New York Governor Hochul signed legislation on November 8, 2021 that requires all private employers to notify their employees of their intention to monitor work phones, email, or internet use.
The law, which takes effect on May 7, 2022, will require all private employers with a place of business in New York State, regardless of size, to provide notice upon hire to new employees if the employer monitors or intercepts, or plans to monitor or intercept, telephone or email communications or internet access or usage by the employee. The law does not specifically address notice requirements for current employees. The notice must be in writing or electronic format and must be acknowledged in writing or electronically by the employee.
Additionally, employers must post a notice in a “conspicuous place which is readily available for viewing by its employees.” The notice must advise employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”
According to the “justification” section of the bill provided by the sponsors, employers “will retain the right to monitor computer usage, simply with the stipulation that employees are informed of surveillance practices,” which they say “will increase transparency within the organization,” “help to avoid lawsuits and litigation regarding invasion of privacy,” and “permit employees to make informed decisions about their internet use with full knowledge of the ramifications of their actions, while supporting companies’ ability to monitor Internet activity within their organization.”
The bill specifically provides that it does not apply to processes that (1) are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, (2) are not targeted to monitor or intercept the activities of a particular individual, and (3) are performed solely for the purpose of computer system maintenance and/or protection.
Any employer that violates the law will be subject to a maximum civil penalty of $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense. The law will be enforced by the state Attorney General, not the Department of Labor, and does not provide for a private right of action.