New York: New law establishes employer requirements for notice of electronic monitoring
On 8 November 2021, New York Governor Kathy Hochul signed into law Senate Bill ('SB') 2628, which requires every private-sector employer to provide notice of its electronic monitoring practices to all employees upon hiring, with written or electronic employee acknowledgement, and, more generally, in a 'conspicuous place' viewable by all employees. Since then, the law has taken effect on 7 May 2022. Mark Francis and Sophie Kletzien, from Holland & Knight LLP, summarise the main provisions and implications of SB 2628, while drawing comparisons to other States' laws.
Passage of SB 2628
The new law applies to all private employers within the state, regardless of size or entity type, and governs surveillance of employee internet usage and communications, including phone calls, text messages, and emails. The notice, either in written or electronic form, must advise employees that any and all telephone conversations, email communications, and internet access or usage may be subject to monitoring 'at any and all times and by any lawful means'.
The law amends the Civil Rights Law of the Consolidated Laws on New York, and is focused primarily around protecting the privacy interests of employees and a workforce that has largely shifted to electronically-based remote work in the wake of the COVID-19 pandemic. Accordingly, the new law only covers processes that target the activity or communications of a particular employee, and excludes activities designed to manage the type or volume of incoming or outgoing email, telephone voice mail, or internet usage, or performed solely for the purpose of system maintenance or security. This exclusion is important, but it may give rise to some grey areas given the potential for using monitoring tools to achieve multiple purposes.
Employee monitoring is a common practice, and many businesses already disclose monitoring practices through employee handbooks or internal privacy policies, as well as via electronic alerts on computer login screens. Nonetheless, the new law broadly covers all private employers. Therefore, there are likely a large number of businesses that will need to review and update their current practices. In addition, the required notice and affirmative employee acknowledgement 'upon hiring' may necessitate an update to new hire onboarding procedures in New York starting on 7 May 2022, when the law took effect.
The new law grants enforcement authority to the New York State Attorney General ('AG'), who may impose civil penalties upon employers not in timely compliance. Penalties range from $500 to $3,000 per violation, with a maximum of $500 for the first offense, $1,000 for the second offense, and $3,000 for any subsequent offenses. The law does not provide a private right of action.
New York's existing employee privacy laws
Before the passage of SB 2628, employees were subject to the existing protections of the law on eavesdropping under §§250.00 and 250.05 of Article 250 of Title N of Part 3 of Chapter 40 of the Penal Law of the Consolidated Laws of New York, which makes it unlawful for any individual (including an employer) to engage in wiretapping or to intercept electronic communications. Wiretapping is defined as 'intentionally overhearing or recording telephone communications of which the person is not a sender or receiver by means of any instrument, device, or equipment'. Because the definition of wiretapping includes only aural communications containing human voices, the law does not apply to video surveillance that does not capture sound or audio.1 In addition, the eavesdropping law does not apply if one of the parties to the call consents. Consent may be express or implied. Therefore, a party's consent to the taping of their telephone calls may be inferred from their knowledge that such conversations would be monitored.2 However, without the consent of one party, employers may not wiretap their own telephones in order to intercept a conversation between an employee and another person, even for the purpose of determining whether the employee was being unfaithful, disloyal, or dishonest to the employer.3
Similarities with other States' laws
With SB 2628 having entered into effect, New York follows similar requirements in Connecticut and Delaware. New York's law largely mimics the construction and enforcement of Connecticut and Delaware law, but it displays certain differences in scope and application.
Like New York's new law, §31-48D of Chapter 557 of Title 31 of Volume 9 of the Connecticut General Statutes ('the Connecticut Employee Electronic Monitoring Law') requires employers to provide prior written notice to employees about the types of monitoring which may occur. Employers in Connecticut must conspicuously post a notice of electronic monitoring practices, but the notice requirement is not specific to new hires, and does not require affirmative acknowledgment. The Connecticut Employee Electronic Monitoring Law encompasses both private and state employers, and more broadly defines 'electronic monitoring' as covering all information 'on an employer's premises concerning employees' activities or communications by any means other than direct observation'.
