The Real Estate Board of New York to The Committees on Criminal Justice, Justice System, General Welfare, Public Housing, and Housing and Buildings of the New York City Council Concerning Int. 1760

Download the Testimony

The Real Estate Board of New York (REBNY) is the City’s leading real estate trade association representing commercial, residential, and institutional property owners, builders, managers, investors, brokers, salespeople, and other organizations and individuals active in New York City real estate. REBNY thanks the Committee for the opportunity to testify on legislation that would regulate the collection and retention of data associated with smart access systems in multiple dwelling buildings.

REBNY understands there is widespread concern about personal data and privacy. From social media hacking to sales of personal data to data breaches, technological advances have made individuals’ sensitive information available for misuse. Because of the gravity of the concerns, REBNY supports efforts to develop an appropriate regulatory regime and appreciates the opportunity to help do so in the City of New York.

Many buildings have chosen to install smart access systems and have done so out of the interests of their tenants. These systems offer increased security, improved customer service, and greater efficiency. It is therefore important that the regulation of such systems strikes the correct balance in upholding privacy and data concerns while not undercutting the value of such systems, particularly in their ability to offer a safe living environment.  

BILL: Int. 1760-2019

SUBJECT: A Local Law to amend the administrative code of the city of New York, in relation to tenant data privacy.

SPONSORS: Council Members Levine, Kallos, Torres, Rivera, Brannan, Cabrera, Rosenthal, Menchaca, Reynoso, Cornegy, Chin, Ampry-Samuel, Holden, Louis, Richards, Lander, Koo, Maisel, Rose,  Constantinides, Ayala, Gibson, Grodenchik, Powers, Moya, Adams and Koslowitz

Int. 1760 would require owners of multiple dwelling buildings that use smart access systems, including but not limited to key fobs or biometric identifiers, to provide residents with a data collection, retention, and privacy policy. The bill would restrict the collected data to that which is necessary for confirming right of access to the property. It would also require the properties to receive consent from tenants to use such systems, regularly destroy the collected reference data, and restrict the sharing of data with third parties without consent.

REBNY shares the Council’s concern for transparency and consent in the collection of any personally identifiable information as well as the policies governing the data retention. Protecting residents’ privacy is a critical component of ensuring an equal and safe place to live. To that end, however, we encourage Council to consider how some provisions of the legislation could be improved.

Current bill language states that “a smart access system to collect information about the frequency and time of such system by a tenant and their guests” would be restricted. While REBNY respects residents’ right to come and go freely and without observation, this clause limits the usefulness of smart access systems. Specifically, by preventing the collection of information about tenants and guests’ frequency and timing of entry, it would significantly hinder an owner’s ability to investigate illegal short-term rental operations. Such investigations are normally prompted from a complaint of a full-time resident. Out of an obligation to community safety as well as the City’s law, building management will use the access data to help determine who is entering the building and if that person is legally authorized to be there. To better protect the building residents and enforce City law, Council should create an exception to this proviso that allows an owner to utilize the data to investigate in good faith – and consistent with existing protections for tenants relating to retaliation and harassment –  lease violations relating to primary residency, illegal short-term sublets/hoteling, illegal conduct, subpoenas issued by law enforcement, insurance claims, etc.    

The bill also establishes a restriction on the collection and use of data collected from tenants’ utility usage and would require consent from tenants to use such information or share it with third parties. As the Council is well-aware, sustainability is central to the real estate industry and many companies have set ambitious climate goals. To manage their progress, however, it is essential buildings be able to measure energy use. As written, the bill will meaningfully limit owners’ ability to drive ESG initiatives where the information is tied to energy use in dwelling units. The utility use information is typically shared with third parties with all personal associated data redacted, in order to analyze building performance and help orient plans for better environmental outcomes. To ensure that legislation not undercut any building’s environmental goals, it should provide an exemption for the sharing of utility information with third parties, provided that it is void of all personally identifiable information and shared only with the intention of providing greater understanding of the building’s environmental profile.

Another point for consideration is that the bill states that ownership of the authentication data remains to the tenant unless also granted to the owner by the tenant. It is important to note that much of the data covered is not maintained by the management company or the building but is embedded in applications set up by the resident, the vendor, or the vendor’s contractor. While the data is owned by the tenant and their landlord, with consent, it is stored and maintained by those service providers and data processors. To better ensure the protection of individuals’ data and privacy, the legislation could be strengthened by making the data management companies’ responsibility more explicit. We offer the following suggestion:

“§ 27-2051.7 Prohibitions. a. It shall be unlawful for any entity that collects, stores, maintains or processes data pursuant to section 27- 2051.6….”

This slight amendment will clarify that the protection and retention policy for data is not solely the responsibility of the property owner and explicitly extends the same obligations to any company that is granted access to the data.

Thank you for the consideration of these points.