Two new laws recently went into effect in New York City that regulate the collection, storage, and disclosure of information that can identify an individual “biometrically”—that is, by way of their fingerprints, retinal or iris scan, facial recognition, or voice recognition, among other unique identifying information. At a time when many residential buildings are incorporating this type of “proptech” into their access control and security systems, it is crucial that condominium associations and cooperative corporations be aware of the restrictions and notice requirements that these new laws put into effect. The laws provide for steep fines, legal fees, and other penalties related to improper sale and use of biometric data by commercial establishments - including building owners and operators.
CooperatorNews spoke with attorney Steven Ebert, a partner with the New York-based national law firm Cassin & Cassin LLP, who specializes in real estate, finance, and general business transactions. He informs us that the new laws—Biometric Identifier Information, Chapter 12 of the New York City Administrative Code, and the Tenant Data Privacy Act (TDPA)—reflect a growing concern among municipalities in the U.S. about the ever-evolving technologies that capture, store, disseminate, and otherwise use individual physiological identifiers, and are increasingly being deployed in commercial and residential environments.
Biometric Privacy Law
The Biometric Privacy Law went into effect on July 9, 2021, and requires any commercial establishment that collects, retains, converts, stores, or shares customers’ biometric identifier information to disclose such activity using clear and conspicuous signage near all customer entrances. The law also forbids these establishments to sell, lease, trade, share in exchange for anything of value, or otherwise profit from the transaction of biometric identifier information.
Ebert says this law could have implications for a co-op or condo that includes commercial units, as many in New York do. In such scenarios, he warns, “You need to be very careful when it comes to who owns a security camera, or cameras. Imagine if you have an outdoor café, and there’s a security camera—is it the restaurant’s camera? Is it the building’s camera? Also, what if the building, or more specifically the ownership of the building, also has an ownership stake in the [business] institution?” Buildings with commercial establishments that include sales of food and drink, retail, or entertainment are subject to this law, and as such, Ebert says boards and managers need to have a very clear understanding of who owns, and therefore bears responsibility - and liability - for images and other bio-data that may be captured and stored by the systems in place on their premises.
TDPA - What Does it Require?
Of more direct consequence to New York co-ops, condos, and other residential properties is the Tenant Data Privacy Act. The TDPA technically went into effect last week on July 29, 2021, and any new Class A multiple dwelling (any residential building with three or more units) with ‘smart access’ technology that comes online after August 1, 2021, must start complying immediately. Existing buildings have until January 1, 2023 to comply.
“What the Act requires,” says Ebert, “is that [each building or association has] to provide privacy notices for tenants; they have to let them know all about the smart access system, and obtain consent. There has to be a data retention policy that requires the data to be destroyed or anonymized within 90 days. They also have to make sure the data is not sold or shared. Ultimately, they have to really protect and manage the data.”
Existing laws such as the SHIELD Act already require businesses - including co-op corporations, certain incorporated condominiums, and their managing agents - to adequately protect personal data and private information. Therefore, robust data encryption and storage should already be in place, as well as policies and procedures surrounding how the data is collected and used.
“Where I see a lot of people have problems is in data retention policies,” notes Ebert. “They’re not allowed to just keep that data forever. It’s so important how they collect the data, how they store and protect the data, how they transmit data, and how they delete the data. It’s important that they have efficient solutions, because there are some penalties out there, as well as reputational concerns.”
What Types of Data Are Included?
Ebert cautions that the TDPA is not limited to biometric data. The smart technology used in modern buildings can include data that comes from linking to a mobile device, a key fob, or even a passcode. “It can also be RFID technology—what you see on credit cards or passports now,” he continues. “These types of access systems are very popular, and would trigger this law, even for a small portion of the building—to enter a fitness center or a parking garage, for example, and not just access to the resident’s apartment.”
Buildings and communities also must pay attention to what data is being collected. Information about residents’ internet usage, for example, is forbidden. “It is also illegal under this law for [property managers or boards of directors] to use the smart access system to limit the time of entry for a user,” Ebert adds. In other words, cutting off a resident’s access to a health club during regular hours for nonpayment of fees as an end-run around going to court is not allowed under the law.