The Connecticut Employee Electronic Monitoring Law permits an employer to conduct electronic monitoring without giving prior notice if it has reasonable grounds to believe that employees are violating the law, violating the legal rights of the employer or other employees, or creating a hostile workplace environment. The Connecticut Employee Electronic Monitoring Law is enforced by the Connecticut Labor Commissioner, who may levy civil penalties ranging from $500 to $3,000.
§705 of Subchapter I of Chapter 7 of Title 19 of the Delaware Code ('Del. C.') also requires employers to provide prior written notice regarding monitoring of phone transmissions, email, and internet access or usage. Like in Connecticut, 19 Del. C. §705 covers both private and state employers. Uniquely, 19 Del. C. §705 allows employers to choose between two methods of notification: either by providing daily notice when the employee accesses employer-provided systems or the internet, or by providing a one-time written or electronic notice to the employee and obtaining employee acknowledgement electronically or in writing. Employers who violate 19 Del. C. §705 may be subject to a $100 civil penalty for each violation, which can be filed in any court of competent jurisdiction.
More broadly, we may see a split in how states address employee privacy in the coming years. The California Consumer Privacy Act of 2018 ('CCPA'), and subsequent California Privacy Rights Act of 2020 ('CPRA'), extends to employees the same privacy rights afforded to consumers (such as the right to access, correct, and delete one's personal information), although California postponed the effective date for employees to exercise such rights until 2023. By contrast, the Virginia Consumer Data Protection Act ('CDPA') and Colorado Privacy Act ('CPA') exclude employees when enacting similar rights for consumers. These distinct approaches could reflect a difference in opinion as to whether businesses need more flexibility in collecting and using employees' personal information.
Implications of SB 2628
For now at least, SB 2628 reflects a growing legislative push in New York for more transparency in data privacy practices. New York City recently amended its administrative code in the summer of 2021, placing new regulations on businesses' use of biometric information and requiring formal notice to all customers regarding the collection of such information.4 Shortly after, the City also passed the Tenant Data Privacy Act, through Bill No. 1760-2019, requiring owners of smart access buildings to notify and obtain express consent from all tenants to use their biometric information. These laws demonstrate a preference for consent and transparency, rather than imposing restrictions on business practices. Indeed, creators of SB 2628 note the law's purpose of helping businesses 'avoid lawsuits and litigation regarding invasion of privacy' by keeping employees informed of surveillance practices.5
Legislative focus on transparency also indicates an intent to spare employers from the burden of stringent regulations requiring them to change their practices amongst the uncertainty of the pandemic. Electronic surveillance of employees serves as a valuable tool for employers to monitor the operations of their business despite decreased face-time with employees. In a period where many are attending work virtually from within their homes, businesses may find the line between their employees' personal and professional online use gets blurred during work hours. Drafters of SB 2628 referred to the 2007 Electronic Monitoring and Surveillance Survey by the Management Association and The ePolicy Institute, which found managers who fired employees for internet misuse cited the two main reasons as violation of company policy and excessive personal use. By making the guidelines clearer, legislators reason, "employees will be less likely to undermine company standards".
The entry into effect of SB 2628 and other New York privacy legislation in the past year demonstrates an increased mindfulness for the delicate balance between business productivity and employee privacy rights. The law seeks to support both interests by requiring employers to address and disclose their existing electronic monitoring practices while encouraging employee awareness of privacy limits in the remote workplace.
1. Video surveillance of restrooms, locker rooms, or designated changing room spaces is prohibited separately under §203-C of Article 7 of Chapter 31 of the Labor Law of the Consolidated Laws of New York.
2. See, e.g., People v. Jackson, 125 A.D.3d 1002, 1004.
3. See 1957 Opinions of the Attorney General 272, 1957 WL 86789.
4. See §§22-1201 to 1205 of the New York City Administrative Code.
5. See at: https://www.nysenate.gov/legislation/bills/2021/s2628/