Illinois employers, take note of recent amendments to the Illinois Right to Privacy in the Workplace Act (IRPWA). The amendments, which go into effect January 1, 2017, significantly expand the scope of the law, but in doing so, also offer clarity regarding when an employer can and cannot insist upon information in a private social media account. Here is what you need to know:
Important Changes to Workplace Data Privacy in Illinois
As many employers know, IRPWA generally restricts an employer from soliciting information (e.g. user names and passwords) to gain access to an employee's social media account. Prior to these amendments, the statute, by its terms, generally only covered "social networking websites," like Facebook pages.
The amendments expand the statute's reach to now cover "personal online accounts," which is defined as all "online accounts" "used by a person primarily for their personal purposes." This definition was likely drafted intentionally over-broad in order to encompass new technologies as they develop. At a minimum, the definition of "personal online accounts" includes social networking and messaging sites that restrict access to an individual's friends or followers (e.g. Facebook, Twitter, Snapchat, etc.). The definition does not specify whether it also includes an employee's Internet-based email account (Gmail, Yahoo, etc.), but the broad definition and added prohibitions suggest the amendments are intended to cover personal Internet-based email accounts in addition to social media. If true, this is a significant expansion of the Act.
In addition to prior prohibitions, the Act now prohibits employers from: (i) requiring an employee to access the account in front of the employer; and (ii) requiring the employee to "friend" or invite the employer to access or join the personal online account. The Act also now provides for a retaliation cause of action to the extent an employee or applicant suffers an adverse employment action due to his or her refusal to share information protected by this law.
The Amendments also lend helpful guidance on how to safely navigate workplace issues and investigations without violating the Act. Specifically, employers may ask an employee to share "specific content" from a personal online account when:
- attempting to comply with applicable state and federal law;
- investigating an allegation that an employee made an unauthorized transfer of confidential or proprietary information to a personal account;
- investigating an allegation of illegal activity, a regulatory violation, or employee misconduct; or
- prohibiting an employee from operating a personal online account during business hours, while on company property, while using a company electronic device, or while using a company network.
The law likewise makes clear that nothing in its provisions prohibits an employer from creating and enforcing lawful workplace conduct policies governing the use of its equipment, email, or Internet access. Nor does it prohibit lawful policies governing employee use of social media.
The law also makes clear that it does not prohibit employers from monitoring employee use of equipment or online activity while at work. That said, an employer can run afoul of the Act if it inadvertently obtains personal online account information while conducting such monitoring and:
- fails to delete personal online account information obtained inadvertently, within a reasonably practicable time (the statute does not define "reasonably practicable");
- fails to make reasonable efforts to secure personal online account information from disclosure, when the employer has reason to know that its monitoring software likely collects this type of information; or
- uses personal information that was inadvertently retrieved (or enables another party to use this information) to access a personal online account.
Employers should train HR and supervisors on the Illinois Right to Privacy Act Amendments now, before an investigation or other issue requires your company to navigate these waters. Policies and handbooks should likewise be revised to ensure consistency with the new requirements. Finally, employers that monitor equipment or Internet use should investigate or audit the possibility that a monitoring system inadvertently caches personal online account information and revise policies and processes to address how to handle such inadvertent capture.