STATE OF NEW YORK
________________________________________________________________________
1320
2025-2026 Regular Sessions
IN ASSEMBLY
January 9, 2025
___________
Introduced by M. of A. SIMON, SEAWRIGHT, ZINERMAN, SANTABARBARA, McDONOUGH, JACKSON, DAVILA, RAGA -- read once and referred to the Committee on Labor
AN ACT to amend the labor law, in relation to the "uniform employee and
student online privacy protection act"
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "uniform
2 employee and student online privacy protection act".
3 § 2. The labor law is amended by adding a new article 33-A to read as
4 follows:
5 ARTICLE 33-A
6 UNIFORM EMPLOYEE AND STUDENT
7 ONLINE PRIVACY PROTECTION ACT
8 Section 965. Definitions.
9 966. Protection of employee online accounts.
10 967. Protection of student online accounts.
11 968. Civil action.
12 969. Uniformity of application and construction.
13 970. Relation to electronic signatures in global and national
14 commerce act.
15 § 965. Definitions. As used in this article:
16 1. "Content" means information, other than login information, that is
17 contained in a protected personal online account, accessible to the
18 account holder, and not publicly available.
19 2. "Educational institution" means a person that provides students at
20 the postsecondary level an organized program of study or training which
21 is academic, technical, trade-oriented, or preparatory for gaining
22 employment and for which the person gives academic credit. The term
23 includes both a public or private institution and also applies to any
24 agent or designee of the educational institution.
25 3. "Electronic" means relating to technology having electrical,
26 digital, magnetic, wireless, optical, electromagnetic, or similar capa-
27 bilities.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD00072-01-5
1 4. "Employee" means an individual who provides services or labor to an
2 employer in exchange for salary, wages, or the equivalent or, for an
3 unpaid intern, academic credit or occupational experience including
4 independent contractors. The term includes a prospective employee who:
5 (a) has expressed to the employer an interest in being an employee; or
6 (b) has applied to or is applying for employment by, or is being
7 recruited for employment by, the employer.
8 5. "Employer" means a person that provides salary, wages, or the
9 equivalent to an employee in exchange for services or labor or engages
10 the services or labor of an unpaid intern. The term includes an agent
11 or designee of the employer.
12 6. "Login information" means a user name and password, password, or
13 other means or credentials of authentication required to access or
14 control of a protected personal online account or an electronic device,
15 which the employee's employer or the student's educational institution
16 has not supplied or paid for in full, that itself provides access to or
17 control over the account.
18 7. "Login requirement" means a requirement that login information be
19 provided before an online account or electronic device can be accessed
20 or controlled.
21 8. "Online" means accessible by means of a computer network or the
22 internet.
23 9. "Person" means an individual, estate, business or nonprofit entity,
24 public corporation, government or governmental subdivision, agency, or
25 instrumentality, or other legal entity.
26 10. "Protected personal online account" means an employee's or
27 student's online account that is protected by a login requirement. The
28 term does not include an online account or the part of an online account
29 that is publicly available. The term also does not include an online
30 account or the part of an online account that the employer or educa-
31 tional institution has notified the employee or student might be subject
32 to a request for login information or content, and which:
33 (a) the employer or educational institution supplies or pays for in
34 full; or
35 (b) the employee or student creates, maintains, or uses primarily on
36 behalf of or under the direction of the employer or educational institu-
37 tion in connection with the employee's employment or the student's
38 education.
39 11. "Record" means information that is inscribed on a tangible medium
40 or that is stored in an electronic or other medium and is retrievable in
41 perceivable form.
42 12. "Student" means an individual who participates in an educational
43 institution's organized program of study or training. The term includes:
44 (a) a prospective student who expresses to the institution an interest
45 in being admitted to, applies for admission to, or is being recruited
46 for admission by, the educational institution; and
47 (b) a parent or legal guardian of a student under the age of eighteen.
