Introduction
In April 2012, Maryland became the first state in the nation to enact legislation restricting employers from asking prospective and current employees for access to password-protected material on their personal social media accounts. Since then, nine additional states have enacted such laws: Arkansas, California, Colorado, Illinois, Michigan, New Mexico, Oregon, Utah, and Washington. More than two dozen other states are considering similar legislation.
This movement to protect the privacy of employees’ personal social media accounts is occurring despite the lack of evidence of widespread abuses by employers. As discussed below, full consideration has not been given to the many special circumstances where heightened screening and monitoring of employees and job applicants has long been recognized.
Federal legislation is being considered as well. Meanwhile, the securities industry claims that many of the state laws conflict with securities firms’ obligations under federal law to monitor their representatives’ personal social media communications to ensure that they do not involve abusive sales practices.
Employers who want to review employees’ personal social media accounts must also take into account privacy requirements under common-law principles. This is particularly the case in states that have not enacted statutes in this area.
In short, the legal landscape is evolving, uncertain, and conflicting. This article reviews the new state laws, identifies the principal variances among them, and flags some of the key issues of interpretation and application that are bound to arise.
Enacted State Laws
The new state laws bear many common elements. They generally (1) bar employers from asking or requiring employees or job applicants to provide passwords for access to personal social media accounts; (2) bar any adverse action or retaliation by the employer, based on the employee’s or applicant’s refusal to provide such access; (3) enumerate a list of exceptions, which allow employers in certain circumstances to request or require employees to provide access, primarily involving investigations into employee misconduct; and (4) permit an employer to monitor social media communications on the employer’s system or devices or those available generally to the public.
There are, however, important differences among the new state laws. The states have not uniformly defined the scope of personal social media accounts that are subject to privacy protection. For example, most states’ laws extend protection to personal email accounts, but the Illinois statute expressly excludes email from such protection.
The scope of recognized exceptions also varies. The Illinois statute permits an employer to monitor usage of its own equipment and electronic mail system, but it does not contain exceptions relating to investigations into employee misconduct involving personal social media accounts. This appears to be an oversight that the Illinois legislature is working to correct through several proposed amendments.
Most states permit an employer to require employees to provide access to their personal social media accounts if the employer has separately obtained information about work-related misconduct on such accounts. However, the required amount of evidence to trigger this exception varies among states: in California and Arkansas, the employer must have a “reasonable belief” of misconduct; in Maryland, Colorado, and Washington, the employer must be in “receipt of information” of misconduct; and in Michigan, Oregon, and Utah, the employer must have “specific information” of misconduct.
New Mexico’s law extends its privacy protections only to job applicants, not current employees, and it does not apply to federal, state, or local law enforcement agencies. Utah also exempts employers who are screening applicants for a law enforcement position. Colorado generally exempts state and local law enforcement agencies from its statute.
Arkansas, Michigan, and Utah also carve out specific exceptions for companies that have obligations to screen and/or monitor employees established by federal law or a self-regulatory organization under the 1934 Securities and
Michigan, Utah, and Washington expressly provide a private right of action in the event of a violation, although the other states are silent on this point. However, the statutory penalty in Michigan is limited to $1,000 per occurrence, plus reasonable attorneys’ fees and costs. Utah limits an award to no more than $500 upon proof of a violation. Washington allows actual damages and reasonable attorneys’ fees, plus a penalty of $500. Although the damages recoverable in Michigan and Utah are relatively small in an individual plaintiff case, in the event of a class action lawsuit, damages can add up easily. Michigan also potentially subjects an employer to a misdemeanor fine of not more than $1,000. Colorado allows employees or applicants to file administrative complaints with a state agency.
Arkansas, California, Michigan, New Mexico, and Utah also have adopted similar policies applicable to inquiries made by colleges and universities to students or prospective students. Other states (including Oregon) are considering such measures, too.
Pending State Legislation
More than two dozen other states are considering similar legislation. Those efforts are cataloged on the National Conference of State Legislatures’ website.
