Whether Employers Like It or Not, Social Media Privacy Laws Are Catching Fire

Author: Beth P. Zoller, XpertHR Legal Editor

Whether employers like it or not, social media privacy laws are the latest trend in protecting employee privacy. A handful of state legislatures have enacted laws prohibiting employers from requesting or requiring that employees and applicants provide access to personal internet accounts and social media websites. The federal government and other states have proposed similar laws. The underlying purpose of this legislation is to prevent employers from obtaining information about individuals' private and personal off-duty activities and associations, which could form the basis for an adverse employment action and lead to discrimination and/or harassment claims. In light of these new and proposed laws, it is imperative that employers revisit their employment policies and practices.

State Measures Pending and Passed

In 2012, a number of state legislatures either proposed or passed measures that explicitly protect employee privacy in social media use and prohibit employers from requesting or requiring that employees provide their social media passwords and account information. Earlier in the year, California, Illinois, and Maryland enacted such laws. The Maryland law took effect in October 2012. The Illinois and California laws took effect January 1, 2013. In November 2012, the New Jersey Senate passed such a measure, which should soon be signed by Governor Chris Christie. Various other measures seeking to protect social media privacy have been proposed by legislators in Massachusetts, Missouri, Ohio, and South Carolina.

On December 28, 2012, Michigan Governor Rick Snyder signed the Internet Privacy Protection Act, which specifically bans employers from requesting or requiring that employees or applicants grant access to, allow observation of or disclose information that allows access to or observation of personal internet accounts. +2011 Bill Text MI H.B. 5523; +2011 Bill Tracking MI H.B. 5523. The law took effect immediately. A personal internet account refers to an account with an internet-based service such as Facebook, Twitter, Gmail, etc. Further, the Michigan law prohibits employers from terminating, disciplining, failing to hire or penalizing an individual who refuses to provide such information.

The Michigan law is notable as it is much more detailed than some of the other state laws, and contains several exceptions clearly intended to shield employers from liability and protect employers in certain situations. For example, the law does not prohibit employers from requesting social media passwords and account information:

When an employee misappropriates or transfers the employer's "proprietary or confidential information or financial data";
When an account or service is provided by the employer and obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes;
When the employer pays for the communications device in whole or in part;
In the course of conducting a workplace investigation, if the employer has specific information about activity or misconduct on the employee's personal internet account; or
When the employer is monitoring, reviewing or accessing electronic data stored on an electronic communications device paid for by the employer or traveling through the employer's network.

An employer that violates Michigan's new law will be guilty of a misdemeanor and fined not more than $1,000. Individuals may bring a civil action to stop the employer from continuing to violate the law if they serve the employer with a written demand of the alleged violation and include reasonable documentation. In a civil action, an individual may recover not more than $1,000 in damages plus reasonable attorneys' fees and court costs. An employer may defend against such an action if it acted to comply with federal or state law requirements.

Federal Legislation Pending

On the federal level, two bills have been introduced in the US Congress addressing privacy rights in personal internet accounts and social media websites: the Social Networking Online Protection Act (SNOPA), introduced in the House in April 2012, and the Password Protection Act of 2012 (PPA), introduced both in the House and Senate in May 2012.

Specifically, SNOPA would prohibit employers from requiring or requesting that an employee or applicant for employment provide a user name, password or any other means for accessing the employee's or applicant's private email or social networking account. +2012 H.R. 5050; +2012 Bill Tracking H.R. 5050.

The PPA would prohibit employers from requiring or requesting log-in credentials of the and also would prohibit employers from compelling or coercing employees and applicants to provide access to--and subsequently retrieving information from--the online servers on which private user information is stored, if the user secures that information against general public access. +2012 S. 3074; +2012 Bill Tracking S. 3074.

It remains to be seen whether this legislation will advance when the new Congress is sworn in and a new Congressional term begins in January 2013.

Advice for Employers

As a result of these new laws, employers in states such as California, Illinois and Michigan, should immediately review and revise their social media policies to comply with the new restrictions. Further, employers should make sure to train all supervisors and those with hiring responsibilities on the new legal requirements and explicitly prohibit them from requesting that employees and applicants provide user names and passwords to social media websites. Additionally, in states in which measures have been proposed and on the federal level, employers should pay close attention to any legislative movement that would require changes in the employer's policy and practices.