Effective May 7, 2022, most New York employers must notify their employees of any electronic monitoring by posting a notice in the workplace. Additionally, employers must give express written notice to all new employees of any electronic monitoring the employer performs and obtain written or electronic acknowledgment of such monitoring. The law applies broadly to any employer that is an individual, corporation, partnership, firm or association with a place of business in the state of New York, regardless of size.

This law follows a trend of jurisdictions that are increasing employer notice obligations as they pertain to employee privacy, and New York employers should take steps, as outlined below, to ensure that their current notices and policies comply with this newly-enacted New York electronic monitoring law.

Overview of the Law

On November 8, 2021, Governor Hochul signed a law amending the New York Civil Rights Law to require employers who monitor or intercept telephone conversations, electronic mail, or internet access or usage by any employee by any electronic device or system to:

  • Give Notice and Secure an Acknowledgment from New Hires. Notice of monitoring must be provided upon hiring to all new employees. This notice must be in writing, electronic record or another form and be acknowledged in writing or in an electronic form.
  • Post Notice for All Employees. Covered employers must also post a notice of their electronic monitoring in a conspicuous place which is readily available for viewing by all employees subject to the electronic monitoring.

The law does not require employers to obtain acknowledgement from existing employees.

The law provides language akin to a model employee notice that employers can use, which states “an employee shall be advised that any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”

The law does not apply to processes—such as firewalls or spam filters—that manage the type or volume of e-mail, telephone voicemail or internet usage but do not target or intercept the e-mail, telephone voicemail or internet usage of a particular individual and that are performed solely for the purpose of computer system maintenance and/or protection.

The law does not explicitly address whether individuals hired by New York employers to work remotely out of state are entitled to notice. However, in the absence of guidance, it may be prudent for employers to extend this right to employees outside of the state.

  • Enforcement and Penalties. The law is enforced by the Attorney General of New York and violation of the law makes employers subject to a maximum civil penalty of $500 for their first violation, $1,000 for their second violation and $3,000 for each subsequent violation of the law. There is no private right of action.

Growing Trend

There is a growing trend in favor of employer transparency as it relates to employee monitoring and collection of data. Other states, including Connecticut and Delaware, have similar employee surveillance laws, and the California Consumer Privacy Act requires notices to applicants and employees of how employers collect and use their data, and will provide employees with rights as it pertains to personal information collected by businesses after the employee-related exemptions expire January 1, 2023.

Recommended Actions for Employers

To avoid potential civil penalties, New York employers should prepare for the law by taking the following steps:

  • Update their employee handbooks, employee internet log-in portals and employee-facing website portals to reflect the law’s notice requirements.
  • Prepare an acknowledgement to be included in onboarding documents for new employees.
  • Prepare a notice to conspicuously post in a public area in the workplace—such as by the printer or coffee machine—to satisfy the law’s posting requirement. Employers may also elect to post the notice on their intranet sites.
  • The bill does not seem to be limited to employer-issued computers or devices. Employers should ensure their notices describe the electronic monitoring the employer performs on employee devices that are not employer-issued.

The authors would like to thank Jarrett Lewis, a Debevoise law clerk, for his contributions to this post.

***

To subscribe to our Data Blog, please click here.

Author

Jyotin Hamid, a partner in the New York office, is a seasoned litigator with extensive courtroom experience. He handles a diverse array of complex commercial litigation matters, with a particular focus on employment litigation and intellectual property disputes. He has represented major companies in their most challenging commercial matters. In the employment area, he has successfully handled numerous whistleblower, discrimination, contract, compensation and corporate raiding litigations involving high-level executives in a broad range of industries. Mr. Hamid also counsels employers on their most sensitive personnel matters, including investigations of alleged executive misconduct. He is also deeply involved in Debevoise’s market-leading intellectual property practice, and he has litigated trademark and trade dress cases involving some of the most well-known brands in the world.

Author

Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at tbsherno@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.