Tag Archives: social media

July 22, 2013

Myriad of Social Media Privacy Laws Create Havoc for Multi-State Employers

By Elizabeth Dunning 

ComputerDoes your company request that your employees and applicants provide user names and passwords to their personal social media accounts?  Do you require applicants to log onto their online accounts in your presence so that you can view their content?  Perhaps you ask employees to “friend” their supervisors.  If you haven’t followed new developments in state employment laws, you may not realize that such activities are unlawful in some states.  In just two years, eleven states have passed social media privacy laws that prevent employers from accessing employees’ and applicants’ personal online accounts.  Each state law differs in certain respects, making it difficult for multi-state employers to adopt a uniform and consistent social media policy.  To help sort things out, we highlight here the primary differences in the state social media privacy laws. 

States with Workplace Social Media or Internet Privacy Laws 

The eleven states that have enacted social media or internet privacy laws affecting employers to-date are:  Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington.  All but one of these states protect the access information for both current and prospective employees, with New Mexico only protecting the log-in information of applicants. 

Differences in State Social Media Laws 

Generally, all of these states prohibit an employer from requesting or requiring an employee or applicant to disclose his or her user name, password or other means of accessing his or her personal social media accounts. Many of these states also make it unlawful to discipline, discharge, discriminate against or penalize an employee, or fail to hire an applicant who refuses to disclose his or her access information to personal social media accounts.  However, that’s where the uniformity in the laws generally ends.  The following chart highlights numerous key differences between the state laws. 

Legal Provision

States Recognizing Provision

Prohibits employers from requesting that employee add employer representative or another employee to his or her list of contacts (e.g., “friend”)

Arkansas, Colorado, Oregon and Washington

Prohibits employers from requesting employee to access his or her personal social media account in the presence of the employer (“shoulder surfing”)

California, Michigan, Oregon and Washington

Prohibits employers from requesting employee to change the privacy settings on his or her personal social media accounts

Arkansas, Colorado and Washington

Specifically permits employers to view and access social media accounts that are publicly available

Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah

Exception when access required to comply with laws or regulations of self-regulatory organizations

Arkansas, Nevada, Oregon and Washington

Exception for investigations of employee violation of law or employee misconduct

Arkansas, California, Michigan, Oregon, Utah and Washington (Colorado and Maryland limit this exception to investigation of securities or financial law compliance)

Exception for investigation of unauthorized downloading of employer’s proprietary, confidential or financial data

Colorado, Maryland, Michigan, Utah and Washington

Inadvertent acquisition of personal log-in information while monitoring employer systems not a violation but employer not permitted to use the log-in information to access personal social media accounts

Arkansas, Oregon and Washington

As you can see, the differences in the laws exceed the similarities, making it difficult for an employer operating in more than one covered state to comply with all applicable provisions.  Even the definition of covered social media accounts varies by state, creating even more inconsistencies. 

Would a Federal Law Help? 

With eleven laws in place and almost 20 additional states considering social media privacy bills, the issue seems ripe for a federal bill that would bring some uniformity to the protections offered to employees and applicants.  In February 2013, the Social Networking Online Protection Act, which offers such workplace protections, was introduced into the U.S. House of Representatives.  Unfortunately, it has languished in committee and is not expected to pass.  In addition, a federal law on the issue will likely only simplify the web of state laws if it specifically preempts state law.  Without federal preemption, we might face two sources of law on the issue, federal and state, which might muddy the waters even more.  In any event, it does not appear that a federal law will be enacted before additional states enact their own laws, leaving employers to struggle with the variances in state law. 

Best Practices for Complying with Social Media Privacy Laws 

With the vast amount of information available on social media and the increased use of social networking platforms for business purposes, it is likely that most employers will at some point need to access or review content on an employee’s or applicant’s social media account.  Perhaps it will be for an investigation of an employee who downloaded proprietary information or perhaps it will be to confirm derogatory statements about the company made by an employee.  Whatever the reason, the first step is to recognize that these laws exist and you will need to review which, if any, apply to your company and/or the employee involved.  Remember that you are generally free to access publicly available social media content.  However, if one of these state laws applies, consult with legal counsel before accessing (or requesting access to) any personal social media accounts to determine what restrictions and exceptions are applicable to your particular circumstances. 

Establish a social media policy specifying that employees are not permitted to disclose or post proprietary or confidential company information on their personal social media accounts.  Make a clear delineation between company/business-related social media accounts where you control who speaks on behalf of your organization, and personal accounts where employees do not represent the views of the company. Be careful that your social media policy does not run afoul of the National Labor Relations Act by interfering with employees’ right to discuss their wages and working conditions in a concerted manner.  Communicate your policy to your employees through normal channels, such as your employee handbook, online policy/intranet, etc. 

Train your supervisors, managers and human resources staff on these laws.  Sometimes supervisors or HR folks think it is acceptable to ask an employee to “friend” them online, or to ask for their log-in information to view pictures or other benign posts.  Despite good intentions, company representatives could get you into legal trouble so advise them of these laws and your restrictions on requesting access to personal social media accounts.


