STATE OF NEW YORK
________________________________________________________________________
10635
IN SENATE
June 1, 2026
___________
Introduced by Sen. KAVANAGH -- read twice and ordered printed, and when
printed to be committed to the Committee on Rules
AN ACT to amend the multiple dwelling law and the multiple residence
law, in relation to the use of smart access systems and the informa-
tion that may be gathered from such systems
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The multiple dwelling law is amended by adding a new
2 section 50-b to read as follows:
3 § 50-b. Prohibition of entry systems collecting or using biometric
4 data. 1. Definitions. For the purposes of this section, the following
5 terms shall have the following meanings:
6 a. "Biometric identifier information" means a physiological, biolog-
7 ical or behavioral characteristic that is used to identify, or assist in
8 identifying, an individual, including, but not limited to: (i) a retina
9 or iris scan, (ii) a fingerprint, (iii) a voiceprint, (iv) a scan or
10 record of a palm, hand, or face geometry, (v) gait or movement patterns,
11 or (vi) any other similar identifying characteristic that can be used
12 alone or in combination with each other, or with other information, to
13 establish individual identity.
14 b. "Smart access system" means any system that uses electronic or
15 computerized technology, a radio frequency identification card, a mobile
16 phone application, biometric identifier information, or any other
17 digital technology in order to grant access to a class A multiple dwell-
18 ing, common areas in such multiple dwelling, or to an individual dwell-
19 ing unit in such multiple dwelling.
20 2. Prohibition. No smart access system or other system that collects
21 or uses biometric data shall be installed in any multiple dwelling after
22 the effective date of this section. For smart access systems that rely
23 on the collection of biometric data that have already been installed
24 before the effective date of this section, biometric identifier informa-
25 tion may be collected pursuant to this section in order to register a
26 user and operate such smart access system, until use of such system is
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD00912-06-6
S. 10635 2
1 discontinued. Use of such system shall be discontinued no later than two
2 years after the effective date of this section.
3 § 2. The multiple residence law is amended by adding a new section
4 130-a to read as follows:
5 § 130-a. Electronic or computerized entry systems. 1. Definitions. For
6 the purposes of this section, the following terms shall have the follow-
7 ing meanings:
8 (a) "Account information" means information that is used to grant a
9 user entry or access to any online tools that are used to manage user
10 accounts related to a smart access system.
11 (b) "Authentication data" means data generated or collected at the
12 point of authentication in connection with granting a user entry to a
13 multiple dwelling, dwelling unit of such building, or common area of
14 such building through a smart access system, except that it shall not
15 include data generated through or collected by a video or camera system
16 that is used to monitor entrances but not to grant entry.
17 (c) "Biometric identifier information" means a physiological, biolog-
18 ical or behavioral characteristic that is used to identify, or assist in
19 identifying, an individual, including, but not limited to: (i) a retina
20 or iris scan, (ii) a fingerprint, (iii) a voiceprint, (iv) a scan or
21 record of a palm, hand, or face geometry, (v) gait or movement patterns,
22 or (vi) any other similar identifying characteristic that can be used
23 alone or in combination with each other, or with other information, to
24 establish individual identity.
25 (d) "Critical security vulnerability" means a security vulnerability
26 that has a significant risk of resulting in an unauthorized access to an
27 area secured by a smart access system.
28 (e) "Reference data" means information against which authentication
29 data is verified at a point of authentication by a smart access system
30 in order to grant a user entry to a multiple dwelling, dwelling unit of
31 such building, or common area of such building.
32 (f) "Security breach" means any incident that results in unauthorized
33 access of data, applications, services, networks or devices by bypassing
34 underlying security mechanisms. A "security breach" occurs when an indi-
35 vidual or an application illegitimately enters a private, confidential
36 or unauthorized logical information technology perimeter.
37 (g) "Smart access system" means any system that uses electronic or
38 computerized technology, a radio frequency identification card, a mobile
39 phone application, biometric identifier information, or any other
40 digital technology in order to grant access to a multiple dwelling,
41 common areas in such multiple dwelling, or to an individual dwelling
42 unit in such multiple dwelling.
