Social-Media Privacy and Protection Laws

Pinterest LinkedIn Tumblr +

Given the prolific use of social media, many employers believe they have a duty to monitor an employee’s or applicant’s personal social-media use to protect confidential and proprietary information, monitor workplace conduct, or evaluate potential candidates for employment. Although having access to information can help validate an employer’s decision, such as in the case Jaszczyszyn v. Advantage Health Physician Network, 1 where the Sixth Circuit Court of Appeals affirmed an employer’s decision to terminate an employee for abusing Family Medical Leave Act (FMLA) leave based, in part, on Facebook photos published by the employee, access to personal social-media accounts raises significant privacy concerns. For instance, in Pietrylo v. Hillstone Restaurant Group, 2 an employer was found in violation of the federal Stored Communications Act as well as state privacy laws when a manager obtained an employee log-in and password and accessed an employee’s password-protected MySpace page.

SCOPE OF PROHIBITED EMPLOYER CONDUCT

This section highlights state legislation that has been enacted to restrict employers’ access to employees’ social-media accounts.

Maryland: On May 2, 2012, Maryland became the first state to enact legislation restricting employer access to employee social-media accounts.5 The law became effective October 1, 2012, and prohibits an employer from requesting or requiring that an employee or applicant disclose a user name, password, or other access information to a personal account or service through an electronic-communications device, defined to mean any device that uses electronic signals to create, transmit, and receive information (e.g., computers, telephones, personal digital assistants, and other similar devices).

Illinois: On August 12, 2012, Illinois amended its Right to Privacy in the Workplace Act,6 which became effective on January 1, 2013. Illinois’s amended law prohibits an employer from  requesting or requiring any employee or applicant to provide any password or other related account information in order to gain access to the individual’s social-networking website account or profile or demanding access in any manner to an employee’s or applicant’s social-networking website account or profile.

California: In September 2012, California’s governor signed into law AB 1844, Employer Use of Social Media.7 Effective January 1, 2013, this law amends California’s labor code to prohibit employers from requiring or requesting an employee or applicant to disclose a user name or password for the purpose of accessing personal social media; access personal social media in the presence of the employer; or divulge any personal social media. Social media is defined as an electronic service or account, or electronic content (e.g., videos, still photographs, blogs, video blogs, podcasts, instant and text messages, e-mail, online services or accounts, or Internet website profiles or locations).

Michigan: Effective December 28, 2012, Michigan’s Internet Privacy Protection Act ,8 not only prohibits employers from requesting that an employee or applicant grant access to the employee’s or applicant’s personal Internet account, but it also prohibits employers from requesting that an employee or applicant allow observation of or disclose information that allows access to an employee’s or applicant’s personal Internet account.

Utah: Utah’s Internet Employment Privacy Act,9 effective May 14, 2013, prohibits an employer from requesting an employee or an applicant to disclose a user name and password, or a password that allows access to the employee’s or applicant’s personal Internet account. A personal Internet account is defined as an online account used exclusively for personal communications, unrelated to any business purpose of the employer.

New Mexico: Unlike other states, New Mexico’s law regarding social-networking accounts is limited to applicants for employment only.10 Enacted on April 5, 2013, New Mexico’s law went into effect on June 14, 2013, and provides that an employer may not request or require an applicant to provide a password for or demand access in any manner to the applicant’s account or profile on a social-networking website.

Arkansas: On April 23, 2013, Arkansas enacted a law11 providing that an employer may not require, request, suggest, or cause a current or prospective employee todisclose access information (e.g., user name and password) to his or her social-media account; add (e.g., “friend”) an employee, supervisor, or administrator to the list of contacts associated with his or her social-media account; or change the privacy settings associated with his or her social-media account.

Colorado: Effective May 11, 2013, Colorado’s social-media privacy law12 provides that employers are prohibited from suggesting, requesting, or requiring an employee or applicant to disclose or causing an employee or applicant to disclose user name, password, or other personal access information utilized to access the employee’s or applicant’s personal account or service through a personal electronic communications device; compelling an employee or applicant to add (i.e., “friend”) anyone, including the employer or its agents, to the employee’s or applicant’s list of contacts associated with a social-media account; or requiring, requesting, suggesting, or causing an employee to change the privacy settings associated with a social-networking account.

Oregon: On May 22, 2013, Oregon’s governor signed House Bill 265413 into law. Effective January 1, 2014, the law prohibits employers from requiring or requesting an employee or applicant to disclose or to provide access to a personal social-media account through the employee’s or applicant’s user name, password, or other means of authentication and/or compelling an employee or applicant to add the employer or an employment agency to the employee’s or applicant’s list of contacts associated with a social-media website.

Washington: On May 22, 2013, Washington’s governor signed S.B. 521114 into law. Effective July 28, 2013, this law provides that an employer may not request, require, or otherwise coerce an employee or applicant to disclose log-in information for the employee’s or applicant’s personal social-networking account; request, require, or otherwise coerce an employee or applicant to access his or her personal social-networking account in the employer’s presence in a manner that enables the employer to observe the contents of the account; compel or coerce an employee or applicant to add a person, including the employer, to the list of contacts associated with the employee’s or applicant’s personal social-networking account; or request, require, or cause an employee or applicant to alter the settings on his or her personal social-networking account that affect a third party’s ability to view the contents of the account.

Vermont: On June 3, 2013, Vermont enacted a social-networking privacy law,15 effective as of July 1, 2013. The law provides that an employer shall not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device; or  take an action that permits the employer to gain access to the employee’s or applicant’s account or profile on a social-networking service if that information is not available to the general public.

Nevada: On June 13, 2013, Nevada became the most recent state to enact a law limiting employers’ access to employees’ personal social-media accounts. Effective October 1, 2013, this law16 prohibits employers from directly or indirectly requiring, requesting, suggesting, or causing an employee or applicant to disclose a user name, password, or other access information to his or her personal social-media account.

PERMITTED ACCESS TO EMPLOYER-PAID OR EMPLOYER-PROVIDED COMPUTER SYSTEMS OR ELECTRONIC DEVICES

Many of the state laws contain exceptions to prohibited conduct as well as highlight certain permitted conduct. Colorado, Maryland, Vermont, Nevada, and Washington permit an employer to require an employee to provide user name, password, or account-access information for non personal accounts to enable the employer to have access to its own computer or information system. California’s law permits this access in connection with employer-issued devices, and Oregon, Michigan, and Utah permit access more broadly, focusing not just on employer-issued devices and accounts, but those used on behalf of the employer or for business purposes.

Exceptions Related to Information in the Public Domain

The laws in Arkansas, Illinois, Oregon, Michigan, New Mexico, Utah, and Vermont all contain similar provisions confirming that employers are not prohibited from accessing information that is in the public domain or publicly available.

EMPLOYER PROTECTIONS: The laws in Oregon and Utah each similarly provide that an employer will not be liable for failing to require or request that an employee or applicant provide account-access information, permit observation, or disclose information permitting access to an employee’s or applicant’s personal social-media accounts. Michigan’s and Utah’s laws both declare that an employer does not have a duty to search or monitor the use of a personal Internet account.

COMPLIANCE CONSIDERATIONS: Employers operating in states with social-media privacy laws must consider the impact on the hiring process. In many instances, it will be impermissible for an employer to request or require an applicant to provide account access information or even content from a personal social-media account or service. A safer approach is to limit social-media background checks of applicants to information that is publicly available without the requirement of user or password information.

Author: Linda B. Hollinshead

Share.

Leave A Reply

one × 5 =

2021 © supplementdevotee.com