Building owners and managers are also required to articulate their policies around data privacy, protection, retention, and deletion, and to distribute that information to all residents using plain language. Collected information must also be anonymized or destroyed within 90 days after collection, Ebert advises. “So the law has a very defined period in which this information has to be destroyed.”
What Are the Penalties?
“An important point is what we call a ‘private right of action,’” says Ebert. “The initial fines per incident may seem low: $200 to $1,000. But here’s two other extras: Individuals can sue [an association or landlord] for what we call ‘compensatory and punitive damages.’ This law is on top of any common law right to sue, and does not knock out other remedies; the tenant can also sue for attorneys’ fees, and you also have the potential for a class action suit. So maybe a $1,000 fine is not a lot. But if you have ownership that owns 10,000 apartments around the city, well, take $1,000 times 10,000, and that gets very expensive. And if they’re making that error for one tenant, they’re probably mishandling the information for everyone. So this technology needs to be rolled out in a very careful way.”
Ebert stresses that this new legislation isn’t all hassle and risk. “There’s a lot of upside,” he says. “I don’t want to discourage buildings from implementing efficiencies and innovation; they just have to make sure that they’re complying with the new rules.”
How Might These Laws Evolve?
“Technology is going to move rapidly,” says Ebert. “As more and more tenants become more technology-comfortable, implementing smart tech is a great way for buildings to show that they’re using best-in-class features. Residents like these amenities and systems. It also does provide a lot of security. It’s harder to copy facial recognition than a regular key that someone can just take to a locksmith. There’s a lot of ways that this can work for everyone’s benefit.”
That said, there are some angles that the new laws have not yet addressed, says Ebert. “Religious observance, for example. Say somebody is not using technology during the Sabbath—the law does not address that fully. Landlords and boards should make sure they have backup options for reasonable accommodations—that’s going to be very important. They also need to keep in mind the power grid for the building. What if the power goes out? There must be backup plans.”
What Can Boards & Managers Do?
When it comes to how boards and managers should navigate this new landscape, “They should make sure they do their research,” says Ebert. “You need to have the right kind of systems—don’t just buy something off the shelf and just have your building super run it. That would be a mistake. You need a point person, whether it’s your legal counsel, your management company, or a committee on technology and privacy - the best would be a combination of all three. If you have smart planning, this is very easy to follow. That’s a positive thing about this law. I think the lesson is that it all needs to be managed properly. This is an area that evolves a lot, and can evolve quickly. Buildings need to have an implementation plan with it.”
Other Concerns for Specific Buildings
Ebert says he’s “more concerned for the smaller property owners [or buildings] out there,” when it comes to taking this issue seriously. “Because [a manager or owner] may say, ‘We’ve got 20 units, and in a COVID environment, we’ll just put in this smart locking system so [we] can remotely open and close and change things, and don’t even need to be on-site at the property, or worry about having a lockbox for keys.’” But what may seem like a boon to convenience could bring them into conflict with the law, if not executed carefully and properly, Ebert cautions. “It’s important for the board to bring this up at one of the annual meetings, or call a special meeting to help residents understand the pros and cons of the data collection and make sure it fits in with the culture of the building.”
For example, says Ebert, “What about all the buildings that have rolled out virtual doorman systems? They need to go back and take a look and say, ‘Have we done our due diligence to make sure we’re not attributed with any responsibility?’” He says this is especially true for smaller buildings, which are more likely to make use of virtual doorman technology. “If you have a virtual doorman,” says Ebert, “you’re generally talking about smaller buildings that can’t afford to have a live human doorman there regularly. They need to have counsel look at the virtual doorman service contract to see who ultimately is responsible for data collection, control, and breaches. Whose network are those security cameras working on? Are they totally controlled by that virtual doorman vendor, or do they somehow plug into the building systems? Is it hardwired? Or wireless? Does the data get transferred? How is it stored, and for how long? How protected are the codes? Who can get access to that information?”
Ultimately, what these laws provide is a backstop to the broad - and intimate - personal and physiological data that today’s technologies are able to capture. Managers and operators of multifamily communities must approach security and any other system that collects personal data with eyes wide open. “People are looking for integrated solutions that might also tie into their systems,” says Ebert, “but you have to be careful. There’s a lot of rich data out there, and people need to be mindful and make sure that innovation is balanced with protection and compliance.”