43 (h) "Third party" means an entity that installs, operates or otherwise
44 directly supports a smart access system, and has ongoing access to user
45 data, excluding any entity that solely hosts such data.
46 (i) "User" means a tenant or lawful occupant of a multiple dwelling,
47 and any person a tenant or lawful occupant has requested, in writing or
48 through a mobile application, be granted access to such tenant or lawful
49 occupant's dwelling unit and such building's smart access system.
50 2. Entry. (a) Where an owner installs or plans to install a smart
51 access system on any entrance from the street, passageway, court, yard,
52 cellar, or other common area of a multiple dwelling, such system shall
53 not rely solely on a web-based application to facilitate entrance but
54 shall also include a key fob, key card, digital key or passcode for
55 tenant use.
S. 10635 3
1 (b) Owners may provide various methods of entry into individual apart-
2 ments including a mechanical key or a smart access system of a key fob,
3 key card or digital key, provided, however that such smart access system
4 shall not rely solely on a web-based application.
5 (c) Notwithstanding paragraph (a) or (b) of this subdivision, owners
6 shall provide a non-electronic means of entry where requested by the
7 tenant or lawful occupant due to a religious preference.
8 (d) All lawful tenants and lawful occupants shall be provided with a
9 key, key fob, digital key or key card at no cost to such tenants and
10 lawful occupants. The term "lawful occupants" shall include children
11 under the age of eighteen who shall be issued a key, key fob, digital
12 keys or key card if a parent or guardian requests in writing or to a
13 phone number provided by the owner that such child be provided with one.
14 Tenants and lawful occupants may also receive additional keys, key fobs,
15 digital keys or key cards at no cost to the tenant or lawful occupant
16 for verified employees and up to two additional keys, key fobs, digital
17 keys or key cards at no cost to the tenant or lawful occupant for
18 guests. The term "guests" shall include family members and friends who
19 can reasonably be expected to visit on a regular basis or visit as need-
20 ed to care for the tenant, lawful occupant, or the dwelling unit if the
21 tenant or lawful occupant is away. Employees, including contractors,
22 professional caregivers or other services providers, may have an expira-
23 tion date placed on their key, key card, digital key or key fob, which
24 may be extended upon the tenant or lawful occupant's request. Tenants or
25 lawful occupants may request a new or replacement key, key fob, digital
26 key or key card at any time throughout the course of the tenancy. The
27 owner or their agent shall provide the first replacement key, key fob,
28 digital key or key card to the tenant or lawful occupant free of charge.
29 The cost of second and subsequent replacement keys, key fobs, digital
30 keys or key cards shall not be more than what the owner paid for the
31 replacement up to and not exceeding forty dollars.
32 (e) Any owner or agent of an owner that utilizes a smart access system
33 shall establish a written policy in plain language that provides a
34 description of the smart access system or systems used in the class A
35 multiple dwelling and an explanation of the policies and procedures in
36 place, including but not limited to a written policy governing tenant
37 requests for additional keys, key fobs, digital keys or key cards. An
38 owner may decline requests for additional keys, key fobs, digital keys
39 or key cards if such requests are not consistent with the owner's writ-
40 ten policy, provided however that any written policy that violates or
41 contradicts the provisions of this section or any other applicable law
42 shall be null and void. The owner shall not set limits on the number of
43 keys, key fobs, digital keys or key cards a tenant or lawful occupant
44 may request.
45 (f) An owner or agent of an owner that utilizes a smart access system
46 shall provide to tenants and lawful occupants any written privacy policy
47 of the third party that developed the smart access system utilized in
48 such building, and any written privacy policy of the third party that
49 currently operates the smart access system utilized in such building.
50 The owner shall additionally provide contact information and customer
51 service information of such entities to tenants and lawful occupants.
52 (g) Any door that has a smart access system shall have backup power or
53 an alternative means of entry to ensure that the entry system continues
54 to operate during a power outage or other system disruption. An owner,
55 or their agent, shall routinely inspect the backup power and shall main-
56 tain or replace it according to system specifications. Owners or their
S. 10635 4
1 agents shall provide tenants and lawful occupants with information about
2 whom to contact in the event that the tenant, lawful occupant or the
3 tenant's or lawful occupant's children, guests or employees become
4 locked out.
