Social media melee: state laws gain steam, feds may follow, new issues emerge
Social media privacy continues to be a hot topic and more state legislatures are taking action to limit, if not prohibit, employer access to personal accounts of employees and prospective employees. According to the National Conference of State Legislatures, as of April 22, 2013, such legislation has been introduced or is pending in at least 35 states. The issue continues to gain steam as three states, Arkansas, New Mexico, and Utah, enacted social media privacy laws in March and April. Social media is also being addressed at the federal level, and employers are well advised to monitor this rapidly developing area of law and tailor their practices accordingly.
State law: Arkansas, New Mexico, and Utah join the fray. On April 22, Arkansas’ governor signed Act 1480, which prohibits employers from requiring that employees and job applicants: (1) disclose usernames and passwords to their social media accounts (including Facebook, Twitter, LinkedIn, MySpace and Instagram); (2) add an employee, supervisor, or administrator to the contacts associated with such accounts; or (3) change the privacy settings of such accounts. In addition, employers may not retaliate against employees or refuse to hire applicants who exercise their rights under this law. Employers will not be prohibited from viewing information that is publicly available on the Internet. Arkansas session laws generally take effect 90 days after the legislature adjourns.
New Mexico’s recently enacted SB 371 is more limited, applying to the social networking accounts of applicants but not current employees. The law, which takes effect June 14, 2013, makes it illegal for an employer to request or require a prospective employee to provide a password in order to gain access to that person’s account or profile on a social networking website, or to demand access in any manner to such account or profile. Employers are not prevented from having workplace policies on the use of the internet, social networking sites, and email; monitoring use of the employer’s equipment; or obtaining information in the public domain. The law will not apply to federal, state or local law enforcement agencies.
Under Utah’s Internet Employment Privacy Act, effective May 14, 2013, employers may not ask an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account; nor penalize or discriminate against the person for not disclosing such information. The law does not restrict the viewing or using of online information that the employer can obtain without usernames or passwords. It also does not prohibit employers from requesting usernames or passwords to access employer-provided devices or to access accounts or services provided by the employer that are obtained by virtue of the employment relationship and used for the employer’s business purposes.
Federal law may be around the corner. In February 2013, Congressman Eliot Engel (D-NY) announced the reintroduction of the Social Networking Online Protection Act (SNOPA), HR 537. The Act would prohibit employers from: (1) requiring or requesting that an employee or applicant for employment provide a user name, password, or any other means for accessing a private email or social networking account; or (2) discharging, disciplining, discriminating against, denying employment or promotion to, or threatening to take any such action against any employee or applicant who refuses to provide such information, files a complaint or institutes a proceeding under the Act, or testifies in any such proceeding. It provides for civil penalties as well as legal and equitable relief. SNOPA awaits action in the House Education and Workforce Committee.
Emerging issues: concerted activity, account ownership, tension with other laws. In light of the changing legal landscape, there really is no current one-size-fits-all social media policy that employers can follow to ensure legal compliance. Some emerging issues that will likely effect how things play out include:
- Do policies prohibiting certain comments on social media (e.g., disparaging the employer) run afoul of the NLRA, which protects concerted activity? An NLRB fact sheet suggests they can. Indeed, in UPMC (April 19, 2013, No. 06–CA–081896) an administrative law judge found that a restriction on describing any affiliation with the employer could be reasonably read to prohibit employees on Facebook, Twitter, etc., from telling anyone where they work, which would severely inhibit any discussion of terms and conditions of their employment.
- Who “owns” social media accounts set up by an employee at the behest of the employer to further employment activities, such as marketing? In a March 12, 2013, decision, a federal court in Pennsylvania found that a company committed three separate torts (unauthorized use of name, invasion of privacy, and misappropriation of publicity) by taking over a discharged executive’s LinkedIn account for two weeks and posting her successor’s information on the page (Eagle v Morgan, No. 11-4303).
- Do the new state laws impede employers from fulfilling other legal duties by restricting their ability to monitor employee behavior? For example, if an employee reports that a coworker is harassing her on social media, what steps can the employer lawfully take to investigate?
Some issues arise only for certain types of employers. In response to a social media bill proposed in Rhode Island, for example, the Securities Industry and Financial Markets Association sent a March 22, 2013 letter to the state senate majority leader expressing concern over the impact on brokerage firms’ ability to abide by FINRA rules and state laws. It noted that many people use the same account for both personal and business activity and that the proposed bill should have an exemption allowing broker-dealers to supervise business communications to comply with their legal obligation to monitor activities that could put customers at risk (e.g., insider trading).
Source: By Lorene D. Park, J.D.