§ 26-3003.
AC § 26-3003
a. It shall be unlawful for any owner of a smart access building or third party that collects reference data or authentication data pursuant to section 26-3002 to: 1. sell, lease or otherwise disclose such data to another person except: (a) pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or active law enforcement investigation; (b) to a third party that operates or facilitates the operation of such building's smart access system, provided that the user has given express authorization, in writing or through a mobile application, and has received in writing, in advance of such authorization: (i) the name of the third party, (ii) the intended use of such data by such third party, and (iii) any privacy policy of such third party; (c) for data collected pursuant to subdivision f of section 26-3002, to an entity employed, retained or contracted by the owner to improve the energy efficiency of such building; (d) to a guest as expressly authorized, in writing or through a mobile application, by a tenant; or (e) as otherwise required by law; 2. utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system; 3. use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor's parent or legal guardian; 4. use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, except as otherwise required by law; 5. use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant; 6. use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile application, provided that reference data may be collected for any employee or agent of an owner in a smart access building, and 7. share any data that may be collected from a smart access system regarding any minor, unless such entity has received the written authorization of such minor's parent or legal guardian. b. It shall additionally be unlawful for any owner of a smart access building, or an agent thereof, to: 1. utilize data collected through a smart access system for any purpose other than: (i) to grant access to and monitor entrances and exits to the smart access building, and to common areas in such building, including but not limited to laundry rooms, mail rooms, and the like, and (ii) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units; 2. use a smart access system to limit the time of entry into the building by any user except as requested by a tenant; 3. require a tenant to use a smart access system to gain entry to such tenant's dwelling unit; and 4. use any information collected through a smart access system to harass or evict a tenant. (L.L. 2021/063, 5/30/2021, eff. 7/29/2021) Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2021/063.
