On September 27, 2012, California became the third state to enact legislation protecting employees, job applicants, university students and prospective students against coerced disclosure of usernames, passwords and other information related to personal social media accounts, such as Facebook, MySpace and Twitter accounts, text messages, private email accounts, blogs and podcasts. Governor Edmund G. “Jerry” Brown signed Assembly Bill 1844 (AB 1844) and Senate Bill 1349 (SB 1349), increasing privacy protections for California social media users. The new laws go into effect January 1, 2013. AB 1844 will be codified as California Labor Code Section 980. [The two other states with similar laws are Maryland (effective October 1, 2012) and Illinois (effective January 1, 2013). Similar legislation has been proposed in the U.S. House and Senate as well as in Michigan and Minnesota. ]
The new laws are a response to allegations and news reports that some employers required employees or applicants, and some universities required students or prospective students, to divulge passwords to their social media accounts for the purpose of making employment and enrollment decisions. Among the reported employer and university abuses that fueled the legislation are allegations that:
- In 2011, a Michigan school district suspended a teacher’s aide for refusing to divulge her Facebook password during investigation of a parent complaint that the aide posted a photograph on her private Facebook account of a co-worker’s pants around her ankles. The parent was a Facebook “friend” of the suspended aide.
- In 2010, an applicant with the Maryland Department of Public Safety and Correctional Services was forced to provide his Facebook user name and password to apply for a position as an officer, so that the agency could verify he was not affiliated with any gangs.
- Universities have allegedly hired people to “friend” students – particularly student athletes – to follow what they read and write on social media.
In the wake of such allegations, the Social Networking Online Protection Act was introduced in the US House and at least 14 states enacted or are considering similar measures (for example, Michigan and Minnesota). Maryland became the first state to enact a law in May 2012, with an effective date of October 1, 2012. Illinois’ version was approved by that state’s governor August 1, 2012 and, like the California law, becomes effective January 1, 2013. Meantime, both houses of the US Congress are considering the Password Protection Act of 2012 that would prohibit employers from demanding passwords for access to non-workplace computers.
There is plenty of room to argue whether these few, isolated reports of employer and university social media abuse justified the ensuing media coverage and legislative action. Indiscriminate or sweeping access to employee and applicant “personal” social media accounts was already problematic, under existing employment discrimination or other laws. These expanding, often vaguely written, state regulatory efforts suggest even more rigor and self-restraint are required, in drawing lines between personal social media activity, and legitimate corporate oversight where employers have duties (i.e., under FINRA) or other legitimate business or legal justification (i.e., internal investigations of sexual harassment or Foreign Corrupt Practices Act or other allegation potential wrongdoing) to supervise employee electronic communications on these public platforms. Nevertheless, the passage of specific legislation changes the landscape for employers and requires the exercise of greater caution. Even though the existing practice of the overwhelming majority of employers recognizes employee privacy rights with respect to private, password-protected social media accounts, we recommend that employers undertake a careful review of their social media policies and practices.
Under Labor Code Section 980, California employers are prohibited from “requiring or requesting” an employee or applicant (1) disclose a username or password for the purpose of accessing personal social media, (2) access personal social media in the presence of the employer or prospective employer, or (3) divulge any personal social media. Employers are forbidden to discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant who refuses to comply with a demand for access to private social media that violates Section 980.
There are two important exceptions to the prohibitions of Section 980. First, an employer may require disclosure of social media content that is “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.” Even if the exception for coerced disclosure of social media content relevant to an investigation of misconduct applies, the employer is constrained from using the disclosed content for any purpose other than the investigation or a related proceeding. Second, Section 980 does not prevent employers from requiring that employees disclose usernames and passwords for the purpose of accessing employer-issued electronic devices.
Section 980 does not include penalties or specific damage remedies; but this new law will enable employees to bring civil suits for invasion of privacy and wrongful discharge in violation of public policy on the basis of alleged violations of Section 980.