48 § 966. Protection of employee online accounts. 1. Subject to the
49 exceptions in subdivision two of this section, an employer may not:
50 (a) require, coerce, or request an employee to:
51 (i) disclose the login information for a protected personal online
52 account;
53 (ii) disclose the content of the account, except that an employer may
54 request an employee to add the employer to, or not remove the employer
55 from, the set of persons to which the employee grants access to the
56 content;
1 (iii) alter the settings of the online account in a manner that makes
2 the login information for, or content of, the account more accessible to
3 others; or
4 (iv) access the account in the presence of the employer in a manner
5 that enables the employer to observe the login information for or
6 content of the account; or
7 (b) take, or threaten to take, adverse action against an employee for
8 failure to comply with:
9 (i) an employer requirement, coercive action, or request that violates
10 paragraph (a) of this subdivision; or
11 (ii) an employer request under subparagraph (ii) of paragraph (a) of
12 this subdivision to add the employer to, or not remove the employer
13 from, the set of persons to which the employee grants access to the
14 content of a protected personal online account.
15 2. Nothing in subdivision one shall prevent an employer from:
16 (a) accessing information about an employee which is publicly avail-
17 able;
18 (b) complying with a federal or state law, court order, or rule of a
19 self-regulatory organization established by federal or state statute,
20 including a self-regulatory organization defined in section 3(a)(26) of
21 the securities and exchange act of 1934, 15 U.S.C. § 78c(a)(26); or
22 (c) requiring or requesting, based on specific facts about the employ-
23 ee's protected personal online account, access to the content of, but
24 not the login information for, the account in order to:
25 (i) ensure compliance, or investigate non-compliance, with federal or
26 state law or an employer prohibition against work-related employee
27 misconduct of which the employee has reasonable notice, which is in a
28 record, and which was not created primarily to gain access to a
29 protected personal online account; or
30 (ii) protect against a threat to safety, a threat to employer informa-
31 tion technology or communications technology systems or to employer
32 property, or disclosure of information in which the employer has a
33 proprietary interest or information the employer has a legal obligation
34 to keep confidential.
35 3. An employer that accesses employee content for a purpose specified
36 in paragraph (c) of subdivision two of this section:
37 (a) shall attempt reasonably to limit its access to content that is
38 relevant to the specified purpose;
39 (b) shall use the content only for the specified purpose; and
40 (c) may not alter the content unless necessary to achieve the speci-
41 fied purpose.
42 4. An employer that acquires the login information for an employee's
43 protected personal online account by means of otherwise lawful technolo-
44 gy that monitors the employer's network, or employer-provided devices,
45 for a network security, data confidentiality, or system maintenance
46 purpose:
47 (a) may not use the login information to access or enable another
48 person to access the account;
49 (b) shall make a reasonable effort to keep the login information
50 secure;
51 (c) unless otherwise provided in paragraph (d) of this subdivision,
52 shall dispose of the login information as soon as, as securely as, and
53 to the extent reasonably practicable; and
54 (d) shall, if the employer retains the login information for use in an
55 ongoing investigation of an actual or suspected breach of computer,
56 network, or data security, make a reasonable effort to keep the login
1 information secure and dispose of it as soon as, as securely as, and to
2 the extent reasonably practicable after completing the investigation.
3 § 967. Protection of student online accounts. 1. Subject to the
4 exceptions in subdivision two of this section, an educational institu-
5 tion may not:
6 (a) require, coerce, or request a student to:
7 (i) disclose the login information for a protected personal online
8 account;
9 (ii) disclose the content of the account, except that an educational
10 institution may request a student to add the educational institution to,
11 or not remove the educational institution from, the set of persons to
12 which the student grants access to the content;
13 (iii) alter the settings of the account in a manner that makes the
14 login information for or content of the account more accessible to
15 others; or
16 (iv) access the account in the presence of the educational institution
17 in a manner that enables the educational institution to observe the
18 login information for or content of the account; or
19 (b) take, or threaten to take, adverse action against a student for
20 failure to comply with:
21 (i) an educational institution requirement, coercive action, or
22 request, that violates paragraph (a) of this subdivision; or
23 (ii) an educational institution request under subparagraph (ii) of
24 paragraph (a) of this subdivision to add the educational institution to,
25 or not remove the educational institution from, the set of persons to
26 which the student grants access to the content of a protected personal
27 online account.
