With yet another recently proposed data privacy bill, New York appears to be doubling down on data privacy.

The latest, the Tenant Data Privacy Act, passed by the New York City Council late last month, would apply to building owners in the city

Under the TDPA, which would amend the administrative code of the city of New York, building owners who oversee “smart access” buildings – any building that uses electronic or computerized technology to facilitate entry, think key fobs, apps, RFID cards, or biometric data – would have to ensure tenant data is kept secure.

Building owners would have to implement policies, procedures, and technology to guarantee that tenant data is collected properly, safeguarded, and when the time is right, that authentication data destroyed.

To break down the requirements further, let’s dig into the four basic tenets of the TDPA as it stands currently.

Consent

The law will require building owners to obtain express consent from a tenant, either in writing or via a mobile app, to collect reference data, or data that connects the tenant to the system they’re using to access the building. Building owners would only be permitted to collect the minimum amount of data necessary, essentially whatever it takes to enable the smart system to work effectively.

Privacy policy

Building owners need to outline, in plain language, its privacy policy. How data it collects will be used, who it will be shared with, how it'll be protected, and how long it will be held by the building owner.

Stringent Security Safeguards

Building owners need to ensure the smart access system they have in place has security measures in place that can protect the security and data of tenants, guests, and other individuals who use it. Data encryption, the ability for the user to change the password, and firmware that's able to be regularly updated in case vulnerabilities arise.

Data retention

Building owners would need to destroy any data collected from or generated by smart access systems in their possession no later than 90 days after its been collected or generated, except for authentication data in anonymized format.

As it stands, it sounds as if the TDPA will take effect at the end of next month as long as it isn't vetoed by the city's mayor. Building owners wouldn't have to technically comply with the legislation until January 1, 2023, following a lengthy grace period.

Of course, it’s still too early to tell whether the Tenant Data Privacy Act will become law – but given recent data privacy machinations in the state, it seems like it could be on the fast track.

The state's Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, went into effect last March, during the pandemic. The law, an update to New York's data breach notification law, applies to any organization in New York that either owns or licenses computerized data containing private data of New Yorkers.

Under the Act, requires any organization that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to disposal of data.

Like many states, New York also has a state-centric consumer data privacy looming. Governor Andrew Cuomo said earlier this year developing a comprehensive data privacy bill - one that establishes a Consumer Data Privacy Bill of Rights - was a priority for the state in 2021.

The state's Department of Financial Services, of course, still has its Cybersecurity Regulation - applicable to financial services that operate in the state - on the books.

The department has been cracking down on violations of the regulation recently, agreeing to million dollar settlements with two companies, one for $1.5 million in March and another for $3 million in April.