On March 23, 2015, Virginia Governor Terry McAuliffe signed a new law, H.B. 2081, that restricts the ability of employers in Virginia to access the social media accounts of current and prospective employees—making Virginia the nineteenth state to enact such legislation. The other 18 states include Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Washington, and Wisconsin.

Effective July 1, 2015, Virginia employers will be prohibited from requiring any current or prospective employees to disclose the usernames and passwords to the employees’ social media accounts. Additionally, employers are prohibited from requiring a current or prospective employee to “add an employee, supervisor, or administrator to the list of contacts associated with the current or prospective employee’s account.” Under the new law, an employer may not “take action against or threaten to discharge, discipline, or otherwise penalize” an employee for exercising his or her rights under the law or “fail or refuse to hire” a prospective employee for doing the same. 

The law defines a “social media account” as a “personal account with an electronic medium or service where users may create, share, or view user-generated content, including, without limitation, videos, photographs, blogs, podcasts, messages, emails, or website profiles or locations.” The law specifically excludes from the definition of a “social media account” (1) an account opened by an employee at the request of an employer; (2) an account provided to an employee by an employer; (3) an account set up by an employee on behalf of an employer; and (4) an account set up by an employee to impersonate an employer (such as through the use of company logos, names, and trademarks). 

The new law draws a clear line in the sand with respect to an employer’s ability to require full access to employees’ social media accounts. Put simply, if the social media account is personal, an employer may not require the employee to provide his or her username and password.  Similarly, the law is clear that it does not prohibit an employer from viewing any social media information that is publicly available. 

It appears that the potential gray area in the law lies within its restriction on employers requiring an employee to “add an employee, supervisor, or administrator to the list of contacts associated with the [employee’s] account.” This requirement seems to limit an employer’s ability to require employees to become “friends” or otherwise “connect” on social media. As social media users are well aware, typically a user’s “friends,” “contacts,” or “connections” are privy to information that would otherwise be private to the public. A social media user normally has the ability to accept or deny a request to become “friends” or “connections.” The new law seems to be clear that an employer may not require its current or prospective employees to become friends with a representative of the company on social media. However, the law does not specify the standard to be applied in determining whether a “friend request” is or is not “required.” It is easy to foresee an employee arguing that he or she subjectively believed a “friend request” from a supervisor was “required” to be accepted.

Although questions raised by the new Virginia law are likely to be answered in coming years, in the interim, employers should remain cautious about interactions between employees in the social media realm—where something as seemingly innocuous as a “friend request” could potentially create liability under certain circumstances. Notably, the new law does not appear to provide a private cause of action, and it is unclear at this point how the law will be enforced.