Disclaimer: This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Print Friendly and PDF

April 25, 2013

Tips for Complying with Utah’s Internet Employment Privacy Act

By Elizabeth Dunning

Effective May 14, 2013, Utah employers may not request employees or applicants to disclose information related to their personal Internet accounts.  The Internet Employment Privacy Act(IEPA), recently signed into law by Utah Governor Gary R. Herbert, prohibits employers from asking an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account.  In addition, employers may not penalize or discriminate against an employee or applicant for failing to disclose a username or password.  A similar restriction applies to higher educational institutions through passage of the Internet Postsecondary Institution Privacy Act. 

With enactment of the IEPA, Utah becomes the fifth state to pass legislation that limits an employer’s access to social media accounts, joining California, Illinois, Maryland and Michigan.  New Mexico passed a similar law shortly after Utah and New Jersey’s law passed the legislature and is awaiting the governor’s signature.  A bill introduced in February in the U.S. House of Representatives called the Social Networking Online Protection Act (H.R. 537) is stuck in committee. 

Public Online Accounts Are Fair Game under the IEPA 

The IEPA does not restrict or prohibit employers from viewing or using online information about employees and applicants that the employer can obtain without the employee’s username or password.  Any online information that is available to the public may be accessed and viewed by employers without violating the IEPA.  Consequently, individuals who set privacy settings on their online accounts to allow “public” access effectively opt themselves out of any protections offered by this new law. 

Utah Restriction Applies to Accounts Used Exclusively for Personal Communication 

In prohibiting employers from requiring disclosure of online usernames and passwords, the IEPA draws a distinction between personal Internet accounts and those used for business related communications.  The law only restricts employer access to personal online accounts that are used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.  It does not, however, restrict access to accounts created, maintained, used or accessed by an employee or applicant for business related communications or for a business purpose of the employer.  

In practice, the line between personal and business related accounts may be blurred as many employees use their personal online presence to network and communicate for business reasons.  Consider the sales person who uses his or her LinkedIn account to communicate with potential buyers within a particular industry, or the CPA who posts tax reminders on his or her Facebook page.  Are those accounts accessible under the IEPA since they are not used “exclusively” for personal communications?  A plain reading of the law suggests that may be the case, thereby watering down the potential protections offered by the IEPA to applicants and employees.   

Steps for Complying with the IEPA 

Utah employers should review their HR forms, policies and practices to ensure that they do not ask applicants and/or employees to provide a username or password to their personal Internet accounts.   Train supervisors and managers not to ask for this information as well.  In fact, take the opportunity to remind supervisors and managers not to “friend” subordinates on personal online platforms, such as Facebook.  In addition, reinforce that employees and applicants may not be penalized or treated adversely for failing to provide a username or password for personal online accounts.   

Remember, too, that even though the IEPA does not prohibit accessing an employee’s or applicant’s public social media accounts, viewing such information creates other risks.  Employers may view information regarding the individual’s religion, race, national origin, disability, age, or other protected group status that could give rise to a discrimination claim.  Furthermore, online information is unreliable and ever-changing, meaning that employers should not rely on what they see online when making employment decisions.  To stay out of trouble, consult with legal counsel before viewing or using social media in the employment context.

For more information about permissible actions and potential damages under the Utah Internet Employment Privacy Act, please see our Client Alert.

February 26, 2013

Who Owns Your Employees’ LinkedIn Profiles? The Answer Might Surprise You.

By Mark B. Wiletsky

If your employees use LinkedIn to establish and maintain contacts for business purposes (such as sales), what happens to those accounts—and contacts—when the employee quits or is fired?  Can an employer who has access to an employee’s LinkedIn profile change her password and replace information in her profile following her termination?  No, says at least one federal judge in Pennsylvania recently, though that case is not yet over.  As explained below, employers should be careful before assuming that they own their employees’ LinkedIn profiles. 

Employer Access to High Level Executive Profiles

Edcomm, Inc., a banking education company, strongly urged its employees to create LinkedIn accounts using their company email addresses as a business networking tool.  It had employee policies governing online postings and specified that if employees identified themselves as an Edcomm employee, they needed to use a specific template that contained pre-approved content about the company and referred to the company’s website.  The company provided a photographer to take professional photos for employee use on their LinkedIn accounts.  It also allowed some Edcomm employees to access, develop and administer the LinkedIn accounts of senior management, such as responding to invitations, inviting new contacts and researching good news stories to include on their LinkedIn pages.

After being acquired by another company, Edcomm, Inc. terminated its company president and founder, Linda Eagle, as well as several other top executives. After her termination, Edcomm locked Eagle out of her LinkedIn profile by changing her password.  It then changed the information on the profile to that of the new acting CEO.

