New York Enacts Employee Privacy Law

Privacy & Cybersecurity Update

Date: May 10, 2022

Most businesses understandably work to protect the privacy and security of consumers’ personal information. Of at least equal importance, however, is the privacy and security of their employees’ information. On May 7, New York’s new employee privacy law became effective and it requires employers to provide written notice to their employees prior to engaging in certain electronic monitoring activities. The state’s attorney general is responsible for enforcing the law (as it does not expressly provide a private right of action), and businesses may face financial penalties for noncompliance. Although several recently enacted consumer privacy laws exempt from their scope personal data collected in the human resources (HR) context – with California being a notable exception – New York’s law should serve as a reminder of the broad range of surveillance, data privacy, and information security requirements applicable to HR data.

New York Employee Privacy Law

Scope of applicability. The New York law applies to any private business (e.g., individual corporation, partnership, firm, or association) with a place of business within the state that uses an electronic device to monitor or otherwise intercept an employee’s (i) telephone conversations or transmissions, (ii) electronic mail or transmissions, or (iii) internet access or usage. Accordingly, unlike other data protection laws, New York’s employee privacy law does not limit its scope of applicability to a business based on its size, revenue, or number of employees and does not create any type of exception specifically for small businesses.

Notice and acknowledgment. The law mandates that employers issue a formal notice to employees stating that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee … may be subject to monitoring at any and all times by any lawful means.” It further provides that employers must provide this written notice “upon hiring to all employees who are subject to electronic monitoring” and the notice must be “acknowledged by the employee either in writing or electronically.” Most often, an organization will include this notice in an employee handbook or other data protection policy and require employees to review and agree to it during the onboarding process.

General notice. In addition to furnishing formal, written notice directly to employees, the New York law requires employers to “post the notice of electronic monitoring in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.” This requirement seems analogous to posting other HR practices and employee disclaimers (e.g., whistleblower or antidiscrimination rights) on a company’s bulletin board or in the employee breakroom. In addition, the law requires employers to physically post the actual notice or policy that is provided to employees upon hiring and does not appear to allow for substitute notices or summaries to be posted in its place. However, as a matter of best practice, organizations should consider posting on computers and other devices similar disclaimers that employees have to acknowledge and agree to at the time of login.

Exceptions. The New York law sets forth one important exception. In particular, it provides that its notice and acknowledgment requirements do not apply to surveillance or monitoring processes or techniques “that are designed to manage the type or volume of incoming or outgoing” email, voicemail, or internet usage that do not target “a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.”

HR Activities: Federal and State Data Protection Laws

The New York law should remind employers of the broad range of federal and state laws governing surveillance, data privacy, and information security that apply in the HR context. For instance, New York’s law incorporates several aspects of the employee surveillance laws enacted in Delaware and Connecticut, which set forth similar notice and acknowledgment requirements. Accordingly, organizations that are subject to the New York law should implement very similar processes and procedures to comply with their obligations under the Delaware and Connecticut laws.

The federal Wiretap Act and similar laws enacted by state legislatures protect the privacy and confidentiality of certain wire, oral, and electronic communications, including those transmitted via telephone, email, and the internet. In fact, the monitoring of employees’ private communications – even when undertaken on employer-provided devices – may constitute an impermissible and unlawful “interception” of such communications under the Wiretap Act and similar state laws. Accordingly, businesses should ensure that their employment monitoring activities align with these federal and state laws, and that they have implemented and maintain acceptable use policies and procedures that clearly delineate an employee’s expectation of privacy (or lack thereof) on company-provided technology and devices to ensure compliance with these legal requirements. In fact, the substance of the “notice” requirement set forth in the New York law will be similar to the disclaimers that organizations should furnish their employees to address compliance issues with respect to federal and state wiretap laws.

Some states have adopted data protection laws requiring employers to furnish their employees with notice of their data processing activities that are not limited to surveillance activities. For instance, Michigan law requires organizations that collect Social Security numbers in certain circumstances to adopt and maintain a “privacy policy” that addresses confidentiality and unlawful disclosures of such data, access privileges, data disposal, and penalties for noncompliance. The law further requires these organizations to “publish the privacy policy in an employee handbook, in a procedures manual, or in [one] or more similar documents, which may be made available electronically.”

Several state and local laws require organizations to adopt formal policies governing the collection, retention, and secure disposal of sensitive personal data, such as Social Security numbers, and these extend to personal data collected from employees and contractors. In addition, every U.S. state has enacted its own data breach notification law that requires organizations to notify individuals when their personal information has been subject to unauthorized access, acquisition, use, or disclosure. These laws generally apply to sensitive personal information included in HR records and other personnel files relating to employees.

California and HR Data

The California Consumer Privacy Act of 2018, as amended (CCPA), imposes a broad range of data protection obligations on covered businesses and their service providers. Importantly, it requires covered businesses to furnish to employees a “notice at collection,” which essentially is a notice provided to employees and other consumers by a business at the time (or before) the business collects personal information from the individual. An employee privacy notice that is compliant with the CCPA should include, but would not be limited to, the types of personal information collected by a business through its information technology monitoring and surveillance activities that are described in the New York employee privacy law. Importantly, the CCPA currently exempts several of the law’s privacy requirements from applying in the HR context (e.g., privacy right requests). However, these exemptions are scheduled to expire on January 1, 2023, and businesses should be prepared to comply with a broad range of data protection requirements in the HR context.

FOR MORE INFORMATION

For more information, please contact:

Steven G. Stransky
216.566.5646
202.263.4126
Steve.Stransky@ThompsonHine.com
Certified Information Privacy Professional/Government (CIPP/G)
Certified Information Privacy Professional/United States (CIPP/US)

Thomas F. Zych
216.566.5605
Tom.Zych@ThompsonHine.com

Thora Knight
212.908.3971
Thora.Knight@ThompsonHine.com

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2022 THOMPSON HINE LLP. ALL RIGHTS RESERVED.