Two new laws recently went into effect in New York City that regulate the collection, storage, and disclosure of information that can identify an individual “biometrically”—that is, by way of their fingerprints, retinal or iris scan, facial recognition, or voice recognition, among other unique identifying information. At a time when many residential buildings are incorporating this type of “proptech” into their access control and security systems, it is crucial that condominium associations and cooperative corporations be aware of the restrictions and notice requirements that these new laws put into effect. The laws provide for steep fines, legal fees, and other penalties related to improper sale and use of biometric data by commercial establishments - including building owners and operators.
CooperatorNews spoke with attorney Steven Ebert, a partner with the New York-based national law firm Cassin & Cassin LLP, who specializes in real estate, finance, and general business transactions. He informs us that the new laws—Biometric Identifier Information, Chapter 12 of the New York City Administrative Code, and the Tenant Data Privacy Act (TDPA)—reflect a growing concern among municipalities in the U.S. about the ever-evolving technologies that capture, store, disseminate, and otherwise use individual physiological identifiers, and are increasingly being deployed in commercial and residential environments.
Biometric Privacy Law
The Biometric Privacy Law went into effect on July 9, 2021, and requires any commercial establishment that collects, retains, converts, stores, or shares customers’ biometric identifier information to disclose such activity using clear and conspicuous signage near all customer entrances. The law also forbids these establishments to sell, lease, trade, share in exchange for anything of value, or otherwise profit from the transaction of biometric identifier information.
Ebert says this law could have implications for a co-op or condo that includes commercial units, as many in New York do. In such scenarios, he warns, “You need to be very careful when it comes to who owns a security camera, or cameras. Imagine if you have an outdoor café, and there’s a security camera—is it the restaurant’s camera? Is it the building’s camera? Also, what if the building, or more specifically the ownership of the building, also has an ownership stake in the [business] institution?” Buildings with commercial establishments that include sales of food and drink, retail, or entertainment are subject to this law, and as such, Ebert says boards and managers need to have a very clear understanding of who owns, and therefore bears responsibility - and liability - for images and other bio-data that may be captured and stored by the systems in place on their premises.
TDPA - What Does it Require?
Of more direct consequence to New York co-ops, condos, and other residential properties is the Tenant Data Privacy Act. The TDPA technically went into effect last week on July 29, 2021, and any new Class A multiple dwelling (any residential building with three or more units) with ‘smart access' technology that comes online after August 1, 2021, must start complying immediately. Existing buildings have until January 1, 2023 to comply.