Case Study 17.2: Smart Home, Surveilled Tenant — The Case of Fernwood Apartments

Background

Fernwood Apartments is a fictional 200-unit residential complex in a mid-sized American city, based on documented cases from New York, Seattle, and Austin. It represents the new generation of "smart building" residential real estate, where property management companies have integrated networked technology throughout the building infrastructure. The case examines what happens when tenants discover the extent of the surveillance infrastructure they had not been told about.

When Claudia Rivera signed her lease at Fernwood Apartments in September 2020, the leasing agent emphasized the building's amenities: gym, rooftop deck, bike storage, "smart building features." Claudia, a 28-year-old graduate student, was pleased to find a one-bedroom unit in a good neighborhood at a manageable price. She signed a standard 12-month lease. The lease mentioned "electronic access systems" in a paragraph about building rules.

In her first week, Claudia received a link to download the Fernwood app — an application that would allow her to unlock her unit door, the building entrance, and the parking garage; to receive package notifications; to submit maintenance requests; and to access the building's temperature control system. She downloaded the app and registered with her phone number.

What Claudia did not know, because it was not disclosed to her and was not readily discoverable, was the full scope of what the Fernwood app and the building's infrastructure were recording:

  • Every entry and exit from her unit, logged by timestamp to the building management system
  • Every entry and exit from the building and parking garage, similarly logged
  • The specific route she took through the building's common areas, tracked by the building's WiFi network through the triangulation of her phone's signal
  • The temperature preferences she set in her unit
  • The timing and frequency of her maintenance requests

This data was retained by Fernwood's property management company, Cascade Residential Properties, and was accessible to building managers, to Cascade's data analytics team, and — under terms disclosed in Cascade's privacy policy (not in the lease) — to third-party service providers and, in certain circumstances, to law enforcement.

Discovery

In February 2021, a tenant at Fernwood named Darius Okafor submitted a California Consumer Privacy Act (CCPA) request — a right available to California residents — asking Cascade to provide a copy of all personal data the company held about him. California's CCPA gave him this right.

What Cascade provided in response was a multi-page spreadsheet containing, among other things, every entry and exit event for Darius's unit and the building's common spaces over the previous seven months, time-stamped to the minute. The spreadsheet showed when Darius woke up (based on his first door interaction of the morning), when he left for work, when he returned, when he had overnight visitors (based on door access patterns), and dozens of other behavioral patterns that Darius had not knowingly produced as data.

Darius shared the spreadsheet with other Fernwood tenants. Several organized through a tenant association. Claudia was among them.

The tenant association consulted a tenant rights attorney who provided the following analysis:

The lease's "electronic access systems" language was too vague to constitute notice of behavioral monitoring. The clause described access control; it did not describe logging, retention, or analytics of movement patterns.

Cascade's privacy policy disclosed data collection practices more fully — but the privacy policy was a separate document, not incorporated into the lease, and was not provided to tenants at move-in. Tenants had not been directed to review it before signing.

CCPA gave California tenants the right to request their data (as Darius had done), to request deletion of their data, and to opt out of the sale of their data to third parties. It did not give tenants the right to prevent collection in the first place.

Federal law provided no direct remedy. ECPA might apply if the behavioral monitoring constituted interception of electronic communications, but courts had not established that WiFi triangulation data was "communication" in the relevant sense.

Fair Housing Act concerns were potentially relevant if the behavioral data was used in ways that produced discriminatory outcomes — for example, if occupancy pattern data was used to identify tenants who violated lease terms about guests (which could have disparate impact on extended-family households common in some immigrant communities), or if data was used in lease renewal decisions in ways that correlated with protected characteristics.

The attorney's overall assessment: Cascade's practices were probably legal under current law. They were almost certainly not what tenants understood they were consenting to when they signed the lease.

