With the potential “tendency of many to ‘overshare,’ documenting everything from their breakfast to their favorite Marvel villain” on social media, as recognized in at least one court opinion[1], perhaps unsurprisingly, some employers might consider social media to be a valuable source for insight about applicants or employees.  Assembly Bill A836/Senate Bill S2518A (the “Personal Accounts Law”), signed into law by Governor Kathy Hochul on September 14, 2023, however, will soon place new limits on New York employers that seek access to an employee’s or applicant’s “personal account,” such as an account on a social media or messaging platform.  After attempts to pass versions of this bill failed in prior legislative sessions, New York joins numerous other states, including California, Connecticut, Illinois, Michigan, and New Jersey, that have passed laws regulating access to employees’ and applicants’ social media and/or other personal accounts—some of which are now more than a decade old.  

Under the Personal Accounts Law, a covered employer[2] may not request, require, or coerce an applicant or employee to: (a) disclose “authentication information,” including a password or username and password, “for accessing a personal account through an electronic communications device”; (b) access a personal account in the employer’s presence; or (c) reproduce information “contained within a personal account obtained by the means prohibited” in the Personal Accounts Law.  An employer also may not refuse to hire an applicant or “discharge, discipline, or otherwise penalize” an employee for failing or refusing to disclose such information or provide such access and may not threaten to do so.  That an employer acted to comply with a federal, state, or local law’s requirements “shall be an affirmative defense to an action” under the Personal Accounts Law.  

An employer may require an employee to disclose “means for accessing nonpersonal accounts that provide access to the employer’s internal computer or information systems.”  Moreover, under the Personal Accounts Law, “access” will not preclude an applicant or employee from “voluntarily adding an employer, agent of the employer, or employment agency” to the contact list “associated with a personal internet account.” 

The Personal Accounts Law will not apply if the employee or applicant uses the account or profile, in whole or in part, for business purposes because an employee’s or applicant’s “personal account” is defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content” that is used “exclusively for personal purposes.”  

Furthermore, the Personal Accounts Law expressly identifies five scenarios that it does not prohibit:

  1. Prior Notice: As long as the employer provided “prior notice of the employer’s right to request or require such access information,” an employer may request or require an employee to disclose access information to an employer-provided account that is used “for business purposes” (e.g., a work email account).
  2. Business Purposes: An employer may request or require that an employee provide access information to an account that the employer knows is used “for business purposes.”
  3. Employer-Funded Devices: An employer may access an “electronic communications device” or “any device that uses electronic signals to create, transmit, and receive information, including, but not limited to[,] computers, telephones, personal digital assistants and other similar devices” (e.g., a smartphone or laptop) where the employer paid for it in whole or in part, provided that “the provision of or payment for such electronic communications device was conditioned on the employer’s right to access such device” and provided that the employee received prior notice of, and “explicitly agreed to,” the conditions.  Nonetheless, an employer still may not access a “personal account” (e.g., a social media account that meets the definition) on such an employer-funded device unless another exception applies.
  4. Court Order: If a court order so requires, an employer may obtain or provide information from, or access to, an employee’s accounts.
  5. Firewalls: An employer may restrict or prohibit access to certain websites—for example, social media websites—when the employee is using an employer’s network or using an employer-funded device if “the provision of or payment for such electronic communications device was conditioned on the employer’s right to restrict such access” and the employee received prior notice of, and “explicitly agreed to,” the conditions.

The Personal Accounts Law contains several additional exemptions for employers: 

  • Employers are not prohibited “from complying with a duty to screen” applicants or employees, or “to monitor or retain employee communications,” imposed by federal law or a self-regulatory organization, as defined by the Securities Exchange Act of 1934, 15 U.S.C. 78c(a)(26), such as the Financial Industry Regulatory Authority.
  • The Personal Accounts Law specifically exempts accessing, viewing, and utilizing public information about an applicant or employee or information that can be obtained without “access information.”
  • In the context of an investigation, employers are not prohibited from accessing information including messages, photographs, and video, that another employee, a client, or other third party voluntarily shared, where the employee subject to such an investigation “has voluntarily given access to” such third party.

Although the Personal Accounts Law will not become effective until March 12, 2024, employers should begin reviewing their personnel policies and handbooks to ensure that BYOD (i.e., bring-your-own-device) policies; electronic communications policies, including social media and email; and related policies are clear and compliant.  Employers should also examine their practices and procedures that the Personal Accounts Law could implicate, including those related to the recruiting and hiring process and to certain functions (e.g., social media marketing).  As appropriate, employers should consider including a discussion of these policies, practices, and procedures in employee trainings, especially for managers, supervisors, and others involved in the hiring process.       

Daniel J. Glicker, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this blog post.

[1] Allen v. PPE Casino Resorts Maryland, LLC, 543 F. Supp. 3d 91, 92 (D. Md. 2021).

[2] “‘Employer’ means (i) a person or entity engaged in a business, industry, profession, trade or other enterprise in the state; (ii) the state of New York; (iii) a county, city, town, village or any other political subdivision or civil division of the state; (iv) a school district or any government entity operating a public school, college, or university; (v) a public improvement or special district; (vi) a public authority, commission or public benefit corporation; or (vii) any other public corporation, agency, instrumentality or unit of government which exercises governmental power under the laws of the state; and (viii) shall include an agent, representative or designee of the employer.”  The Personal Accounts Law will not apply “to any law enforcement agency, a fire department or a department of corrections and community supervision.” 

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.