to create duties and responsibilities for building owners in how they must manage data and information gathered through smart access devices.

Convenience vs Privacy

In the ongoing tug-of-war between personal convenience and data privacy, the new Tenant Data Privacy Act (TDPA) intends to secure both for renters. With new convenient ways to access your building, misplacing your keys has become an issue of the past, but as we move towards a digital/keyless entry system our landlords misusing our data has created a new worry. As you swipe into your apartment with a key fob or even your smartphone, your landlord is gathering your data, whether she knows it or not.

But what is the big deal? It’s just a Key Fob.

While one may think their key fob isn’t revealing personal or sensitive information, data brokers and hackers can use this information to determine your work schedule, weekly habits, and even your relationship status and partners.

In some cases, this data can even be used by a landlord to harass or evict a tenant. Your key fob or RFID card contains a lot of personal information such as your name, age, and address, all of which your landlord is collecting and storing with each swipe into your building. Also, many smart access systems utilize apps which use GPS technology to track your location, even when you are outside the building. And unfortunately, there have been no regulations that dictate what landlords can or cannot do with their tenants’ data, until now.

So what is the Tenant Data Privacy Act?

On April 29, 2021, The New York City Council passed the Tenant Data Privacy Act (TDPA). This soon-to-be law will require owners and managers of apartments in NYC that utilize keyless entry systems (such as key fobs, biometric identifiers, and electronic technologies such as Latch™ and Butterfly™) to create and disclose to their tenants an easy to understand data privacy and retention policy. This Act looks to create reasonable restrictions for how a landlord can manage their tenant’s data, such as limiting the categories of data that can be collected, prohibiting data sales, and creating policies for data retention.

Who does it apply to?

Unlike California’s CCPA or Virginia’s CDPA, there are no minimum income or user requirements for the law to cover a business. The TDPA applies to anyone who owns/ operates a Class A multiple dwelling in New York City that utilizes a smart access system. A smart access system is any method that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or other digital technology in order to grant entry into a Class A dwelling or common area.

Class A dwellings are buildings which are occupied by three or more families living independently of one another, such as an apartment complex or a flat house. Thousands of buildings in NYC use some sort of smart access technology, so if you are a landlord or tenant in NYC, the TDPA will likely affect you.

What does the TDPA do?

New security requirements: The TDPA requires building owners who use a smart access system to adopt stringent security measures and safeguards to protect the data of tenants, guests, and other individuals who enter the building. Such measures must include data encryption, the ability of the user to change the password, and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

Consent: All landlords will now be required to get consent, either written or through a mobile app, before collecting any data that belongs to tenants, minors (in which parental consent is required), or any guests of the smart access building. Consent can be withdrawn anytime by a tenant.

New restrictions on data collection: Even after obtaining consent, the TDPA dictates what specific types of data can be collected from the use of a smart access system. While the Act bars the collection of most data, a building owner may still collect limited types of authentication data. The allowed authentication data includes the tenant’s or guest’s name, preferred method of contact, ID card number, password, username, biometric identifier information, lease information including move-in and move-out dates, and the entrances for which access is permitted. Time and method of access information may also be collected, but that is limited for security purposes only.

New restrictions on data from utilities: The TDPA also creates restrictions for what information can be gathered through a tenant’s utility use. This Act dictates that landlords may now only collect a tenant’s monthly usage of gas, electricity, or any other utility. In addition, it is now unlawful for a landlord to collect any information about a tenant’s use of Internet services if the landlord does not provide the Internet service directly to tenants, and even then a landlord may only retain was is necessary for billing purposes.

New restrictions on use: Even though the TDPA limits what type of data can be collected, the permissible data is restricted by its use. Under the TDPA, building owners cannot sell, lease, or otherwise disclose the permissible authentication data unless one of these exceptions is met: cooperation with an active law enforcement investigation, discloser to a third party that facilitates the operation of a smart access system (for which the tenant must still consent); for utility data, but only to an entity employed to improve the energy efficiency of the building; or to a guest of the tenant, as authorized by the tenant. Additionally, the TDPA bars landlords from tracking tenants or other users of smart access systems outside of the apartment building, as well as using authentication data to harass or evict a tenant.

Duty to Delete: The TDPA also creates a data retention policy that requires building owners to continuously delete their entire resident’s (current and past) and guest’s authentication and reference data 90 days after it has been collected, except for data that has been anonymized. However, authentication data may be retained and utilized by a smart access system for longer than 90 days, if a tenant makes a specific request, in either writing or through mobile application, for the building owner to do so. This request to keep data can be withdrawn at any time in which then the data would then need to be deleted or anonymized within 90 days of their withdrawal.

Potential fines & Private Right of Action: Failure to comply with these new policies can result in fines distributed by the NYC Department of Housing. Additionally, the TDPA carves a private right of action for any resident to privately sue their landlords for up to $1,000 per tenant if their landlord took part in an illegal sale of data.

What is next?

Unless vetoed by NYC Mayor Bill de Blasio, the TDPA will become law 60 days after it signed by the Mayor’s office. If this bill follows its predicted schedule, it will become law by the end of June 2021, with a grace period that will run until January 1, 2023 allowing building owners to become fully compliant with the Tenant Data Privacy Act. When this law takes effect NYC landlords will need to:

  • Adopt a data retention policy to discover what data you are collecting, and whose data you are collecting.
  • Delete newly collected data on a continuous 90 day cycle.
  • Establish stringent security measures and safeguards to protect their tenant’s data.
  • Gather consent from your tenants to collect their data.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.