5 3. Notice. Owners or their agents shall provide written notice to a
6 tenant or lawful occupant at the time the tenant or lawful occupant
7 signs the lease, or when the smart access system is installed, of the
8 provisions of subdivision two of this section and a copy of the written
9 policies required by this section. For smart access systems already in
10 use, the owner or agent of the owner shall provide a copy of the written
11 policies within ninety days of the effective date of this section.
12 4. Data collection. (a) (i) The reference data, authentication data,
13 and account information gathered by any smart access system shall be
14 limited to: (1) account information necessary to enable the use of such
15 smart access system; (2) reference data, including the user's name,
16 dwelling unit number, and doors or common areas to which the user has
17 access; (3) the preferred method of contact for the user; (4) informa-
18 tion used to grant the user entry or to access any online tools used to
19 manage user accounts related to the building; (5) lease information
20 including move-in and, if available, move-out dates; and (6) authentica-
21 tion data such as time and method of access for security purposes and a
22 photograph of access events for security purposes.
23 (ii) No reference data, authentication data, account information, or
24 other data gathered or stored by any smart access system shall be sold,
25 leased, or otherwise disclosed to another party unless requested pursu-
26 ant to a grand jury subpoena, court ordered warrant, or subpoena, or
27 otherwise ordered by a court of competent jurisdiction through an order
28 enforceable in New York state.
29 (b) No smart access system or other system that collects or uses biom-
30 etric data shall be installed in any multiple dwelling after the effec-
31 tive date of this section. For smart access systems that rely on the
32 collection of biometric data that have already been installed before the
33 effective date of this section, biometric identifier information may be
34 collected pursuant to this section in order to register a user and oper-
35 ate such smart access system, until use of such system is discontinued.
36 Use of such system shall be discontinued no later than two years after
37 the effective date of this section.
38 (c) (i) The owner or agent of the owner of a multiple dwelling shall
39 collect only strictly necessary data required by the technology used in
40 the smart access system to identify the user and effectuate such
41 entrance and protect the privacy and security of such users.
42 (ii) The owner or agent of the owner shall not request or retain, in
43 any form, the social security number of any person as a condition of use
44 of the smart access system.
45 (iii) The owner, agent of the owner, or the vendor of a smart access
46 system on behalf of the owner may record each time a key fob, key card,
47 digital key or passcode is used to enter the building, but shall not
48 record any departures.
49 (iv) A copy of such data may be retained for reference at the point of
50 authentication by the smart access system. Provided, however, no refer-
51 ence data shall be collected for use in a smart access system except
52 where such user has expressly consented, in writing, to the use of such
53 reference data and smart access system.
54 (v) The owner or agent of the owner of the multiple dwelling or any
55 third party shall destroy or anonymize authentication data collected
56 from or generated by such smart access system within a reasonable time,
S. 10635 5
1 but not later than ninety days after the date collected, except for the
2 authentication data that is retained in an anonymized format. Such
3 anonymized data shall not be deanonymized or re-identified, and may be
4 retained for up to one year, or longer pursuant to subparagraph (vii) of
5 this paragraph, before destruction. The owner or third party shall
6 provide proof of destruction or anonymization to any tenant or lawful
7 occupant upon request.
8 (vi) Reference data for a user shall be destroyed or anonymized by the
9 owner, the agent of the owner, or third party within ninety days of (1)
10 the tenant or lawful occupant permanently vacating the dwelling, or (2)
11 a request by the tenant or lawful occupant to withdraw authorization for
12 those previously authorized by the tenant or lawful occupant. The owner
13 of the multiple dwelling, the agent of the owner, or appropriate third
14 party, if any, shall provide proof of destruction or anonymization of
15 reference data to the tenant or lawful occupant upon request.
16 (vii) An owner or agent of an owner of a class A multiple dwelling
17 that utilizes a smart access system and any third party that has an
18 obligation to destroy data pursuant to this section shall not be
19 required to destroy any data that is strictly necessary to detect
20 cybersecurity incidents, protect against malicious deceptive, fraudu-
21 lent, or illegal activity, or prosecute those responsible for that
22 activity; is necessary to debug, identify, repair errors that impair
23 existing intended functionality; or is necessary to comply with another
24 law, legal obligation, or court order.
