Proceed at Your Peril: Questions Abound With New State Laws Restricting Employer Access to Employees’ Personal Social Media Accounts
By Daniel I. Prywes and Jena M. Valdetero, Bryan Cave LLP
In April 2012, Maryland became the first state in the nation to enact legislation restricting employers from asking prospective and current employees for access to password-protected material on their personal social media accounts. Since then, nine additional states have enacted such laws: Arkansas, California, Colorado, Illinois, Michigan, New Mexico, Oregon, Utah, and Washington. More than two dozen other states are considering similar legislation.
This movement to protect the privacy of employees’ personal social media accounts is occurring despite the lack of evidence of widespread abuses by employers. As discussed below, full consideration has not been given to the many special circumstances where heightened screening and monitoring of employees and job applicants has long been recognized.
Federal legislation is being considered as well. Meanwhile, the securities industry claims that many of the state laws conflict with securities firms’ obligations under federal law to monitor their representatives’ personal social media communications to ensure that they do not involve abusive sales practices.
Employers who want to review employees’ personal social media accounts must also take into account privacy requirements under common-law principles. This is particularly the case in states that have not enacted statutes in this area.
In short, the legal landscape is evolving, uncertain, and conflicting. This article reviews the new state laws, identifies the principal variances among them, and flags some of the key issues of interpretation and application that are bound to arise.
Enacted State Laws
The new state laws bear many common elements. They generally (1) bar employers from asking or requiring employees or job applicants to provide passwords for access to personal social media accounts; (2) bar any adverse action or retaliation by the employer, based on the employee’s or applicant’s refusal to provide such access; (3) enumerate a list of exceptions, which allow employers in certain circumstances to request or require employees to provide access, primarily involving investigations into employee misconduct; and (4) permit an employer to monitor social media communications on the employer’s system or devices or those available generally to the public.
There are, however, important differences among the new state laws. The states have not uniformly defined the scope of personal social media accounts that are subject to privacy protection. For example, most states’ laws extend protection to personal email accounts, but the Illinois statute expressly excludes email from such protection.
The scope of recognized exceptions also varies. The Illinois statute permits an employer to monitor usage of its own equipment and electronic mail system, but it does not contain exceptions relating to investigations into employee misconduct involving personal social media accounts. This appears to be an oversight that the Illinois legislature is working to correct through several proposed amendments.
Most states permit an employer to require employees to provide access to their personal social media accounts if the employer has separately obtained information about work-related misconduct on such accounts. However, the required amount of evidence to trigger this exception varies among states: in California and Arkansas, the employer must have a “reasonable belief” of misconduct; in Maryland, Colorado, and Washington, the employer must be in “receipt of information” of misconduct; and in Michigan, Oregon, and Utah, the employer must have “specific information” of misconduct.
New Mexico’s law extends its privacy protections only to job applicants, not current employees, and it does not apply to federal, state, or local law enforcement agencies. Utah also exempts employers who are screening applicants for a law enforcement position. Colorado generally exempts state and local law enforcement agencies from its statute.
Arkansas, Michigan, and Utah also carve out specific exceptions for companies that have obligations to screen and/or monitor employees established by federal law or a self-regulatory organization under the 1934 Securities and Exchange Act (like the Financial Industry Regulatory Authority, discussed below). Despite intensive efforts, the securities industry was unsuccessful in having a similar exception included in the new California statute. In Washington, the statute provides a broader exception stating that nothing in the law prevents an employer from “complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations.” Oregon has a similar exception.
Michigan, Utah, and Washington expressly provide a private right of action in the event of a violation, although the other states are silent on this point. However, the statutory penalty in Michigan is limited to $1,000 per occurrence, plus reasonable attorneys’ fees and costs. Utah limits an award to no more than $500 upon proof of a violation. Washington allows actual damages and reasonable attorneys’ fees, plus a penalty of $500. Although the damages recoverable in Michigan and Utah are relatively small in an individual plaintiff case, in the event of a class action lawsuit, damages can add up easily. Michigan also potentially subjects an employer to a misdemeanor fine of not more than $1,000. Colorado allows employees or applicants to file administrative complaints with a state agency.
Arkansas, California, Michigan, New Mexico, and Utah also have adopted similar policies applicable to inquiries made by colleges and universities to students or prospective students. Other states (including Oregon) are considering such measures, too.
Pending State Legislation
More than two dozen other states are considering similar legislation. Those efforts are cataloged on the National Conference of State Legislatures’ website.
Final enactment of a law in New Jersey is expected soon (12 PVLR 840, 5/13/13). Vermont has enacted a law providing for the establishment of a committee to study possible legislation, with participation from state legislators, state officials, and the American Civil Liberties Union (see related report). The committee’s recommendations are due by Jan. 15, 2014.
