Latest Compliance News

New York Adds Electronic Personal Account Protections

[EDNcf:IfExists:PubDate] [EDNcf:PubDate] [EDNcf:EndIf:PubDate]

Author: ADP Admin/Wednesday, October 4, 2023/Categories: Compliance Corner

New York has enacted legislation (Senate Bill S2518A), which prohibits employers from accessing certain electronic personal accounts. Senate Bill S2518A takes effect on March 12, 2024.

The Details

Senate Bill S2518A protects an employee’s right to privacy for an account or profile on an electronic medium where users may create, share, and view user-generated content (personal accounts). This includes uploading or downloading videos or still photographs, blogs, video blogs, podcasts, instant messages, or internet website profiles or locations that are used by an employee or an applicant exclusively for personal purposes.

The law prohibits employers from requesting, requiring or coercing an employee or applicant to:

  • Access the employee or applicant’s personal account in the presence of the employer;
  • Disclose a username, password or other authentication information to access a personal account through an electronic communications device; or
  • Reproduce photos, videos or other information contained within a personal account obtained with unlawful methods.

However, an employer may request or require an employee to disclose access information to an account:

  • Known to the employer to be used for business purposes; and
  • Provided by the employer that is used for business purposes, if the employee received notice of the employer’s right to request or require the access information.

Employers may also take the following actions under the law:

  • Access electronic communications devices that the employer paid for (in whole or in part) where the provision of or payment for the device was conditioned on the employer’s right to access the device, and the employee had notice of that right and explicitly agreed to such conditions.

Note: Employers are prohibited from accessing personal accounts on such devices.

  • Comply with a court order that requires them to obtain or provide information from or access to an employee’s account.
  • Restrict or prohibit access to certain websites while an employee uses the employer’s network or a device (paid in whole or in part) by the employer, provided the provision of or payment for the device was conditioned on the employer’s right to restrict access and the employee had notice and explicitly agreed to such conditions.
  • View, access or utilize information about an employee or applicant that:
  • Access information obtained from an employee or applicant voluntarily adding the employer, agent of the employer or employment agency to their list of contacts associated with their personal account.

Nonretaliation

Under the law, an employer cannot:

  • Discharge, discipline, penalize or threaten to take such actions against employees who refuse to disclose access information to their personal accounts; or
  • Refuse to hire an applicant for refusing to disclose their personal account information.

Note: Employers may require an employee to disclose a username, password or other access means for accounts that are not personal and provide access to the employer’s internal computer or information systems.

Next Steps

  • Review data privacy and social media policies and practices to ensure compliance with Senate Bill S2518A by March 12, 2024.
  • Train supervisors on the law.

Resource Corner