Articles

Employment Law Update: New York Employers: Employee Privacy Law Became Effective March 12, 2024

Date: March 12, 2024
New York employers must now comply with a new privacy law in effect. Specifically, employers are prohibited from obtaining certain information and/or access to an applicant or employee’s personal electronic accounts. On September 14, 2023, New York Governor Hochul signed S.2518/A.836 into law, which amends New York’s Labor Law to now prohibit employers from requesting, requiring or coercing a job applicant or employee to:

(1) disclose the username, login information, and passwords of their personal accounts[1] through an electronic communications device[2]; (2) access the employee's or applicant's personal account in the presence of the employer or (3) reproduce, in any manner, photographs, video, or other information contained within a personal account obtained by means prohibited by this law, as a condition of hire, employment or for use in a disciplinary action. The law became effective March 12, 2024.

Notably, the law does not prohibit an employer from:
  1. requiring an employee to disclose any username, password or other means for accessing non-personal accounts that provide access to the employer's internal computer or information systems;
  2. requesting or requiring an employee to disclose access information to an employer-provided account used for business purposes where the employee was provided prior notice of the employer's right to request or require such access information;
  3. accessing a company-paid electronic communications device where the provision of or payment for such electronic communications device was conditioned on the employer's right to access such device and the employee was provided prior notice of and explicitly agreed to such conditions (though an employer may not access any personal accounts on such device);
  4. complying with a court order in obtaining or providing information from, or access to, an employee's accounts as such court order may require;
  5. restricting or prohibiting an employee's access to certain websites while using an employer's network or while using an electronic communications device paid for in whole or part by the employer where the provision of or payment for such electronic communications device was conditioned on the employer's right to restrict such access and the employee was provided prior notice of and explicitly agreed to such conditions;
  6. viewing, accessing, or utilizing information about an employee or applicant that can be obtained without any required access information, that is available in the public domain, or for the purposes of obtaining reports of misconduct or investigating misconduct, photographs, video, messages, or other information that is voluntarily shared by an employee, client, or other third party that the employee subject to such report or investigation has voluntarily given access to contained within such employee's personal account.
  7. complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization; or
  8. raising as an affirmative defense that it acted to comply with federal, state or local law requirements.
Thus, covered employers may not terminate, discipline, or penalize an employee or otherwise threaten to do so because of an employee's refusal to disclose information that cannot be compelled under this law. Covered employers also may not fail or refuse to hire a job applicant because the applicant refuses to disclose information that cannot be compelled under this law.

New York follows at least twenty other states, including California, Connecticut, Delaware, Maryland, and New Jersey, that have passed similar legislation.

What Should Employers Do Now?
 
  • Review/update, where needed, relevant policies and agreements to address the lawful circumstances when an employer may request or require login and password access information to accounts on electronic communications devices, including those used for business purposes and to access to the employer's internal computer or information systems;
 
  • Provide written notice to employees of (and get their consent to) your organization's right to request or require such access information on Company-owned and paid-for electronic devices and communications and under what circumstances and get a signed acknowledgement of receipt.
     
  • Train your managers and Information Services/Technology personnel on this new law.

Whiteford’s Labor & Employment Law Group is continuing to monitor developments in this area and will provide updates as they develop. Please feel free to reach out to our Department with any questions.
 
[1] "Personal account" means an account or profile on an electronic medium where users may create, share, and view user-generated content, including uploading or downloading videos or still photographs, blogs, video blogs, podcasts, instant messages, or internet website profiles or locations that is used by an employee or an applicant exclusively for personal purposes.
 
[2] "Electronic communications device" means any device that uses electronic signals to create, transmit, and receive information, including, but not limited to computers, telephones, personal digital
assistants and other similar devices.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.