We have reminded our friends and clients recently about some requirements of the New York SHIELD Act that became effective earlier this year. See, e.g., Don’t forget physical safeguards for data privacy when returning to in-person work. We have also reminded them about the fast-approaching effective date for New York City’s new biometric privacy law for commercial establishments. See, e.g., New York City’s Biometric Privacy Law takes effect on July 9, 2021.
Just to keep some of you even busier, however, remember that the New York City Council passed yet another privacy law earlier this year that also relates, in part, to biometric privacy. That other new law, the Tenant Data Privacy Act (TDPA), applies to the collection, retention, use, and security of biometric data and other personal information in all residential buildings in New York City with three or more dwelling units.
The TDPA was passed on April 29, 2021, and deemed returned unsigned by the mayor on June 1. Technically (in a structure that may create headaches for “compliance with all laws” representations in some transactions), the law becomes effective on July 29, 2021, even though liability for violations will not arise until January 1, 2023.
What are the “reference data” and “authentication data”? The first is what you collect first — for example, a name and a picture or fingerprint — to link or refer an identity (a name) to some other data (the picture or fingerprint). The second is what you collect each time thereafter (the picture or fingerprint from an entry camera or scanner) to confirm or authenticate the identity previously established to permit access. But beware: The TDPA is not limited to biometric data. The other data linked to an identity could be something like a passcode instead of a biometric feature. See, e.g., N.Y.C. Admin. Code §§ 26-3001, 3002(a)(6). Thus, the law is potentially broader than many news stories and law firms have recognized. And hidden in one subsection, see id. § 26-3002(f), is a free-standing prohibition on collection of most data about utility services and virtually all data about internet services.
Luckily, the potentially most-dangerous provision of the new law — a private right of action with compensatory (and possibly punitive) damages, or statutory damages of $200 to $1,000 per occupant, plus attorneys’ fees — does not apply to all violations of the TDPA, but only to the improper sale, lease, or disclosure of occupants’ data.
What are we helping clients do about this? We are making sure you know to find and secure the data subject to the new law (if you do not know where the data are, you cannot destroy or anonymize the information, for example); are drafting the necessary consents (which can include lease amendments); are updating your privacy policies; and are updating your vendor policies and contracts.