Common Questions About State Laws
The new state laws, and those that may yet be enacted, raise several questions.
How should employers address the lack of uniformity? Although the new state laws bear many similarities, there are material differences. Those employers with workers in only one state must simply comply with that one state’s privacy laws. However, those with employees in several states may face important variations. When hiring decisions are made in one state for positions in a different state, employers must also determine which state’s laws apply. These sources of complexity are likely to increase as the number of state statutes proliferates.
We expect that many employers will identify the most restrictive state law that applies to any area of their operations and apply that law for use in screening job applicants and supervising employees. Other employers will likely adopt policies banning all current employees’ use of personal social media sites for business purposes and then seek to avail themselves of applicable state-law exceptions on a case-by-case basis to probe suspected violations involving employee misconduct.
What is sufficient to trigger an investigation? As noted above, most states permit an employer to require employees to provide access to their personal social media accounts if the employer has separately received information about work-related misconduct on such accounts.
The state laws, however, are vague about the threshold of suspicion or proof that must be met before such access can be required by the employer. California, for example, requires only a “reasonable belief” that the personal social media account is “relevant to an investigation of allegations of employee misconduct.”
Can an employer demand access on the basis of an anonymous tip alone? Can the employer demand access to a specific employee’s social media account when there is only a reasonable suspicion that wrongdoing has occurred by someone among a large group of employees, with no specific grounds to suspect any one of them individually? These practical questions are ripe for litigation and await judicial interpretation. As a practical matter, the severity of the potential infraction is likely to drive employers’ determination of when to require access, particularly in states where the remedy for a violation is a low money payment or fine.
How does the federal Stored Communications Act affect the exceptions recognized in the state laws? The federal Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq., generally prohibits anyone from obtaining unauthorized access to a person’s private social media account. It has been interpreted by one court to prohibit not only unauthorized access, but also an employer’s actions in coercing an employee to provide access when the employee fears that his or her lack of consent will have adverse employment consequences.1
If this interpretation prevails generally, then the “right” of an employer recognized in some of the state statutes to “require” an employee to provide access to private social media accounts for the employer’s investigatory or monitoring purposes may collide with the Pietrylo prohibition on access obtained by coerced employee consent. Because federal law in the SCA would necessarily control under preemption principles, the exceptions in the state statutes may prove illusory if other courts follow Pietrylo and apply it broadly. In individual cases, however, employers may be able to rely on the defense, recognized in 18 U.S.C. § 2707(e)(1), that they had a good-faith belief that their action in requiring an employee to provide access was legislatively authorized.
Are the limited exceptions in the new state laws sufficient to protect public safety and important legal objectives? Many of the new state laws list very few circumstances in which employers are permitted to require access to employees’ or applicants’ personal social media accounts for general screening or monitoring purposes (such as for federal securities law compliance in Arkansas, Michigan, and Utah, and for screening law enforcement personnel in New Mexico and Utah).
Many industries involve employees who carry out sensitive responsibilities, however, and thus have traditionally been subject to more intrusive background checks or monitoring than other types of employees. These include public safety positions (e.g., police, security, or corrections guards; first responders); jobs involving vulnerable populations (e.g., child care workers, nursing home staff); and those responsible for major infrastructure facilities.
In addition, there are many situations in which an employer may have a reasonable interest in accessing an employee’s personal social media account, such as in the case of allegations of discrimination, sexual harassment, fraud, or embezzlement. It seems odd that certain states, such as Maryland, do not permit the employer to require an employee to provide access to a personal social media account in investigating such concerns, but they do permit such a requirement in the much narrower class of cases involving an investigation into violations of a “securities or financial law, or regulatory requirements.”
We therefore expect that the new state laws will be subject to multiple amendments as the need for additional exceptions comes to the fore with the light of experience. This is already occurring in Illinois.
What should employers do if they obtain access to an employee’s personal social media account by means other than a request to the employee? Under the SCA and common law privacy principles, employers should be cautious about using an employee’s password or other access information found on an employer-owned computer or network to gain unauthorized access to that employee’s private social media account. Such conduct involving emails has been found to violate the SCA.2 The Arkansas law expressly prohibits an employer from using such password information to access the employee’s account.
An employer may receive a copy of an employee’s social media communications from another employee, or a third party, who has lawful access to the social media account, such as approved friends on Facebook. When the source of this information provides it on an unsolicited basis, the employer should be permitted to review it as long as it is not privileged. However, employers should be wary of requesting that other employees provide such information, lest the request be deemed “coercive” and thus a violation of the SCA as found by the court in Pietrylo.
Nothing in the new state laws prohibits employers from reviewing social media information in the public domain, including public-profile information collected by third-party vendors.
