On May 21, 2013, Washington Governor Jay Inslee signed into law Senate Bill 5211, which with certain exceptions prohibits mandatory employee disclosure of ‘personal’ social-networking account information and profiles. The revised bill passed the Washington house and senate unanimously, and will go into effect on July 28, 2013. Washington thus became the ninth state to pass such legislation, which is intended to protect employee privacy in their non-public social networking activities.
On February 6th, we blogged about SB 5211’s introduction and original text, and we expressed concern that it was too broad to protect legitimate employer interests in their proprietary and physical assets. For example, the bill as originally written did not exempt good-faith employer investigations of employee misconduct, or legitimate employer monitoring of its own networks and hardware.
Since then, the legislature re-wrote several provisions, and the final bill as passed strikes a better balance between employee privacy and employer property rights.
In its final form, the law still prohibits employers from “requesting, requiring, coercing, or causing” employees or job applicants to turn over login information, open their online profiles in the employer’s presence, add an employer representative to their accounts, or alter their privacy settings. The law also prohibits employer retaliation for employees’ refusals to comply with those unlawful requests. A violation of the law exposes the employer to liability for actual damages, injunctions, equitable remedies, a $500 penalty, and paying the employee’s attorneys’ fees. In short, the law has teeth to protect employee privacy.
Even so, employers are protected, too. The law does not prohibit employers from requesting the content (but not logins) of its employees’ profiles during legitimate employer investigations, and it allows employers to (1) access and monitor its own intra- and extra-net communities, (2) require logins for job-required social networking accounts and employer-owned devices, (3) enforce personnel policies (consistent with the law’s prohibitions), and (4) require logins to comply with other applicable law. The law also has an “innocent discovery” rule, which says that an employer is not liable if it unintentionally receives protected employee logins during permitted monitoring activities.
Permitted investigations and accompanying requests for profile content (and again, not login info) must be (1) in response to the employer’s receiving information regarding employee networking activity, and (2) for the purposes of determining (a) compliance with applicable law, or (b) whether employer proprietary assets or confidential data was improperly transferred to the employee’s social network account.
So, the law has ingredients which both employees and employers like. If Washington had to pass this law (apparently so), it did so responsibly. Nevertheless, an unresolved issue still lurks. The law does not define what constitutes a ‘personal’ account. Does it apply to hybrid accounts – those used for personal and employment purposes? Indeed, the law permits mandatory login disclosure for “an account or service provided by virtue of the employee’s employment relationship with the employer.” RCW 49.44.__,§ 3(b). An employer aware of the decisions that we blogged on some time ago, including Eagle v. Morgan and PhoneDog v. Kravitz, may try to end-run around the new law by writing into its employees’ job descriptions the mandatory usage of employer-‘provided’ features and services in new or pre-existing accounts. After all, in each of those cases (though neither of which were decided in Washington courts), the court held that the employer could have some level of ownership in the employee’s social-networking account, where the employer required employee usage of the account, and provided substantial assistance in developing and maintaining the account. Thus, by merely including mandatory usage in its job descriptions, and “providing” account assistance, an employer might be able to make the exception the rule.