Employee communications and use of company devices are often key issues in trade secret and related litigation. United States law, for the most part, has been very supportive of an employer’s ability to engage in aggressive employee monitoring, as long as there is appropriate communication to employees about these activities. Accordingly, most employers have policies in place to notify employees that they do not have a reasonable expectation of privacy in company devices, communications and networks, and that the company may monitor such electronic systems for any legitimate business purpose.
At the same time, these historic practices are now facing new challenges. Employers should be aware of recent laws in several jurisdictions that require employers to give employees certain notices of electronic monitoring.
On May 7, 2022, a law requiring employers to notify employees of electronic monitoring took effect in New York. This new law—which amends the New York Civil Rights Law—applies to all private employers in New York, and it requires specific notice be provided to employees (1) upon hire and (2) in a “conspicuous place” (e.g., company intranet) that is viewable by all employees. The law requires that employees who may be subject to monitoring be advised that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems[,] may be subject to monitoring at any and all times and by any lawful means.” Employers are required to secure from all new hires (hired on or after May 7, 2022) an acknowledgment—either in writing or electronically—of the written notice. There is no private cause of action for a violation of this law, but there are escalating civil penalties, enforceable by the attorney general of New York ($500 for the first violation, $1,000 for the second violation and $3,000 for each subsequent violation of the law).
Delaware and Connecticut have similar laws that predate New York’s. Delaware requires a similar notice upon hire to employees but does not require employee acknowledgment of such notice. Like New York, Connecticut requires a notice to be posted in an employer’s workplace, but it does not require notice upon hire (or acknowledgment of the same).
In addition to the laws in New York, Delaware and Connecticut (which explicitly focus on employee monitoring), employers should also be aware of data privacy laws that may affect the type of notice they need to provide employees regarding the information they collect. Most notably, California employers that are subject to the California Consumer Privacy Act (CCPA) need to provide their employees with notice of the categories of personal information they collect as well as the purposes for their collection. Additionally, the CCPA will be replaced by the California Privacy Rights Act of 2020 (CPRA) on January 1, 2023, and employment data (which was previously exempt from the scope of the CCPA, except for the aforementioned notice requirement) will now fully be subject to the law’s requirements. Under the CPRA, covered employers (companies with annual gross revenue above $25 million in the previous calendar year; companies that collect, store, analyze, disclose or otherwise use the personal information of 100,000 or more California residents/households; or companies that derive at least 50% of annual revenue from selling or sharing personal information of California residents) will have a host of additional requirements, including providing California employees with certain individual rights relating to their data. In addition to providing employees with notice of the collection of employee personal information (including certain employee communications using an employer’s electronic systems), the CPRA gives employees the ability to access, correct, delete and restrict the use of their personal information. Additional information regarding employer obligations under the CPRA will be available shortly, with the deadline for publication of the CPRA’s final regulations set for July 1, 2022.
We encourage you to reach out to WilmerHale’s Cybersecurity and Privacy Practice and WilmerHale’s Labor and Employment Department with any questions regarding employee monitoring and privacy-related considerations.