Company Argues LinkedIn Account was Akin to a Client List

Eagle sued Edcomm alleging numerous violations of state and federal law, including invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft and conversion.  Edcomm argued that the LinkedIn accounts were used to contact new clients and promote the company’s services.  As such, the company claimed that its take over of Eagle’s account was similar to the company keeping possession of a client list after an employee is terminated. 

The Judge didn’t buy it.  At a recent hearing, Judge Ronald Buckwalter stated that Edcomm likely had no right to change Eagle’s LinkedIn password and change her profile information.  He noted that the company had no internal policy that would hand over ownership of employee profiles when employees left the company and that the LinkedIn accounts belonged to the individual employees. 

Be Prepared For An Employee’s Departure

Although it is wise to implement a social media policy to address employee use of company information on personal or company-sponsored social media accounts, you need to be wary of who owns the rights to such information.  First, as indicated in the Edcomm case above, you risk potential invasion of privacy and other claims.  Second, the employee might have rights to the account independent of the employer, as established in an agreement between the service provider and the employee.  At a minimum, consider implementing specific policies that address these issues up front, and consider what services your employees are using to establish and maintain connections with clients.  The fact that contacts are connected through LinkedIn, Facebook, or some other social media site can significantly impact an argument that such contacts are protectable trade secrets.  Lastly, don’t forget that forcing access to employees’ social media can be risky.  Four states have enacted legislation to prohibit or restrict employers from asking for social media access and many other states are currently debating similar restrictions.

April 10, 2012

Maryland Protects Employees’ Social Media

By Mark Wiletsky

According to various blogs, including a post by the ACLU, Maryland has become the first state to ban employers from requiring employees or applicants to provide access to their otherwise protected social media accounts.  I have not yet seen the text of the bill that Maryland passed, but the new law is not entirely surprising in light of the furor that recently erupted–which gained national media attention–based on reports of a few employers demanding access to applicants' or employees' Facebook and other social media accounts. Whether Maryland's law protecting employees' social media accounts is the first of many state laws, or even a new federal law, remains to be seen.  Regardless, this is yet another indication to employers to be cautious about social media.  Employees' use of and access to social media–both inside and away from the workplace–raises novel issues that courts and legislatures will have to address.  Until more definitive guidance is provided, be aware that your practices may need to modified and reviewed regularly to address this evolving area of the law. 

March 27, 2012

Furor Over Facebook Continues

By Mark Wiletsky    

Following up on my post last week, the flap over employers asking applicants to turn over their passwords to social media accounts, such as Facebook, rages on.  Two senators–Sens. Richard Blumenthal (D-Conn.) and Charles Schumer (D-N.Y.)–on March 25 asked the Department of Justice and the EEOC to investigate this practice (http://blumenthal.senate.gov/newsroom/press/release/blumenthal-schumer-employer-demands-for-facebook-and-email-passwords-as-precondition-for-job-interviews-may-be-a-violation-of-federal-law-senators-ask-feds-to-investigate).  Facebook joined the fray by warning employers about this practice, and of course the ACLU has raised concerns as well (http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/index.html?hpt=hp_t3).  Is this issue being overblown?  Other than media reports about a couple of public entities, it is unclear how many employers are demanding applicants turn over passwords to social media accounts as a condition of employment (or consideration for employment).  Still, the heightened media attention is a good reminder for employers to review their hiring practices and their social media policies.  If you have not yet read the NLRB's January 25, 2012 Operations Management Memo (http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report), I recommend doing so.  Even though I disagree with certain aspects of the Memo, it provides some good examples of things to avoid in both social media policies and discipline/termination situations involving social media–for Union and non-Union work environments.   

March 23, 2012

Hiring and Social Media: Beware

By Mark Wiletsky

Should you require prospective employees to provide you with access to their Facebook page and other social media accounts, as a condition of being considered for the job?  Some public agencies apparently are doing so.  But Richard Blumenthal, a Democratic senator from Connecticut, is writing a bill to prohibit the practice.  (Not surprisingly, you can find more information about his proposed bill by visiting his Facebook page: http://www.facebook.com/dickblumenthal).  Relying on social media for hiring decisions can be risky, but it happens.  People Google a candidate’s name, check LinkedIn profiles, browse a Facebook page, or surf the web to see if they can learn some information about the candidate.  It’s so easy to do, and there is so much information about people on the web that it is hard to resist.  The problem is that the information on the Internet may or may not be relevant to the job.  The information also might disclose protected characteristics that you would not otherwise know from simply reviewing a job application (e.g., a person’s race, a disability, etc.).  My own thought is that for most private employers, it is not a good idea to require candidates to turn over passwords to their social media accounts.  Regardless of whether the candidate agrees to do so, it is clearly not a voluntary decision, and it raises a host of potential problems for private employers, beyond even the typical problem of not hiring someone due to a protected characteristic, e.g., what happens if someone at the company loses the password, abuses it, or protects it but is later accused of being responsible for hacking into the account?  The law in this area continues to evolve, but I would avoid becoming a “test case” for having gone too far.