The Tenant Association's Response

The Fernwood tenant association drafted a set of demands and presented them to Cascade's management:

  1. Full disclosure, in the lease, of all data collected about tenants and their homes
  2. Data minimization: collection limited to what is necessary for building operations
  3. A specific data retention schedule, with automatic deletion of behavioral data after 90 days
  4. No sharing of tenant behavioral data with third parties for commercial purposes
  5. Warrant requirements for law enforcement access to tenant data
  6. No use of tenant behavioral data in lease renewal decisions

Cascade's response, after two months of negotiation, was partial:

  • The company agreed to add a data disclosure addendum to future leases
  • The company agreed to reduce the retention period for access log data from 24 months to 12 months
  • The company declined to commit to warrant requirements for law enforcement access, citing existing legal obligations to respond to valid legal process
  • The company declined to prohibit use of behavioral data in lease renewal decisions, noting that tenant compliance with lease terms (like guest limitations) was a legitimate renewal consideration

The tenant association considered this an incomplete victory. The disclosure addendum would inform future tenants; it did not address the data already collected from current tenants. The retention reduction was meaningful but still allowed 12 months of behavioral profiling. The refusals on law enforcement warrants and lease renewal use represented significant ongoing risks.

The Broader Pattern: Smart Buildings and Data Power

The Fernwood case is not exceptional. The "smart building" segment of commercial real estate has grown rapidly, driven by the potential of building data to reduce operational costs, optimize energy use, and — in a dimension the industry discusses less publicly — to provide property managers with detailed behavioral intelligence about their tenants.

Industry publications aimed at property managers have been candid about the commercial potential of building data. Articles in property management trade journals have discussed using occupancy pattern data to identify "high-risk" tenants (those who have frequent overnight guests, those who are rarely home, those who set unusual temperature preferences), to inform lease renewal decisions, and to provide data for property insurance underwriting.

This commercial logic — in which tenant behavioral data is a resource to be extracted and monetized — is the direct application of the surveillance capitalism model (Chapter 11) to residential real estate. Tenants generate data; property managers hold and use that data. The power relationship ensures that tenants have minimal ability to negotiate the terms of this exchange.

For lower-income tenants — those with fewer housing alternatives, those in subsidized housing, those in tight rental markets — the ability to contest data practices is even more constrained. The power to demand data disclosures or to refuse surveillance arrangements depends on the power to say no and walk away. In tight rental markets, most tenants cannot afford to say no.

The Fernwood case illustrates the limits of consent-based privacy frameworks in contexts of structural power asymmetry. Cascade's data practices were disclosed — eventually, in a separate document, in technical language, after the lease was signed. The disclosure framework suggests this constitutes informed consent. The reality of the tenant's situation — needing housing, facing limited alternatives, signing a take-it-or-leave-it lease — makes "consent" to surveillance a legal fiction.

Meaningful consent to surveillance in the landlord-tenant context would require:

  • Clear, prominent disclosure before the lease is signed
  • A realistic ability to negotiate or refuse surveillance terms
  • An understanding of what the data will be used for and who will access it
  • A realistic ability to exit the arrangement if practices change

None of these conditions obtains in most rental markets. The structural solution — the one that does not depend on individual tenants' ability to negotiate with institutional landlords — requires regulatory intervention: mandatory disclosure standards, data minimization requirements, restrictions on use of behavioral data in tenancy decisions, and warrant requirements for law enforcement access.

Discussion Questions

  1. Darius used his CCPA right to access his data and discovered the extent of Cascade's monitoring. Should CCPA-equivalent rights exist in all states? What would be required to make data access rights genuinely useful for renters?

  2. Cascade argued that using behavioral data (like guest patterns) in lease renewal decisions was a legitimate consideration of lease compliance. Evaluate this argument. What housing discrimination concerns does it raise?

  3. The tenant association achieved partial reforms through collective negotiation. What does their experience suggest about the effectiveness of tenant organizing as a surveillance governance mechanism? What are its limits?

  4. Design a "smart building tenant bill of rights" covering disclosure, data minimization, retention, access rights, and law enforcement access. Be specific about what the rights require and how they would be enforced.

  5. The chapter argues that consent to surveillance in rental housing is structurally fictional. Does this analysis apply equally to owner-occupied housing, where homeowners "consent" to smart home device data collection? Are there meaningful differences?