25 (d) (i) A third party shall not capture biometric identifier informa-
26 tion of an individual to gain entrance to a multiple dwelling unless the
27 owner clearly and conspicuously discloses near all entrances to the
28 building used by tenants or lawful occupants that the building utilizes
29 a smart access system that collects biometric identifier information.
30 (ii) Any third party that possesses biometric identifier information
31 of an individual that is captured by a smart access system:
32 (1) Shall not sell, lease or otherwise disclose the biometric identi-
33 fier information to another party unless pursuant to a grand jury
34 subpoena, court ordered warrant, or subpoena, or otherwise ordered by a
35 court of competent jurisdiction through an order enforceable in New York
36 state.
37 (2) Shall store, transmit and protect from disclosure the biometric
38 identifier information using reasonable care and in a manner that is the
39 same as or more protective than the manner in which the person stores,
40 transmits and protects confidential information the person possesses;
41 and
42 (3) Shall destroy the biometric identifier information within a
43 reasonable time, but not later than thirty days after the date
44 collected, except for reference data, and provide proof of such
45 destruction to the tenant or lawful occupant upon request. If any
46 prohibited information is collected, such as the likeness of a minor or
47 a non-tenant, the information shall be destroyed promptly but no later
48 than forty-eight hours after detection of such prohibited information.
49 (e) The owner of the multiple dwelling, or the managing agent, shall
50 develop and provide to tenants and lawful occupants written procedures
51 which describe the process used to add persons authorized by the tenant
52 or lawful occupant to the smart access system on a temporary or perma-
53 nent basis, such as visitors, children, their employees, and caregivers
54 to such building.
S. 10635 6
1 (i) The procedures shall clearly establish the owner's retention sche-
2 dule and guidelines for permanently destroying or anonymizing the data
3 collected.
4 (ii) The procedures shall not limit time or place of entrance by such
5 people duly authorized by the tenant or lawful occupant in writing
6 except as requested by the tenant or lawful occupant.
7 5. Prohibitions. (a) No form of location tracking beyond one hundred
8 feet of the multiple dwelling, including but not limited to satellite
9 location based services, shall be permitted in any equipment, key, or
10 software provided to users as part of a smart access system. Location
11 tracking features shall be capable of being disabled when the system is
12 not in use for the purposes of granting access to a class A multiple
13 dwelling, common areas in such multiple dwelling, or to an individual
14 dwelling unit in such multiple dwelling.
15 (b) It shall be prohibited to use a smart access system to capture the
16 reference data of any minor, except as authorized in writing by such
17 minor's parent or legal guardian, or information on the relationship
18 status or health status of tenants or lawful occupants and their guests
19 or employees. It is further prohibited to use a smart access system to
20 collect or track individually identifiable or reasonably linkable infor-
21 mation about the frequency and time of use of such system to an individ-
22 ual tenant or lawful occupant and their guests or employees to harass or
23 evict a tenant or lawful occupant or for any other purpose not expressly
24 related to the operation of the smart access system. Such usage data may
25 be collected only in anonymized and aggregated form.
26 (c) Information that is acquired via the use of a smart access system
27 shall not be used for any purposes other than granting access to and
28 monitoring building entrances and shall not be used as a basis or
29 support for an action to evict a lessee, tenant, or lawful occupant, or
30 an administrative hearing seeking a change in regulatory coverage for an
31 individual or unit. However, a tenant or lawful occupant may authorize
32 their information to be used by a third party, but such a request shall
33 clearly state who will have access to such information, for what purpose
34 it will be used, and the privacy policies which will protect their
35 information. Under no circumstances shall a lease or a renewal be
36 contingent upon authorizing such use. Smart access systems may use
37 third-party services to the extent required to maintain and operate
38 system infrastructure, including cloud-based hosting and storage. The
39 provider or providers of third-party infrastructure services shall meet
40 or exceed the privacy protections set forth in this section and shall be
41 subject to the same liability for breach of any of the requirements of
42 this section. Third-party services used by the smart access system shall
43 be disclosed to tenants or lawful occupants as part of the written poli-
44 cy required by this section.