Final approval of a law in New Jersey happened Aug. 28, with enactment to occur soon. Vermont has enacted a law providing for the establishment of a committee to study possible legislation, with participation from state legislators, state officials, and the American Civil Liberties Union. The committee’s recommendations are due by Jan. 15, 2014.
Common Questions About State Laws
The new state laws, and those that may yet be enacted, raise several questions.
How should employers address the lack of uniformity? Although the new state laws bear many similarities, there are material differences. Those employers with workers in only one state must simply comply with that one state’s privacy laws. However, those with employees in several states may face important variations. When hiring decisions are made in one state for positions in a different state, employers must also determine which state’s laws apply. These sources of complexity are likely to increase as the number of state statutes proliferates.
We expect that many employers will identify the most restrictive state law that applies to any area of their operations and apply that law for use in screening job applicants and supervising employees. Other employers will likely adopt policies banning all current employees’ use of personal social media sites for business purposes and then seek to avail themselves of applicable state-law exceptions on a case-by-case basis to probe suspected violations involving employee misconduct.
What is sufficient to trigger an investigation? As noted above, most states permit an employer to require employees to provide access to their personal social media accounts if the employer has separately received information about work-related misconduct on such accounts.
The state laws, however, are vague about the threshold of suspicion or proof that must be met before such access can be required by the employer. California, for example, requires only a “reasonable belief” that the personal social media account is “relevant to an investigation of allegations of employee misconduct.”
Can an employer demand access on the basis of an anonymous tip alone? Can the employer demand access to a specific employee’s social media account when there is only a reasonable suspicion that wrongdoing has occurred by someone among a large group of employees, with no specific grounds to suspect any one of them individually? These practical questions are ripe for litigation and await judicial interpretation. As a practical matter, the severity of the potential infraction is likely to drive employers’ determination of when to require access, particularly in states where the remedy for a violation is a low money payment or fine.
How does the federal Stored Communications Act affect the exceptions recognized in the state laws? The federal Stored Communications Act (SCA),
If this interpretation prevails generally, then the “right” of an employer recognized in some of the state statutes to “require” an employee to provide access to private social media accounts for the employer’s investigatory or monitoring purposes may collide with the Pietrylo prohibition on access obtained by coerced employee consent. Because federal law in the SCA would necessarily control under preemption principles, the exceptions in the state statutes may prove illusory if other courts follow Pietrylo and apply it broadly. In individual cases, however, employers may be able to rely on the defense, recognized in
Are the limited exceptions in the new state laws sufficient to protect public safety and important legal objectives? Many of the new state laws list very few circumstances in which employers are permitted to require access to employees’ or applicants’ personal social media accounts for general screening or monitoring purposes (such as for federal securities law compliance in Arkansas, Michigan, and Utah, and for screening law enforcement personnel in New Mexico and Utah).
Many industries involve employees who carry out sensitive responsibilities, however, and thus have traditionally been subject to more intrusive background checks or monitoring than other types of employees. These include public safety positions (e.g., police, security, or corrections guards; first responders); jobs involving vulnerable populations (e.g., child care workers, nursing home staff); and those responsible for major infrastructure facilities.
In addition, there are many situations in which an employer may have a reasonable interest in accessing an employee’s personal social media account, such as in the case of allegations of discrimination, sexual harassment, fraud, or embezzlement. It seems odd that certain states, such as Maryland, do not permit the employer to require an employee to provide access to a personal social media account in investigating such concerns, but they do permit such a requirement in the much narrower class of cases involving an investigation into violations of a “securities or financial law, or regulatory requirements.”
We therefore expect that the new state laws will be subject to multiple amendments as the need for additional exceptions comes to the fore with the light of experience. This is already occurring in Illinois.
What should employers do if they obtain access to an employee’s personal social media account by means other than a request to the employee? Under the SCA and common law privacy principles, employers should be cautious about using an employee’s password or other access information found on an employer-owned computer or network to gain unauthorized access to that employee’s private social media account. Such conduct involving emails has been found to violate the SCA.
An employer may receive a copy of an employee’s social media communications from another employee, or a third party, who has lawful access to the social media account, such as approved friends on Facebook. When the source of this information provides it on an unsolicited basis, the employer should be permitted to review it as long as it is not privileged. However, employers should be wary of requesting that other employees provide such information, lest the request be deemed “coercive” and thus a violation of the SCA as found by the court in Pietrylo.
