Chapter 186 of the General Laws is hereby amended by adding the following section:-

Section 32. (a) For the purpose of this section, the following terms shall, unless the context clearly requires otherwise, have the following meanings:

“Authentication data”, the data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, except that it does not include data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry.

“Biometric identifier information”, a physiological, biological or behavioral characteristic that is used to identify or assist in identifying an individual including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic.

“Dwelling unit”, any house or building, or portion thereof, that is occupied, designed to be occupied, or is rented, leased or hired out to be occupied, as a home or residence of 1 or more persons..

“Minor”, a person under the age of 18 years, except a person over the age of 15 years who is married, a parent, serving in the military or has been found financially independent by a court order.

“Multiple dwelling” a dwelling which is usually occupied for permanent residence purposes and which is either rented, leased, let or hired out, to be occupied as the residence or home of 3 or more families living independently of each other. 

“Reference data”, the information against which authentication data is verified at the point of authentication by a smart access system in order to grant a user entry to a smart access building, dwelling unit of such building or a common area of such building.

“Smart access building”, a multiple dwelling that utilizes a smart access system.

“Smart access system”, any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information or any other digital technology in order to grant entry to a multiple dwelling, common areas in such multiple dwelling or to an individual dwelling unit in such multiple dwelling.

“Third party”, an entity that installs, operates or otherwise directly supports a smart access system and has ongoing access to user data, excluding any entity that solely hosts such data.

“User”, a tenant of a smart access building and any person a tenant has requested, in writing or through a mobile application, be granted access to such tenant’s dwelling unit and such building’s smart access system.

(b)(1) A landlord of a smart access building or third party may not collect reference data from a user for use in a smart access system, except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system. Such landlord or third party may collect only the minimum amount of authentication data and reference data necessary to enable the use of such smart access system in such building and may not collect additional biometric identifier information from any users. Such smart access system may only collect, generate or utilize the following information:

(i) the user’s name;

(ii) the dwelling unit number and other doors or common areas that the user has access to using such smart access system in such building;

(iii) the user’s preferred method of contact;

(iv) the user’s biometric identifier information if such smart access system utilizes biometric identifier information;

(v) the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, bluetooth or other

similar technical protocols;

(vi) passwords, passcodes, user names and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of such building or common area of such building through such building’s smart access system or to access any online tools used to manage user accounts related to such building;

(vii) lease information, including move-in and, if available, move-out dates; and

(viii) the time and method of access, solely for security purposes.

(2) A landlord of a smart access building and any third party shall destroy any authentication data collected from or generated by such smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

(3) Reference data for any tenant who has permanently vacated a smart access building shall be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such tenant has permanently vacated such building. Reference data for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after access expires. Reference data for any user who has withdrawn authorization from a landlord or third party who had previously been given access to such reference data pursuant to this subsection shall be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such authorization has been withdrawn. The same time frame shall apply when a tenant withdraws a request that a guest be granted access to such tenant’s dwelling unit via the smart access system, if such guest is not also a tenant of such smart access building.

(4) Reference data collected solely for the operation of such smart access system for a tenant who has permanently vacated a smart access building shall be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the landlord of such smart access building or a third party. Reference data collected solely for use of such smart access system for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be destroyed within the same timeframe following such: (i) user’s withdrawal of authorization; and (ii) tenant’s withdrawal of the request that such user be granted access to such tenant’s dwelling unit via the smart access system or such tenant’s permanent vacation. Any data collected in violation of this subsection shall be destroyed immediately.

(5) A landlord of a smart access building and any third party that has an obligation to destroy data pursuant to this subsection shall not be required to destroy any data that is:

(i) necessary to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity or prosecute those responsible for that activity;

(ii) necessary to debug to identify and repair errors that impair existing intended functionality;

(iii) protected speech under the United States Constitution or constitution of the commonwealth; or

(iv) necessary to comply with another law or legal obligation.

(6) Any information that a landlord of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility shall be limited to such tenant’s total monthly usage. It shall be unlawful for a landlord of a multiple dwelling to collect any information about a tenant’s use of internet service, except in a multiple dwelling that internet service is provided directly from a landlord to tenants, the landlord may collect such information if such information is aggregated and anonymized or necessary for billing purposes.

