A MoFo Privacy Minute Q&A: New NY State Employee Social Media Monitoring Restrictions

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.

Question: My company does not ask employees or job applicants for access to their personal social media accounts because of workplace social media privacy laws in various states. Does the new workplace privacy law in New York (Senate Bill S2518A), which took effect on March 12, 2024, add any further requirements that we should know about?

Answer: New York became the latest state to prohibit private employers from asking current and prospective employees to provide access to their personal online accounts. The New York law generally prohibits an employer from requesting or requiring an employee or applicant to:

• share their username and password, or any other authentication information for accessing a personal account (i.e., one that is used exclusively for personal purposes);
• access their personal account in the employer’s presence; or
• reproduce information contained in their personal account.

New York joins more than two dozen states that have passed similar laws since 2012 to protect workers’ privacy. While several of these state laws restrict access to an employee’s or applicant’s “social media account,” the term is often defined to cover a variety of electronic accounts beyond traditional social media platforms, including personal email, e-commerce, messaging services, and more.

Like several other state laws, the New York law does not prohibit an employer from viewing information about an employee or applicant that is publicly available on the internet or from requiring an employee to disclose access information for accounts known to be used for business purposes.

New York, along with a minority of states, exempts company-issued devices and certain personal (BYOD) devices from the prohibitions. However, New York uniquely limits this exemption, requiring the employer (i) to provide advance notice to the employee of its right to access the device, and (ii) to obtain the employee’s explicit agreement to the notice. Consequently, companies should ensure that they have a mobile device policy that sets out the terms and conditions for use of company-issued or BYOD devices for work purposes, including access to the device by the company, and that they maintain evidence of employees’ agreement to the policy.

The New York law also expressly prohibits an employer from accessing an employee’s personal accounts on such devices. Employers should be mindful of this distinctive provision of the New York law when they collect electronic data for purposes of conducting an internal investigation or responding to litigation or a regulator inquiry. For example, this prohibition is potentially problematic in light of a business’s duty to preserve relevant communications sent or received through non-business messaging applications in the context of a government investigation, as addressed by the Department of Justice (DOJ) Criminal Division’s Evaluation of Corporate Compliance Programs (ECCP).

Of note, the DOJ revised its ECCP in March 2023 to establish a clear expectation that companies will design and implement policies that best maximize their ability to access data on BYOD devices and personal messaging applications. Companies that do not provide a means to retain and access business communications on personal devices and third-party messaging applications could face a loss of cooperation credit and increased criminal penalties following DOJ investigations. Businesses in New York will need to carefully draft their mobile device policies and their third-party messaging policies to navigate the potential conflict between the March 2023 ECCP and the New York law. They will also need to develop thoughtful practices that enable them to comply with both the New York law and the DOJ’s retention policies for business communications.

Carson Martinez, Associate, contributed to the drafting of this alert.