Nothing in the new state laws prohibits employers from reviewing social media information in the public domain, including public-profile information collected by third-party vendors.
However, in the case of applicants for employment, the employee may have rights under the Federal Credit Reporting Act (FCRA) to have notice of such public profile information and an opportunity to correct it. An online data broker named Spokeo Inc. was forced to pay an $800,000 fine to the Federal Trade Commission in 2012 for not complying with FCRA while selling employee background checks that relied on unverified information obtained from job applicants’ social media accounts.
To what extent will the state laws limit access by law enforcement personnel to employees’ personal social media accounts? None of the enacted statutes prohibits law enforcement authorities from accessing employees’ personal social media accounts. However, in doing so, law enforcement authorities must comply with the constitutional and statutory restrictions on their investigatory activities.
What use can be made of information discovered by an employer during an investigation? When an employer conducts an investigation into a particular type of wrongdoing that is subject to a statutory exception (e.g., violation of securities laws in Maryland), the employer may find evidence of other wrongdoing. A similar circumstance occurred in City of Ontario v. Quon,
Most of the new state laws do not contain language that precludes an employer from disciplining a current employee based on social media communications revealing one type of misconduct discovered in the course of a permitted investigation into other types of conduct. The California and Arkansas laws, however, provide that social media information obtained from a permitted investigation may be used only for the purpose of that investigation and related proceedings, and not for other purposes.
However, the employer must still be mindful of legal restrictions that apply. For example, the National Labor Relations Board takes the position that an employer may not discipline employees for social media communications that involve in some way the terms and conditions of employment. The NLRB general counsel issued a memorandum in May 2012 summarizing its position.
Do the state laws preclude claims, or limit remedies, in private suits brought under common law privacy principles? Common law privacy principles also have been invoked to challenge employers’ efforts to access personal social media accounts or emails.
This will be significant in those states that have prescribed relatively low limits on damages (e.g., Michigan and Utah), as these limits would presumably displace any larger remedies that might have been available in common law privacy suits. In other states that did not expressly enact a private cause of action, it remains to be seen whether the state courts permit such private suits and, if so, whether they continue to allow common law privacy claims.
Pending Federal Legislation
Attempts are underway at the federal level to restrict employers from requesting social media user names and passwords.
A bill in committee in the House of Representatives (H.R. 537), the Social Networking Online Protection Act (SNOPA), would prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means of accessing a personal account on any social networking website. The bill was introduced by Rep. Eliot L. Engel (D-N.Y.), and it is still under consideration in committee. It largely mirrors the prohibitions of the state statutes but provides no exceptions. SNOPA, as proposed, would subject the employer to a civil penalty of not more than $10,000, which is significantly higher than the penalties set forth in the Michigan and Utah statutes.
Prior efforts to enact legislation at the federal level have failed.
Federal Securities Law
The Financial Industry Regulatory Authority (FINRA) is a securities industry self-regulatory body with responsibility for regulating more than 630,000 registered securities representatives. FINRA and several securities industry trade associations have expressed concern that the new raft of state laws will conflict with securities firms’ obligations under the federal securities laws and FINRA rules to monitor and retain records of their representatives’ communications with customers conducted through personal social media accounts. FINRA fears that the state laws, if followed by securities firms, may permit abuses in which representatives tout specific investment opportunities in improper and undocumented ways. FINRA’s policies on social media are contained in its Regulatory Notices No. 10-06 (issued in January 2010) and No. 11-39 (issued in August 2011), as well as in FINRA Rule 2210 (effective February 2013).
The securities industry has encouraged states to include in their new laws exceptions that would allow securities firms to monitor their representatives’ personal social media activity. Michigan, Arkansas, Utah, Oregon, and Washington permit compliance with monitoring requirements of a self-regulatory organization such as FINRA. The other state statutes do not permit securities firms to monitor their employees’ private social media accounts, except that access can be requested in most of the other states after the firm has received other information of misconduct that triggers its right to investigate private social media accounts.
