Joining a dozen other states, Tennessee has enacted legislation which protects employees’ privacy rights in personal, non-business related online information. The Employee Online Privacy Act of 2014[1] (“EOPA”) became effective on January 1, 2015 and protects information related to an employee’s “personal Internet account.” As defined by the EOPA, a personal Internet account is an online account which the employee uses exclusively for personal communications, unrelated to the employer’s business.[2]

Under the EOPA, an employer may not:

  • Request or require an employee or applicant to disclose a password allowing access to a personal Internet account;
  • Require an employee or applicant to add the employer to a contacts list associated with a personal Internet account;
  • Require an employee or applicant to access a personal Internet account in the employer’s presence; and
  • Take any adverse action, refuse to hire, or otherwise penalize an employee or applicant for refusing to comply with an employer’s request which violates the EOPA.[3]

By protecting only personal Internet accounts, the EOPA balances the employee’s privacy rights with the employer’s obligations to maintain a safe work environment, protect intellectual property, and comply with applicable laws. The EOPA’s protections do not extend to an online account created, maintained, used or accessed by an employee for the employer’s business.[4] The EOPA also allows an employer to access any smart phone or other “electronic communications device” and any online account which the employer provides.[5]

Recognizing the employer’s need to protect its intellectual property and confidential information, the EOPA also allows an employer to:

  • Discipline an employee, including by termination, for transferring the employer’s confidential information to the employee’s personal Internet account;[6]
  • Conduct an investigation and require an employee’s cooperation in an investigation of work-related employee misconduct and the transfer of the employer’s confidential information to the employee’s personal Internet account;[7]
  • Restrict or prohibit the employee’s access to certain websites while using cell phones or other electronic communication devices provided by the employer or while using the employer’s network resources;[8]
  • Monitor, review, access, or block electronic data stored on an electronic communication device supplied by the employer or stored on an employer’s network;[9] and
  • View or access the employee’s or applicant’s personal online information that is available in the public domain.[10]

In its current version, the EOPA does not provide for any specific penalties against an employer who violates it. Because the EOPA establishes employee protections, however, we will likely see claims such as discrimination, wrongful termination and retaliatory discharge based on those protections.

In light of the EOPA’s new protections, employers should take the opportunity to review employment policies and practices related to (1) requesting or requiring an employee’s or applicant’s personal online account information; (2) expectations of privacy communicated to employees using employer-provided electronic devices and online services; (3) confidential information agreements with employees; (4) employee access to certain websites when using employer-provided electronic devices and online services; and (5) discipline and termination for violation of the employer’s social media policy and confidential information agreements.