45 (d) Information and data collected but not anonymized or aggregated
46 shall not be made available to any third party, unless authorized as
47 described in paragraph (c) of this subdivision, including but not limit-
48 ed to law enforcement, except upon a grand jury subpoena or a court
49 ordered warrant, subpoena, or other authorized court ordered process.
50 6. Storage of information. Any information or data collected shall be
51 stored in a secure manner to prevent unauthorized access by both employ-
52 ees and contractors and those unaffiliated with the owner or their
53 agents, except as otherwise provided in this section. Future or continu-
54 ing tenancy shall not be conditioned upon consenting to the use of a
55 smart access system.
S. 10635 7
1 7. Software and hardware issues. Whenever a company that produces,
2 makes available or installs smart access systems discovers a security
3 breach or critical security vulnerability in their software or hardware,
4 such company shall notify customers of such vulnerability within a
5 reasonable time of discovery but no later than twenty-four hours after
6 discovery and shall make software updates available and take any other
7 action as may be necessary to repair the vulnerability within a reason-
8 able time, but not longer than thirty days after discovery. Smart access
9 systems and vendors shall implement and maintain reasonable security
10 procedures and practices appropriate to the nature of the information
11 collected. In the event that a security breach or critical security
12 vulnerability that pertains to the embedded software, hardware, or firm-
13 ware on the smart access systems is discovered, smart access systems and
14 their vendors shall:
15 (a) be able to create updates to correct the vulnerabilities;
16 (b) contractually commit to customers that the smart access system or
17 vendor will create updates to the embedded software, hardware, or firm-
18 ware to remedy the vulnerabilities; and
19 (c) make such security-related software, hardware, or firmware updates
20 available for free to customers for the duration of the contract between
21 the building and smart access systems.
22 8. Waiver of rights; void. Any agreement by a lessee or tenant of a
23 dwelling waiving or modifying their rights as set forth in this section
24 shall be void as contrary to public policy.
25 9. Penalties. (a) A person who violates this section shall be subject
26 to a civil penalty of not more than five thousand dollars for each
27 violation. The attorney general may bring an action to recover the
28 civil penalty. An individual injured by a violation of this section may
29 bring an action to recover damages. A court may also award attorneys'
30 fees to a prevailing plaintiff.
31 (b) Where an owner or their agent receives a judgment that their use
32 of a smart access system resulted in harassment or otherwise deprived a
33 tenant or lawful occupant of any rights available under law, such owner
34 or agent shall be subject to a civil penalty of not more than ten thou-
35 sand dollars for each violation, provided however that the total penalty
36 shall not exceed one hundred thousand dollars.
37 (c) For purposes of this subdivision, each day the violation occurs
38 shall be considered a separate violation.
39 10. Rent regulated dwellings. Installation of a smart access system
40 pursuant to this section in a dwelling subject to the emergency tenant
41 protection act of nineteen seventy-four, the emergency housing rent
42 control law, the local emergency housing rent control act, or the rent
43 stabilization law of nineteen hundred sixty-nine shall constitute a
44 modification of services requiring the owner of such dwelling or their
45 agent to apply to the division of housing and community renewal for
46 approval before performing such installation. Such installation shall
47 not qualify as a basis for rent reduction.
48 11. Exemptions. (a) Nothing herein shall apply to multiple dwellings
49 owned or managed by an entity subject to 42 U.S.C. § 1437 et seq., or
50 any of its subsidiaries, or multiple dwellings that are primarily occu-
51 pied by transient occupants for a period of less than thirty days.
52 (b) Nothing in this section shall limit the authority of the division
53 of housing and community renewal to impose additional requirements
54 regarding smart access systems installed in multiple dwellings for which
55 the division is required to approve substitutions or modifications of
56 services.
S. 10635 8
1 § 3. Severability. If any provision of this act, or any application of
2 any provision of this act, is held to be invalid, that shall not affect
3 the validity or effectiveness of any other provision of this act, or of
4 any other application of any provision of this act, which can be given
5 effect without that provision or application; and to that end, the
6 provisions and applications of this act are severable.
7 § 4. This act shall take effect on the one hundred eightieth day after
8 it shall have become a law.