So far, no conflict between a state statute and an obligation binding under the federal securities laws has reached the courts. In the event of an irreconcilable conflict, the federal requirements are likely to prevail under preemption principles.
Conclusion
As the number of moving parts in a machine grows, more things can go wrong. That maxim will probably apply to the new raft of state laws, as questions of interpretation and application proliferate. Employers, state governments and regulators, and courts will have to figure out how all these laws apply not only individually, but whether they can be harmonized with other laws, common law principles, and statutory requirements. The issues identified in this article are likely only the tip of the iceberg.
State Statutes
Arkansas
On April 22, Arkansas enacted a law restricting employers’ access to employees’ social media accounts. Ark. Code. Ann. § 11-2-124. The Arkansas statute specifically identifies as a “social media account” such popular websites as Facebook, Twitter, LinkedIn, Myspace, and Instagram, but it also includes any personal account with an electronic medium or service where users may create, share, or view user-generated content. Like the other states to pass such measures, Arkansas excludes company email accounts or software programs owned or operated exclusively by an employer.
The Arkansas statute prohibits employers from requiring current or prospective employees to disclose their user name or password for their personal accounts, friend the employer, or change the account’s privacy settings. The statute prohibits retaliation by the employer where an employee refuses to take such acts. In the event of inadvertent disclosure of the employee’s user name and password, the employer cannot use that information to gain access to the employee’s social media account. However, the employer can view information about the employee or applicant that is publicly available on the internet.
The Arkansas statute includes some key exceptions, including one for compliance with the requirements of federal, state, or local laws or rules of a self-regulatory organization (such as FINRA). Additionally, the employer can request access to the account if the employee’s social media account is “reasonably believed” to be relevant to a formal investigation or related proceeding into allegations of the employee’s violation of the law or the employer’s written policies. In that instance, the access can be used only for the purpose of the formal investigation or related proceeding.
California
California was one of the first states to prohibit employer access to employees’ social media accounts, with the passage of an amendment to the Labor Code Sept. 27, 2012. Cal. Lab. Code § 980. The California act defines “social media” broadly to mean an electronic service or account or electronic content, including videos, photographs, blogs, podcasts, instant and text messages, emails, online services accounts, or internet website profiles or locations.
California prohibits a private employer from requiring an employee or job applicant to disclose a social media user name and password. California contains an exception for employer investigations that are “reasonably believed” to be relevant to allegations of employee misconduct or employee violations of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding. The law also provides for employer access to employer-issued electronic devices. California also prohibits retaliation if the employee or applicant refuses to comply with a request by the employer that violates the law. California is considering a bill that would expand its law to cover public employers, although the bill is in committee.
Colorado
On May 11, the Colorado governor signed into law a new electronic privacy statute, to be codified at Colo. Rev. Stat. § 8-2-127. The Colorado statute does not apply to state or local law enforcement agencies (including corrections departments).
Otherwise, the law prohibits an employer from requiring employees or applicants to disclose their user name and password used to access a personal account or service through the employee’s or applicant’s electronic communications device. An employer also may not require an employee or applicant to add anyone to that person’s approved list of contacts on a social media site, or to require a change in privacy settings. The statute permits an employer to require disclosure of a user name and password that would access an employee’s nonpersonal accounts on the employer’s internal computer or information systems.
The statute carves out exceptions permitting an employer to conduct investigations (a) to ensure compliance with applicable securities or financial law or regulatory requirements based on the “receipt of information” about the use of a personal account for business purposes, or (b) to investigate “upon receipt of information” that an employee has improperly downloaded the employer’s proprietary information or financial information to a personal account.
An employee or applicant may file a complaint about violations with the Colorado Department of Labor and Employment, which is to investigate and issue findings after a hearing.
Illinois
Illinois amended the Right to Privacy in the Workplace Act effective Jan. 1, 2013, to prohibit employers from requesting that employees or applicants provide any password or account information that would allow access to their social networking profile or account. 820 Ill. Comp. Stat. 55/10. Employers may still create policies concerning the use of internet, email, and social networking sites at work, and may monitor the usage of the employer’s email system. Employers may also obtain information about employees or prospective employees that is publicly available.
