Important Privacy Law Development -- New York State Employee Monitoring Law Goes Into Effect in May
Starting May 7, 2022, employers in the state of New York will be required to provide notice to their employees of certain types of electronic monitoring (S2628).
The law applies specifically to any employers (defined under the law as “any individual, corporation, partnership, firm, or association with a place of business in the state”) that engage in electronic monitoring of their employees.
What is “electronic monitoring”?
Under the new law, electronic monitoring is when any employer “monitors or otherwise intercepts telephone conversations, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems.”
This means that employers that record employee phone calls, review employee emails, use monitoring software on emails or computers, or otherwise use electronic means to track or monitor their employees must be aware of and comply with their new obligations under this law.
What do employers need to do?
The law requires the employers to provide prior written notice upon hiring to all employees who are subject to electronic monitoring. The notice must be in writing or in an electronic record and acknowledged by the employee. Each employer must also post the notice of electronic monitoring in a conspicuous place which is readily available for viewing by the employees subject to the electronic monitoring.
What do notices need to say?
In the written notice, the employee must be advised that “mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”
Notice is not required, however, for processes that are (1) designed to manage the type or volume of email, voicemail, or internet usage, (2) not targeted to monitor or intercept the email, voicemail, or internet usage of a particular individual, and (3) performed solely for computer system maintenance or protection.
What happens if companies don’t comply?
The Attorney General of New York may enforce this law through a maximum civil penalty of $500 for the first offense, $1,000 for the second offense, and $3,000 for any subsequent offense.
What should companies do next?
Companies have just over a month now to operationalize the requirements of this law before it becomes effective.
To prepare, New York employers should:
- Identify and understand the instances of employee monitoring that they engage in, as defined under the law;
- Draft the written notice and implement a mechanism for obtaining and tracking acknowledgements from new employees;
- Determine how and where to post the notice of electronic monitoring; and
- Incorporate these notice requirements into the company’s broader privacy and security compliance function.
Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.