(7) Notwithstanding any provisions of this section, a landlord may retain, separate from the smart access system, a record of the unique identification number or other unique identifier associated with the physical hardware used to facilitate building entry, including key cards or other similar technical protocols, and the dwelling unit number associated with such unique identifier, solely for the purpose of deactivating or activating the key card or other hardware associated with such unique identifier.

(8) Notwithstanding any provisions of this section, reference data may be retained and

utilized by a smart access system pursuant to a user request, in writing or through a mobile

application, that such user’s reference data be retained for longer than 90 days.

(c)(1) It shall be unlawful for any landlord of a smart access building or

third party that collects reference data or authentication data pursuant to subsection (b) to:

(i) sell, lease or otherwise disclose such data to another person except: (A) pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or absent a court ordered process in emergencies when human welfare is at risk; (B) to a third party that operates or facilitates the operation of such building’s smart access system, provided that the user has given express authorization, in writing or through a mobile application and has received in writing, in advance of such authorization: (1) the name of the third party; (2) the intended use of such data by such third party; and (3) any privacy policy of such third party; (C) for data collected to an entity employed, retained or contracted by the landlord to improve the energy efficiency of such building; or (D) to a guest as expressly authorized, in writing or through a mobile application, by a tenant;

(ii) utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system;

(iii) use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor’s parent or legal guardian;

(iv) use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests;

(v) use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant;

(vi) use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile

application, provided that reference data may be collected for any employee or agent of a landlord in a smart access building, and

(vii) share any data that may be collected from a smart access system regarding any minor, unless such entity has received the written authorization of such minor’s parent or legal guardian.

(2) It shall additionally be unlawful for any landlord of a smart access building, or an agent thereof, to:

(i) utilize data collected through a smart access system for any purpose other than: (A) to grant access to and monitor entrances and exits to the smart access building and to common areas in such building, including but not limited to laundry rooms, mail rooms and the like; and (B) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units.

(ii) use a smart access system to limit the time of entry into the building by any user except as requested by a tenant;

(iii) require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and

(iv) use any information collected through a smart access system to harass or evict a tenant.

(d)(1)The landlord of a smart access building, or an agent thereof, shall provide to tenants a written policy in plain language that describes, at a minimum, the following information if it is not included in the privacy policy described in paragraph (2):

(i) the data elements to be collected by the smart access system;

(ii) the names of any entities or third parties the landlord shall share such data elements with and the privacy policies of any such entities or third parties;

(iii) the protocols and safeguards the landlord shall provide for protecting such data elements;

(iv) the retention schedule of such data;

(v) the protocols the landlord shall follow to address any suspected or actual unauthorized access to or disclosure of such data elements, including notification of users;

(vi) guidelines for permanently destroying or anonymizing such data or removing such data from the smart access system; and

(vii) the process used to add and remove persons who have provided written consent on a

temporary basis to the smart access system.

(2) The landlord of a smart access building, or an agent thereof, shall make available to tenants any written privacy policy of the entity that developed the smart access system utilized in such building or any written privacy policy of the entity that currently operates the smart access system utilized in such building.

(e) A smart access system shall implement stringent security measures and safeguards to protect the security and data of tenants, guests and other individuals in smart access buildings. Such security measures and safeguards must, at a minimum, shall include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

(f)(1) A lawful occupant of a dwelling unit, or a group of such occupants, in a smart access building may bring an action in superior court alleging an unlawful sale, lease or disclosure of data pursuant to this section. The superior court shall have original jurisdiction over such petitions in equity and authority to enjoin such violations. The court may, in addition to any relief court determines to be appropriate, award to:

(i) each such occupant per each unlawful sale, lease or disclosure of such occupant’s data: (A) compensatory damages and, in such court's discretion, punitive damages; or (B) at the election of each occupant, damages ranging from $200 to $1,000; and

(ii) such occupants reasonable attorneys’ fees and court costs.

(2) Nothing in this section shall relieve any such occupant or occupants from any obligation to pay rent or any other charge that such occupant or occupants are otherwise liable to a person found to be in violation of this section. Nothing in this section shall affect any other right or responsibility of an occupant or landlord afforded to such person pursuant to a lawful lease.

(g) The executive office of housing and livable communities shall inform tenants and landlords about the provisions of this section by including information about this section on its website.