The Illinois definition of social networking website expressly excludes email. Instead, a social networking website is defined as an internet-based service that allows individuals to construct a public or semipublic profile; create a list of other users with whom they share a connection; and view and navigate their list of connections and those made by others within the system.
Several bills are being considered that would amend the terms of the Illinois statute. The proposed amendments would create several exceptions permitting employer access to employer-owned devices or accounts, and would permit the company to request access to personal accounts where it has specific information about activity on an online account that might violate laws or regulations or constitute employee misconduct. The amendments also would permit an employer to take actions to comply with laws or rules of a self-regulatory organization.
Maryland
In May 2012, Maryland became the first state in the nation to pass a law that prohibits employers from asking job applicants or employees for access to their personal social media accounts. The legislation was prompted by reports that the Maryland Department of Corrections was requiring applicants for prison jobs to disclose their Facebook passwords so that the department could check them for gang relationships. In retrospect, the Department of Corrections’ concerns were not idle ones. In April 2013, 13 prison guards at a Baltimore prison were indicted for allowing gang members to smuggle drugs and cellphones into the prison, and four female guards were impregnated by an imprisoned gang leader.
The Maryland law, codified at Md. Code Ann., Lab. & Empl. § 3-712, states that “an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device.” It further prohibits an employer from refusing to hire “any applicant as a result of the applicant’s refusal to disclose” the password or user name information needed to access the personal account.
The Maryland law also protects persons, once employed, against discharge, discipline, or penalties (as well as threats of such action) for failure to provide information needed to access their social media accounts.
The law provides only two limited exceptions, both of which relate to current employees but not applicants. First, “based on the receipt of information about the use of a personal Web site” by an employee for “business purposes,” the employer may conduct an “investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.” Second, “based on the receipt of information about the [employee’s] unauthorized downloading of an employee’s proprietary information or financial data” onto an internet site, the employer may investigate the employee’s actions.
Employees are also subject to limitations. The Maryland statute prohibits an employee from downloading “unauthorized employer proprietary information or financial data to an employee’s personal Web site.” An employer may also require an employee to disclose any user name or password for accessing “nonpersonal accounts” or services that provide access to the employer’s internal computer or information systems.
The Maryland law does not specify whether a private cause of action exists for violations, or any penalty for violations.
Michigan
Effective Dec. 28, 2012, Michigan enacted the Internet Privacy Protection Act, Mich. Comp. Laws § 37.271 et seq., which similarly bars employers from requesting that employees or applicants grant access to, allow observation of, or disclose information from their personal internet account. “Personal internet account” means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data. It is unclear whether this definition includes personal email accounts, although the exceptions indicate that it may.
The Michigan statute contains a long list of exceptions, which narrow its impact. The employer may still require an employee to disclose access to an electronic communications device or account paid for or provided by the employer or used for the employer’s business purposes. The employer may discipline or discharge an employee for the unauthorized transmission of the employer’s proprietary or confidential information or computer data to the employee’s personal internet account. The employer may conduct an investigation if there is specific information about misconduct on the employee’s personal internet account, or if the employer has specific information about an unauthorized transfer of the employer’s proprietary or confidential information. Additionally, the employer may restrict access to websites while using an employer’s network, and may monitor, access, or review electronic data stored on a device paid for by the employer or traveling through the employer’s network. The employer can also screen employees or applicants prior to hiring or monitor or retain employee communications pursuant to federal law or FINRA. Finally, the employer can still view information available in the public domain.
A violation of the statute subjects the employer to a misdemeanor fine of not more than $1,000. It also creates a private right of action permitting the employee or applicant to seek an injunction and recover not more than $1,000 in damages, plus reasonable attorneys’ fees and costs. Sixty days prior to filing a civil action for money damages, the employee or applicant must make a written demand to the employer for not more than $1,000.
