Utah and New Mexico have joined the growing number of states that prohibit employers from requesting or requiring access to job applicants’ social networking accounts. In addition, a social media privacy bill has reached New Jersey Gov. Chris Christie’s desk, and as of mid-April, 2013, measures were pending in several other states, according to the National Conference of State Legislatures (NCSL).
Utah becomes fifth state to protect accounts
Joining Maryland, Illinois, California and Michigan, Utah passed employment social media privacy legislation on March 27, 2013, when Gov. Gary Herbert signed into law the Internet Employment Privacy Act (IEPA). The law bans employers from asking employees and job applicants to provide the login information for their personal Internet accounts.
Under the IEPA, private and public employers in Utah cannot:
• Ask an employee or job applicant to disclose a username and password or a password that allows access to the employee’s or applicant’s personal Internet account.
• Take adverse action in the terms and conditions of employment, fail to hire or otherwise penalize an employee or job applicant for failing to disclose his protected Internet information.
However, under the IEPA, employers may:
• Request or require an employee to disclose a username or password required to gain access only to the employer’s electronic communications device, account or service.
• Discipline or discharge an employee for transferring the employer's proprietary or confidential information or financial data to the employee’s personal Internet account without authorization.
• Investigate other employee misconduct that involved the use of the employee’s personal Internet account.
• Restrict or prohibit employees from accessing certain websites while using the employer’s electronic communications device or computer network.
• Monitor, review, access or block electronic data and communications stored on the employer's electronic communications device or network.
• Screen employees and job applicants.
Employees and job applicants may receive up to $500 in damages from employers that violate the law.
New Mexico’s law applies only to job applicants
On April 5, 2013, New Mexico Gov. Susana Martinez signed Senate Bill 371 into law, a measure that prohibits employers from mandating access to a job applicant’s password-protected social media account. Unlike the other five states’ laws, New Mexico’s does not mention current employees.
The legislation makes it unlawful for an employer to:
• Request or require that a prospective employee divulge a password allowing access to his or her account or profile on a social networking website.
• Demand access in any other manner to an applicant’s account or profile on a social networking website.
The new law makes exceptions, expressly providing that an employer may:
• Implement policies on employee use of the Internet, social networking sites and e-mail.
• Monitor usage of the employer's electronic equipment and e-mail (subject to the prohibitions outlined in the law).
• Obtain publicly available information about a job applicant.
Unlike Utah’s law, New Mexico’s does not contain a remedial plan for damages or penalties.
Bill reaches New Jersey governor’s desk
Assembly Bill 2878 received final legislative approval on March 21, 2013, and awaits action by the governor. This bill would bar an employer from requiring or requesting that any current or prospective employee:
• Disclose his or her username or password to a personal social media account.
• Provide access to his or her personal social media account.
• Disclose whether he or she has a personal social media account.
• Waive the rights or protections of the bill.
Under the bill, a protected personal social media account is one that an applicant or employee uses exclusively for personal communications. Based on this definition, a social media account that an individual uses for both personal and business purposes likely falls outside the measure’s protections.
Further, the bill does not prohibit employers from implementing and enforcing policies on the use of employer-issued electronic communication devices.
Finally, the legislation would bar employers from retaliating or discriminating against individuals who refuse to divulge their usernames or passwords or provide access to their personal accounts, who object to violations of the law, or who file a complaint under the measure. Along with a civil penalty of $1,000 to $2,500, the bill would provide aggrieved individuals with a civil cause of action, enabling them to seek injunctive relief, compensatory and consequential damages, and attorney fees and costs.
Bills pending in other states
According to the NCSL, as of April 8, social media protection bills were pending in a number of other states, including Arizona, Arkansas, Colorado, Connecticut, Hawaii, Iowa, Kansas, Louisiana, Maine, Massachusetts, Minnesota, Missouri, Nebraska, New Hampshire, New York, Ohio, Oregon, Rhode Island, Texas, Vermont and Washington.
Joanne Deschenaux, J.D., is SHRM’s senior legal editor.
©2013 SHRM. All rights reserved.
Have HR-related questions and concerns? Get access to essential forms, policies and guides, plus a live call center, aToolkitHR.com, powered by HCN and the Society for Human Resource Management (SHRM).