With social media pervading all facets of society (no less than 67 percent of Americans are regular users), businesses have long been concerned with their employees’ potentially detrimental social media activities. As these concerns proliferated among Virginia’s business community, many employers saw fit to demand access to their applicants’ and employees’ social media accounts. Privacy activists cried foul and, in response, Virginia joined dozens of other states last month by imposing limits on employer access to such accounts. This new law demands careful response by employers and those advising them.

Virginia’s Restrictions on Social Media Passwords and “Friendships”

Under this new law, codified at Virginia Code § 40.1-28.7:5, an employer may not require current or prospective employees to disclose their social media usernames or passwords. The law also aimed to limit employer monitoring by prohibiting employers from requiring that current or prospective employees add supervisors, administrators, or other employees to their social media contact lists.

Because the law defines “social media” as all electronic media where “users may create, share, or view user-generated content,” the law applies to a broad range of online media, from Facebook and Instagram to personal blogs and podcasts. It therefore bolsters employee privacy in online communications, but stops short of prohibiting employers from viewing publicly-available content.

In this way, the restrictions imposed by Virginia’s new law are limited. Employers are not prohibited from requesting to follow an employee on social media, but employers may not require that employees accept their requests. Importantly, employers may still demand access to a social media account pursuant to a formal investigation into an employee’s alleged violation of federal or state law or an employer’s written policy. Thus, Virginia’s new law does not compel employers to take a completely laissez-faire approach towards employees’ social media behavior—it merely tempers the extent to which employers may intrude upon their employees’ online presences.

Social Media and the EEOC

The Equal Employment Opportunity Commission held a meeting last year to discuss the impact of social media on employers’ oversight responsibilities (as reported in its press release, U.S. Equal Employment Opportunity Commission, Social Media Is Part of Today’s Workplace but its Use May Raise Employment Discrimination Concerns(March 12, 2014). The Commission conceded that the law remained unsettled, but noted that an employer’s responsibility to monitor and remedy workplace harassment could extend to social media. For example, if an employee uses a company laptop to post discriminatory comments about a coworker on Facebook or if an employer becomes aware of a harassing post made outside of work hours, the employer may not escape liability under Title VII of the Civil Rights Act of 1964 merely because the harassment occurred online.

The EEOC also warned that employers could run afoul of Title VII if they scrutinized social media too closely. Many employers screen applicants’ social media profiles to determine their fitness for a position, but social media also can reveal a person’s protected characteristics, such as race, sex, or religion. As such, employers should segregate the employees tasked with reviewing an applicants’ social media presence from their hiring committees. The designated social media screener, whether a third-party agency or a company employee, can then report any relevant concerns to the hiring committee without disclosing an applicant’s protected characteristics.

Concerted Activity Under the NLRA

Employers naturally prefer that their employees refrain from online public criticism of their employers, workplaces, or working conditions, but restrictions on employee speech about work must be crafted carefully. Under Section 7 of the National Labor Relations Act, employees in both union and nonunion workplaces have a right to engage in concerted activity regarding the terms and conditions of their employment. Section 8(a)(1) of the NLRA prohibits work rules that would “reasonably tend to chill employees in the exercise of their Section 7 rights.” (Lafayette Park Hotel, 326 NLRB 824, 825 (1998)) The National Labor Relations Board frequently invalidates overly broad social media policies that prohibit “disparaging” or “inappropriate” comments about the company. (NLRB, Operations Memorandum 12-59 (May 30, 2012)) The NLRB also rejects blanket bans on disclosing “confidential information” because employees have a right to discuss their salaries and wages under Section 7. (NLRB, Operations Memorandum 12-59 (May 30, 2012)) Given these limitations, the best way to avoid liability under the NLRA is to develop detailed, specific policies that prohibit content like bullying, threats, false statements about the company, or the disclosure of trade secrets.

Section 7 also protects employees from discipline based on social media posts, even if an employer’s social media policy is otherwise legal. Because concerted activity “encompasses employee initiation of group action,” it is critical for employers to determine when a comment crosses the boundary from unprotected “griping” and becomes a call for support from fellow employees. (NLRB, Operations Memorandum 12-31 (January 24, 2012)) A Facebook post referring to one’s boss as a jerk may qualify as unprotected griping in one instance, but if the employee tags coworkers in the posts or adds a phrase like “we should do something about this,” Section 7 rights may be triggered and the speech earns protection.

Guidance for Employers

  • DO NOT require employees or applicants to provide access to their social media accounts. As a general rule, if the public cannot access these accounts, neither can employers.
  • DO remember that the Virginia law permits employers to request access to employee social media accounts if that account is “reasonably believed to be relevant to a formal investigation or related proceedings” pertaining to allegations of an employee’s violation of federal, state, or local laws or of the employer’s written policies. However, the username or password provided in this context may not be used for unrelated purposes.
  • DO NOT allow hiring committee members to conduct an informal social media investigation on prospective employees. Final decision makers should not access information about protected classes or activities that they could not legally ask about during an interview.
  • DO outsource social media screening duties to individuals outside of hiring committees. Information contained on an applicant’s social media profiles may be valuable, but such information can only be used in connection to hiring if limited to relevant factors that will not raise inferences of discrimination.
  • DO NOT craft broad social media policies. Employees are allowed to discuss the terms and conditions of their employment on social media, even if that means criticizing management. The mere existence of an overly broad policy violates the law.
  • DO be specific. Social media policies can help protect companies from liability for a variety of legal issues, including harassment or discrimination. Prohibit specific content like threats, bullying, or the disclosure of trade secrets.
  • DO NOT discipline employees for posting negative comments on social media without seeking legal advice. Even comments that do not appear to qualify as concerted activity may fall under the NLRA’s prohibitions depending on the circumstances.
  • DO take complaints about an employee’s social media use seriously. Employers have a responsibility to investigate social media behavior if they become aware of alleged misconduct. The difficulties of navigating social media laws do not excuse employers from exercising due diligence to protect other employees.

A version of this article first appeared in Virginia Lawyer Magazine.

Reilly Moore is a law student at the University of Richmond School of Law who participated in the summer associate program in the Richmond office of Ogletree Deakins.