New Mexico
On April 5, New Mexico’s governor signed into law a statute (S.B. 371) that prohibits an employer from requesting or requiring a job applicant to provide a password to gain access to the applicant’s account or profile on a social networking website, or to demand access to such a website. The law does not apply to federal, state, or local law enforcement agencies, including their background checks for employment. No Social Media Access for Employers, S.B. 371, 51st Leg., 1st Sess. (N.M. 2013). The law took effect June 14, 2013. New Mexico’s law does not prohibit an employer from obtaining information about a job applicant that is in the public domain. Thus, an employer can look at an applicant’s profile available to the general public on a social media website.
This law does not apply to employers’ requests for access to their current employees’ social media accounts. Nor does it restrict an employer from monitoring employees’ usage of the employer’s electronic mail system.
Oregon
On May 22, Oregon enacted H.B. 2654, 77th Leg. (Or. 2013) (to be codified at Or. Rev. Stat. ch. 659A). Subject to exceptions, the Oregon statute, effective Jan. 1, 2014, makes it unlawful for an employer to require or request an employee or job applicant to disclose a password or provide access to a personal social media account, and prohibits adverse action based on an employee’s or applicant’s refusal to provide such access. On the other hand, an employer cannot be held liable by a third party (as in negligence lawsuits) for its failure to request or require disclosure of such information.
The Oregon law provides several exceptions. A broad exception excludes requests needed to comply with “state and federal laws, rules and regulations and the rules of self-regulatory organizations.” Another exception permits an employer to require employees to disclose passwords or other means needed to access social media accounts “provided by, or on behalf of, the employer or to be used on behalf of the employer.”
The Oregon law permits an employer to require that employees “share content” from a personal social media account in connection with an investigation aimed at “ensuring compliance with applicable laws, regulatory requirements or prohibitions against work-related employee misconduct,” provided that the employer has received “specific information” about activity on such an account. However, the employee cannot be required to provide a user name, password, or other means for the employer to directly access the account on its own.
The new Oregon law does not address private causes of action for violation of the new prohibitions. However, the Oregon legislature is considering a bill to provide such a remedy.
Utah
On March 26, Utah’s governor signed into law the Utah Internet Employment Privacy Act, Utah Code Ann. 34-48-102 et seq.
This act prohibits an employer from requesting or requiring that an employee, or an applicant for employment, provide a password that allows access to a personal internet account, or from taking any adverse action (including failure to hire) for not disclosing such a password. The law does not apply to information in the public domain or that can be accessed by the employer without employee-provided passwords.
The statute, however, permits an employer to demand access to an employee’s personal internet account in a variety of situations. Foremost among these are investigations intended to ensure compliance with laws, regulatory requirements, or prohibitions against work-related employee misconduct, or unauthorized transfers of the employer’s proprietary data, provided that “there is specific information about activity on the employee’s personal Internet account” that is relevant.
In addition, the statute does not prohibit an employer from complying with any duty to screen employees or applicants before hiring, or to monitor or retain employee’s communications, established by federal law, by a self-regulatory organization under the 1934 Securities and
The act establishes a private right of action for violations, with an award of no more than $500 upon proof of a violation.
Washington
On May 21, Washington’s governor signed into law Substitute Senate Bill 5211 (Ch. 330, Laws of 2013), effective July 28, 2013. Generally, the statute prohibits employers from requesting, requiring, or coercing job applicants or employees to provide access to private social media accounts, or from taking any adverse action against people who refuse to provide such access.
The exceptions to this prohibition include the circumstance where the employer asks the employee to “share content” of a personal social media account while undertaking an investigation in response to “receipt of information” to ensure compliance with laws and prohibitions against work-related misconduct, or to investigate an “allegation” of an unauthorized transfer of the employer’s proprietary or financial information. Even in the case of such an investigation, the employer may only require the sharing of content and may not request or require that the employee provide login information.
Other exceptions permit an employer to require access needed to comply with the requirements of state or federal statutes, rules, “case law,” or rules of self-regulatory organizations. An employer also may demand access to an online account paid for by the employer or to an employer-provided account or service.
The Washington statute provides a private cause of action to employees or applicants, and allows for the award of actual damages, a penalty of $500, injunctive relief, and reasonable attorneys’ fees and costs. However, the statute also authorizes courts to award employers their reasonable attorneys’ fees and expenses upon a court finding that a lawsuit was frivolous.