However, in the case of applicants for employment, the employee may have rights under the Federal Credit Reporting Act (FCRA) to have notice of such public profile information and an opportunity to correct it. An online data broker named Spokeo Inc. was forced to pay an $800,000 fine to the Federal Trade Commission in 2012 for not complying with FCRA while selling employee background checks that relied on unverified information obtained from job applicants’ social media accounts.3
To what extent will the state laws limit access by law enforcement personnel to employees’ personal social media accounts? None of the enacted statutes prohibits law enforcement authorities from accessing employees’ personal social media accounts. However, in doing so, law enforcement authorities must comply with the constitutional and statutory restrictions on their investigatory activities.
What use can be made of information discovered by an employer during an investigation? When an employer conducts an investigation into a particular type of wrongdoing that is subject to a statutory exception (e.g., violation of securities laws in Maryland), the employer may find evidence of other wrongdoing. A similar circumstance occurred in City of Ontario v. Quon, 130 S. Ct. 2619 (2010) (9 PVLR 893, 6/21/10), where an internal police review of expenses for a paging system led to evidence of sexually explicit messages.
Most of the new state laws do not contain language that precludes an employer from disciplining a current employee based on social media communications revealing one type of misconduct discovered in the course of a permitted investigation into other types of conduct. The California and Arkansas laws, however, provide that social media information obtained from a permitted investigation may be used only for the purpose of that investigation and related proceedings, and not for other purposes.
However, the employer must still be mindful of legal restrictions that apply. For example, the National Labor Relations Board takes the position that an employer may not discipline employees for social media communications that involve in some way the terms and conditions of employment. The NLRB general counsel issued a memorandum in May 2012 summarizing its position (11 PVLR 888, 6/4/12).
Do the state laws preclude claims, or limit remedies, in private suits brought under common law privacy principles? Common law privacy principles also have been invoked to challenge employers’ efforts to access personal social media accounts or emails.4 The new state statutes will presumably displace the application of these privacy principles to topics expressly covered in the statutes.
This will be significant in those states that have prescribed relatively low limits on damages (e.g., Michigan and Utah), as these limits would presumably displace any larger remedies that might have been available in common law privacy suits. In other states that did not expressly enact a private cause of action, it remains to be seen whether the state courts permit such private suits and, if so, whether they continue to allow common law privacy claims.
Pending Federal Legislation
Attempts are underway at the federal level to restrict employers from requesting social media user names and passwords.
A bill in committee in the House of Representatives (H.R. 537), the Social Networking Online Protection Act (SNOPA), would prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means of accessing a personal account on any social networking website (12 PVLR 236, 2/11/13). The bill was introduced by Rep. Eliot L. Engel (D-N.Y.), and it is still under consideration in committee. It largely mirrors the prohibitions of the state statutes but provides no exceptions. SNOPA, as proposed, would subject the employer to a civil penalty of not more than $10,000, which is significantly higher than the penalties set forth in the Michigan and Utah statutes.
Prior efforts to enact legislation at the federal level have failed.
Federal Securities Law
The Financial Industry Regulatory Authority (FINRA) is a securities industry self-regulatory body with responsibility for regulating more than 630,000 registered securities representatives. FINRA and several securities industry trade associations have expressed concern that the new raft of state laws will conflict with securities firms’ obligations under the federal securities laws and FINRA rules to monitor and retain records of their representatives’ communications with customers conducted through personal social media accounts. FINRA fears that the state laws, if followed by securities firms, may permit abuses in which representatives tout specific investment opportunities in improper and undocumented ways. FINRA’s policies on social media are contained in its Regulatory Notices No. 10-06 (issued in January 2010) and No. 11-39 (issued in August 2011), as well as in FINRA Rule 2210 (effective February 2013).
The securities industry has encouraged states to include in their new laws exceptions that would allow securities firms to monitor their representatives’ personal social media activity. Michigan, Arkansas, Utah, Oregon, and Washington permit compliance with monitoring requirements of a self-regulatory organization such as FINRA. The other state statutes do not permit securities firms to monitor their employees’ private social media accounts, except that access can be requested in most of the other states after the firm has received other information of misconduct that triggers its right to investigate private social media accounts.
So far, no conflict between a state statute and an obligation binding under the federal securities laws has reached the courts. In the event of an irreconcilable conflict, the federal requirements are likely to prevail under preemption principles.
As the number of moving parts in a machine grows, more things can go wrong. That maxim will probably apply to the new raft of state laws, as questions of interpretation and application proliferate. Employers, state governments and regulators, and courts will have to figure out how all these laws apply not only individually, but whether they can be harmonized with other laws, common law principles, and statutory requirements. The issues identified in this article are likely only the tip of the iceberg.
Daniel I. Prywes is a partner with the law firm of Bryan Cave LLP in Washington. Jena M. Valdetero is an associate in Bryan Cave’s office in Chicago. Both are members of the firm’s Data Privacy and Security Team.
© 2013 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.