WeVote

Bill

Bill

S 10635

Relates to the use of smart access systems and the information that may be gathered from such systems

2025 Regular Session Introduced by Brian Kavanagh

Bans new biometric smart entry systems in class A dwellings and requires non-biometric access, strict data limits, privacy policies, and strong security standards.

REFERRED TO HOUSING
0
WeVote Research Nonpartisan
Bill Summary · S 10635

Summary of Bill S 10635 (2025-2026) – New York

Purpose and intent

  • Prohibits the installation and ongoing use of smart entry systems that collect biometric data in class A multiple dwellings, while establishing comprehensive privacy, safety, and governance standards for electronic or computerized entry systems.
  • Aims to protect tenant privacy by restricting data collection, use, retention, and disclosure, and by ensuring non-biometric fallback entry methods and clear tenant-facing policies.

Key provisions and changes

1) Prohibition on biometric data collection (Section 50-b, Multiple Dwelling Law)

  • Defines biometric identifiers (e.g., fingerprints, iris/retina scans, voiceprints, facial geometry, gait) and smart access systems.
  • Bars new installations of smart access systems that collect biometric data after the effective date.
  • For systems installed before the effective date that rely on biometrics, biometric data may be collected only to register users and operate the system, with use discontinued within two years of the section’s effective date.

2) Electronic/entry system requirements and data governance (Section 130-a, Multiple Residence Law)

  • Introduces terms: account information, authentication data, biometric identifier information, reference data, security breach, third party, user.
  • Entry access requirements:
    • Systems must include non-web-based entry options (e.g., key fob, key card, digital key, or passcode) in addition to any web app.
    • Non-web entry must be available for individual units; tenants must have access methods at no cost.
    • Written privacy policies from third parties must be provided; ongoing contact information disclosed.
    • Backup power and outage procedures required, with contact information for lockout scenarios.
  • Data collection limits:
    • Collect only data strictly necessary to operate the system (name, unit numbers, access doors, contact method, lease info, time and method of access, photos for security).
    • Prohibit sale or disclosure of data except via grand jury subpoenas or court orders.
    • Ban collection/disclosure of social security numbers; limit retention and require destruction/anonymization within specified timeframes (generally 90 days, with anonymized data potentially kept longer).
    • Allow only data necessary to detect security incidents or to operate the system; require consent for non-essential reference data.
  • Third-party biometric handling:
    • Third parties must disclose presence of biometric collection; may not disclose without proper orders.
    • Must protect biometric data with reasonable security measures and destroy it within 30 days (40-48 hours for prohibited information such as a minor’s likeness).
  • Data retention and destruction:
    • Establish procedures for adding authorized persons (visitors, caregivers) with clear retention and destruction/anonymization timelines.
    • Prohibit evictions or tenancy actions based on data usage unless expressly allowed; allow tenant authorization for third-party uses with disclosures, but not as a lease condition.

3) Prohibitions and privacy protections

  • Location tracking beyond 100 feet is prohibited; tracking features must be disable-able when not in use.
  • Strict limits on collecting minor data; aggregate/anonymized usage data only for non-identifiable purposes.
  • Non-anonymized data may be shared with third parties only under explicit authorization and with privacy disclosures.
  • Software/hardware security: vendors must notify of breaches/vulnerabilities within 24 hours and fix within 30 days; mandatory security updates for embedded components; reasonable security practices required.

4) Enforcement, penalties, and exemptions

  • Civil penalties up to $5,000 per violation; potential damages and attorney’s fees; higher penalties (up to $10,000 per violation, capped at $100,000) if harassment or deprivation of rights occurs.
  • Rent-regulated dwellings: installation requires DHCR approval and cannot be used to justify rent reductions.
  • Exemptions: certain owner categories (e.g., large entities under federal housing programs) and transient occupancy dwellings; DHCR may impose additional requirements.

5) Effective date

  • Act takes effect 180 days after becoming law.

Who/what is affected

  • Class A multiple dwellings and their owners/managers, tenants and lawful occupants, and third-party vendors/partners involved in smart access systems.
  • Tenants’ ability to access units and common areas via non-biometric methods is preserved.
  • Residents receive written policies, privacy notices, and clear contact information for system providers.

Procedural/timeline notes

  • Senate passage on June 4, 2026; referred to Assembly Housing; takes effect 180 days after enactment.
  • Provisions include severability and a one-time notice requirement for existing systems within 90 days of effective date.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.