28 2. Nothing in subdivision one of this section shall prevent an educa-
29 tional institution from:
30 (a) accessing information about a student that is publicly available;
31 (b) complying with a federal or state law, court order, or rule of a
32 self-regulatory organization established by federal or state statute; or
33 (c) requiring or requesting, based on specific facts about the
34 student's protected personal online account, access to the content of,
35 but not the login information for, the account in order to:
36 (i) ensure compliance, or investigate non-compliance, with federal or
37 state law or an educational institution prohibition against education-
38 related student misconduct of which the student has reasonable notice,
39 which is in a record, and which was not created primarily to gain access
40 to a protected personal online account; or
41 (ii) protect against a threat to safety, a threat to educational
42 institution information technology or communications technology systems
43 or to educational institution property, or disclosure of information in
44 which the educational institution has a proprietary interest or informa-
45 tion the educational institution has a legal obligation to keep confi-
46 dential.
47 3. An educational institution that accesses student content for a
48 purpose specified in paragraph (c) of subdivision two of this section:
49 (a) shall attempt reasonably to limit its access to content that is
50 relevant to the specified purpose;
51 (b) shall use the content only for the specified purpose; and
52 (c) may not alter the content unless necessary to achieve the speci-
53 fied purpose.
54 4. An educational institution that acquires the login information for
55 a student's protected personal online account by means of otherwise
56 lawful technology that monitors the educational institution's network,
1 or educational institution-provided devices, for a network security,
2 data confidentiality, or system maintenance purpose:
3 (a) may not use the login information to access or enable another
4 person to access the account;
5 (b) shall make a reasonable effort to keep the login information
6 secure;
7 (c) unless otherwise provided in paragraph (d) of this subdivision,
8 shall dispose of the login information as soon as, as securely as, and
9 to the extent reasonably practicable; and
10 (d) shall, if the educational institution retains the login informa-
11 tion for use in an ongoing investigation of an actual or suspected
12 breach of computer, network, or data security, make a reasonable effort
13 to keep the login information secure and dispose of it as soon as, as
14 securely as, and to the extent reasonably practicable after completing
15 the investigation.
16 § 968. Civil action. 1. The attorney general may bring a civil action
17 against an employer or educational institution for a violation of this
18 article. A prevailing attorney general may obtain:
19 (a) injunctive and other equitable relief; and
20 (b) a civil penalty of up to one thousand dollars for each violation,
21 but not exceeding one hundred thousand dollars for all violations caused
22 by the same event.
23 2. An employee or student may bring a civil action against the indi-
24 vidual's employer or educational institution for a violation of this
25 article. A prevailing employee or student may obtain:
26 (a) injunctive and other equitable relief;
27 (b) actual damages; and
28 (c) costs and reasonable attorney's fees.
29 3. An action under subdivision one of this section does not preclude
30 an action under subdivision two of this section, and an action under
31 subdivision two of this section does not preclude an action under subdi-
32 vision one of this section.
33 4. This section does not affect a right or remedy available under law
34 other than this article.
35 § 969. Uniformity of application and construction. In applying and
36 construing the sections of this article, consideration must be given to
37 the need to promote uniformity of the law with respect to its subject
38 matter among states that enact it.
39 § 970. Relation to electronic signatures in global and national
40 commerce act. This article modifies, limits, or supersedes the electron-
41 ic signatures in global and national commerce act, 15 U.S.C. section
42 7001 et seq., but does not modify, limit, or supersede section 101(c) of
43 that act, 15 U.S.C. section 7001(c), or authorize electronic delivery of
44 any of the notices described in section 103(b) of that act, 15 U.S.C.
45 section 7003(b).
46 § 3. Effect of invalidity; severability. If any section, subdivision,
47 paragraph, sentence, clause, phrase or other portion of this act is, for
48 any reason, declared unconstitutional or invalid, in whole or in part,
49 by any court of competent jurisdiction, such portion shall be deemed
50 severable, and such unconstitutionality or invalidity shall not affect
51 the validity of the remaining portions of this act, which remaining
52 portions shall continue in full force and effect.
53 § 4. This act shall take effect immediately.