Your Tenant Privacy Rights

Life And Privacy

 If you are a tenant in a “smart” building – one that has an access system that uses digital technology, like an RFID card, a mobile phone application, biometric identifier, or key fob to grant entry – your landlord has the ability to collect personal data about you, like your comings and goings, socializing and frequency of guests, and patterns of work. Until recently, your landlord could do whatever they wanted with this data.

State and federal laws provide tenants with various protections, including anti-discrimination rights, credit check protections, procedures governing the eviction process, and the right to “quiet enjoyment” of their unit. Now a NYC law passed last year, which will be enforced beginning in January 2023, gives tenants new data privacy rights.

The Tenant Data Privacy Act applies to data used for access to (or within) a building. A building’s video system not used to provide entry is not subject to the law. The law requires landlords to provide tenants with a privacy policy written in “plain language” that includes information about data collection, disclosure, safeguards, retention periods, and what happens if there’s a data breach. The landlord must obtain express consent from tenants to collect access data and collect only the minimum amount necessary.

The law allows only certain types of data to be collected including name, apartment number, lease term info, building amenities the tenant has access to, contact info, passcodes, and biometric information if used. Landlords generally may not collect information on a tenant’s use of utilities (beyond monthly usage) or internet.

Generally, landlords are prohibited from using smart system access data for purposes beyond allowing entry, to limit the time of entry or departure, or for harassment or eviction purposes. They also may not use the data to track a user off premises, their frequency and time of system use, or relationship status, and are prohibited from requiring a tenant to use a smart access system instead of a key. Minors’ access information may not be collected without express parental or guardian consent.

A landlord may not sell, lease, or disclose collected data except under specified circumstances (like cooperating with law enforcement). After 90 days from collection, withdrawal of consent or moving out, the data must either be destroyed or anonymized.

If your landlord sells your access information in violation of your tenant privacy rights, you can sue them under the TDPA individually or as part of a class. Successful parties can seek damages and attorney’s fees. An aggrieved tenant may have recourse under other applicable laws as well.

Many residential buildings have converted to smart access systems, which tenants typically like because they provide convenience and added security. NYC’s law is one of the first laws nationwide to regulate data collection from residential multifamily smart buildings. It is part of a growing body of laws conferring personal data protection rights.


The information contained in this column is provided for informational purposes only and should not be construed as legal advice.

 By Gille Ann Rabbin, Esq., CIPP/US, CIPP/E

Sign up via our free email subscription service to receive notifications when new information is available.