
Disclaimer: This is not legal advice. We are not a law firm. This is our interpretation of the Tenant Data Privacy Act. Please contact a licensed attorney if you need assistance interpreting this or any laws.


The NYC Tenant Data Privacy Act was passed on May 28, 2021. For New York City multifamily property owners and managers, this law might mean some changes to the way you currently operate your building. Want some clarification on what the Tenant Data Privacy Act (TDPA) will mean for you? Read on to find out.

In this post, we explain what the Tenant Data Privacy Act is and how it will affect you. Then, we go over why it’s important to comply, and the specific steps you can take to make sure you comply.



What is the NYC Tenant Data Privacy Act?

The NYC Tenant Data Privacy Act is a set of rules and regulations regarding tenant data associated with the use of smart access systems. If your building has a smart access control system, you have until January 1, 2023, to comply with this law.

From smart locks to intercoms, smart building hardware depends on internet-connected components and databases to give residents access to more features. Over the course of an average day, a smart lock can learn a lot, such as how often a resident enters and exits their building, whether they have guests over, and lots of other sensitive information.

The TDPA protects information like this. It also imposes penalties on building owners or third-party installers and operators that sell this information or otherwise use it improperly.

The Tenant Data Privacy Act is part of a larger push to protect the data of New York’s citizens, a push that started with the more wide-ranging New York Privacy Act passed in 2021.

TDPA protects information like:

  • Tenant and guest names
  • The unit number and areas in the building that a tenant or guest can access with the smart access system
  • A tenant’s or guest’s preferred method of contact
  • Biometric credential information, like fingerprints
  • Usernames, passwords, PIN codes, and other credential information
  • Lease information, like move-in and move-out dates
  • The time and method of a tenant’s or guest’s entry




What does the TDPA mean for you?

Depending on your role in a smart building, you’re entitled to different things under the Tenant Data Privacy Act.

Here’s how the tenant data privacy law affects you if you’re a:




Building owners

If you own a building that uses smart access control technology, understanding the Tenant Data Privacy Act starts with understanding the differences between two types of data: authentication data and reference data.

Authentication data is the data your smart access system generates when it grants access to a resident. It’s called that because this data is generated at the point of the tenant’s authentication.

On the other hand, reference data is the data your smart access system refers to when it checks a resident’s credentials. If your residents use PIN codes to enter your building, the database of verified PIN codes is an example of reference data.

Essentially, the TDPA states that you can only collect the minimum amount of authentication and reference data from your residents. You are prohibited from collecting anything more. And when you do collect these two types of data, unless you’re using it to investigate a security incident, you’re obligated to destroy authentication data within 90 days of collection and you’re obligated to destroy reference data within 90 days of a tenant moving out.

In addition, minors can’t use smart access systems until you obtain their parents’ permission.

Note: The Tenant Data Privacy Act does not apply to standard video or security camera feeds because you don’t use those for property access.



Under the TDPA, tenants have the right to sue if a smart building owner or operator misuses their data or hangs onto it for too long.


Third-party installers or operators

If you’re a smart building owner, maintaining an excellent working relationship with your third-party installer is a great way to ensure compliance with the TDPA.

Ultimately, third-party installers must follow sections of the Tenant Data Privacy Act. Like building owners, third parties now need to be more stringent about destroying data. They’re also forbidden from selling that data to others.

However, the best third-party operators aren’t just looking out for themselves. They also use their familiarity with the technology to look out for their clients.




Why is it important to comply?

The fees and fines associated with non-compliance will take a huge bite out of your bottom line. Violating the TDPA might cost you between $200 and $1,000 per resident. An issue with your smart access system affects every single resident in the system. So, a court might find that you have to pay damages, individually, to every single tenant.

In addition, non-compliance doesn’t just put you at risk of tenant lawsuits. If you manage a property, you’re also in charge of managing its reputation. And why would a tenant rent from a legally questionable building if there’s a building that complies just down the street?


How smart building owners can comply

Here’s a quick summary of what you can do to comply with the Tenant Data Privacy Act:

  • Give tenants a written notice about the data you’re collecting and get their consent, either in writing or through a mobile app
  • Don’t sell or disclose tenant data to others
  • Destroy the authentication data generated by tenants after 90 days
  • Destroy all of a resident’s data after they move out
  • Get permission from a minor’s parents before allowing a minor to use your smart access system

If you’re looking for an access control system that complies with this new law, choose ButterflyMX. As a smart access control system that collects data for and on entry into a building, ButterflyMX is fully in compliance with the requirements of the NYC Tenant Data Privacy Act.




Sophia Cooper

Born and raised in Colorado, I love the outdoors, good food, and anything related to real estate or technology.