New York Latest State to Provide Additional Employee Privacy Protections With Electronic Monitoring Law
Beginning on May 7, 2022, employers in New York State who engage in electronic monitoring of employee communications will be required to notify their workers of such monitoring.
S2628, signed into law on November 8, 2021, requires all employers in the state of New York to provide prior written notice to newly hired employees if they intend to monitor or otherwise intercept telephone conversations or transmissions, email, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems. This likely includes video conferencing platforms such as Zoom or Teams. Notice must be:
Provided in writing;
In an electronic record, or in another electronic form; and
Acknowledged by each employee either in writing or electronically.
Electronic monitoring “solely for the purpose of computer system maintenance and/or protection” does not trigger S2628’s notice requirements.
Employers must also post a notice of electronic monitoring in a conspicuous place which is readily available for viewing by their employees who are subject to electronic monitoring.
S2628 does not contain a private right of action. However, as has been seen with other data privacy statutes, the absence of such a provision will not necessarily preclude plaintiffs from filing suits against defendants for purported violations of their obligations under S2628. A common practice in data privacy litigations is for plaintiffs to seek to use violations of a statutory right to privacy as a predicate for imposing liability under other theories of recovery, such as negligence per se. This is frequently done by plaintiffs in data event and cybersecurity class actions and the same approach could be used here.
Further, S2628 is enforceable by the New York state office of the attorney general, which is authorized to seek penalties of up to $500 for the first offense, $1,000 for a second offense, and $3,000 for third and subsequent offenses.
More broadly, S2628 fits within a recent trend of increased focus on measures to protect the privacy of individuals in the employment context. The California Consumer Privacy Act (“CCPA”), which took effect in 2020, provides consumers—including employees (subject to several significant exemptions)—certain rights regarding the personal information that businesses collect about them. Although the California Privacy Rights Act (“CPRA”) extended the CCPA’s employee-related exemptions until January 1, 2023, employers are still required to provide employees with a notice at collection. There are laws similar to S2628 in Connecticut and Delaware.
This proliferation of state laws has been accompanied by a rise in data privacy lawsuits brought by employees concerning their employers’ privacy practices. Cases have been frequently brought this year in the wake of cyberattacks directed against employers that result in the purported disclosure of employees’ personal information. There have also been increased privacy litigations filed regarding employers’ collection of the biometric data and sensitive financial information of employees (with suits filed under the Illinois Biometric Information Privacy Act (“BIPA”) and the Fair Credit Reporting Act (“FCRA”), among others).