Key points:

  • Effective July 1
  • Employers barred from demanding personal account information 

Effective July 1, 2015, employers in Virginia will be prohibited from requiring, requesting, or causing a current or prospective employee to disclose the username and password to the individual’s social media account. The new law, signed by Governor Terry McAuliffe on March 23, 2015, also prohibits employers from requiring an employee to add another employee, a supervisor, or an administrator to the list or contacts associated with the individual’s social media account or changing the privacy settings.

Under the new law, “social media account” means a personal account with an electronic medium or service where users may create, share, or view user-generated content, including, without limitation, videos, photographs, blogs, podcasts, messages, emails, or website profiles or locations. 

However, “social media account” does not include an account: 

  1. opened by an employee at the request of an employer; 
  2. provided to an employee by an employer, such as the employer’s email account or other software program owned or operated exclusively by an employer; 
  3. set up by an employee on behalf of an employer; or 
  4. set up by an employee to impersonate an employer through the use of the employer’s name, logos, or trademarks.

An employer taking or threatening to discharge, discipline, or otherwise penalize any employee in retaliation for his or her refusal to comply with a request or demand that violates the new law is in violation of the law. Failing or refusing to hire a prospective employee for exercising his statutory rights also is a violation.

What the Law Does Not Prohibit

The new law does not limit an employer’s right to obtain information that is in the public domain, conduct an investigation, or comply with the requirements of state or federal statutes, rules or regulations, case law, or rules or regulations of self-regulatory organizations. The employee’s username and password can be used only for the purpose of the formal investigation or a related proceeding.

An employer may enforce lawful workplace policies (e.g., on Internet and electronic mail use) governing use of the employer’s electronic equipment, monitor use of the employer’s electronic equipment and electronic mail, and request or require an employee to disclose access information to an account or service provided by virtue of his or her employment relationship with the employer or an electronic communication device or online account paid for or supplied by the employer.

If an employer inadvertently receives an employee’s username and password to, or other login information associated with, the employee’s social media account through an employer-provided electronic device or a program that monitors the employer’s network, the employer would not be liable for having the information as long as the employer does not use the information to gain access to the employee’s social media account.

Employers may have legitimate need to access employee or applicant personal social media or other online accounts, as in cases involving theft of trade secrets, disclosures of confidential information, and similar reasons. However, with more than a dozen states already imposing limitations on employer access of personal social media accounts, employers, particularly those operating in more than one state, should be careful in determining what they are permitted to do in each state.