Social media has come to play an increasingly important role in how businesses operate. Because social media sites allow users to share information, ideas, personal messages, and other content faster than ever before, employers have sought to harness the power of social media to remain relevant in the global marketplace. In addition, a majority of employers report using social media to screen potential candidates during the hiring process.  

Not content with acquiring just publicly available social media information, some employers are even requiring applicants to provide personal login information for Facebook and other social media sites. In some cases, employers for sensitive positions seek to insulate themselves from later complaints that they overlooked a red flag. In other cases, the employers are simply zealous investigators. The response from state and federal legislators, however, has been to propose new laws that would definitively ban the practice.  

Recent Reports of Employers Requesting Social Media Passwords

In March 2012, the Associated Press reported a story about a New York City statistician being asked for his Facebook username and password during an interview because the employer wanted to access his private profile.1 This story, along with a number of others like it, has sparked public outcry from privacy groups including the American Civil Liberties Union claiming that such requests are an invasion of privacy. These groups worry that although the statistician chose to withdraw his application because he did not want to work for a company that would seek such personal information, other prospective job candidates who confront the same request may not be able to afford to refuse.

Facebook has issued a statement emphasizing that its terms of service forbid “anyone from soliciting the login information or accessing an account belonging to someone else.”2 Additionally, Facebook’s Chief Privacy Officer has said that the practice of asking an applicant for his or her login information “undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability.”3 The US Department of Justice has stated, however, that although it considers entering a social networking site in violation of the terms of service to be a federal crime, it would not prosecute such violations.4

Legislative Response

Reports of employers requesting social media passwords from job applicants have also drawn the attention of state and federal legislators. Notably, on March 26, 2012, US Senators Charles Schumer and Richard Blumenthal asked the US Department of Justice and the US Equal Employment Opportunity Commission (EEOC) to investigate whether the practice violates federal law while they draft legislation “that would fill in any gaps in federal law that allows employers to require personal login information from prospective employees to be considered for a job.” Although a similar provision was recently voted down as part of an amendment to the Federal Communications Commission reform package in the US House of Representatives, Senator Blumenthal’s office is currently drafting a bill to present to the US Senate. As the Senators emphasized in their letter to the EEOC, one of their primary concerns is that employers, by obtaining social media login information from applicants, could access private and protected personal information “under the guise of a background check [that] may simply be a pretext for discrimination.”  

In April 2012, Maryland became the first state to pass a bill, the User Name and Password Privacy and Protection Act,5 prohibiting employers from asking employees or job applicants for social media login information. If the bill is signed into law as expected, it will take effect on October 1, 2012.6 Once in effect, Maryland employers will be barred from requesting or requiring that an employee or job applicant disclose login information for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.”  

Although targeted at social media, the bill’s prohibitions also include personal e-mail accounts, credit card accounts, and online banking accounts, among others. Additionally, the bill prohibits employers from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. Notably, however, the bill does not authorize applicants or employees to sue employers who violate the Act, nor does it provide for civil or criminal penalties. However, an employee who is terminated in violation of the Act could presumably have a claim for wrongful discharge in violation of public policy. Furthermore, the bill contains specific exceptions which permit employers to require employees to disclose log-in credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems,” and while performing an investigation to ensure compliance with financial and securities laws.  

Although no other state has passed a bill banning employers from asking for social media login information, similar legislation has been proposed, or is currently being drafted, in several states including California, Illinois, Michigan, Minnesota, New Jersey, New York, and Washington.7 Like their federal counterparts, the state legislators proposing these bills argue that asking employees or job applicants for social media passwords is a back-door attempt to learn about protected personal information and some argue that penalties are needed to discourage the practice. For example, the proposed Michigan bill provides for civil and criminal penalties against the employer and also permits an aggrieved party to bring a civil action to recover damages of at least $1,000.00 and reasonable attorneys’ fees and costs.8 The proposed New York bill provides for similar relief.9

  Other Legal Considerations in Using Social Media to Review Applicants

Employers that use social media to screen applicants also need to be aware of the legal risks associated with the practice, whether or not the employer requests and uses the login information to view private profiles. One such risk is a potential claim that a decision not to hire an applicant was unlawful discrimination or retaliation for activity that is protected by law. Existing federal laws, including Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, and the Age Discrimination in Employment Act prohibit employers from basing employment decisions on factors such as age, race, national origin, religion, and marital status. Many state laws protect these classes, as well as sexual orientation and gender status, and some provide statutory or common law privacy protections and protection for legal off-duty activities.  

Finally, both state and federal laws protect employees from a refusal to hire due to protected complaints or lawsuits, workers’ compensation claims, arrests, and whistleblower activity. Because this type of information is often mixed in with other information readily available on social media sites, using these sites to screen candidates poses a risk that the employer will obtain information about protected class status or protected activity. If the protected information reaches the decision maker, directly or indirectly, an employee may use that fact to challenge a hiring decision in a subsequent state or federal law action.

Employers should also be cognizant that using social media to screen applicants may also implicate the Stored Communications Act, which generally prohibits intentional access to electronic information without authorization. While it remains an open question, an employer that accesses an applicant’s social media profile with the individual’s personal username and password may be doing so without authorization. For more information on the Stored Communications Act and other legal issues associated with social media, please see the second edition of Mayer Brown’s The Social Media Revolution: A Legal Handbook.10

Given the recent national focus and proposed legislation seeking to prohibit employers from asking job applicants for social media login information during the screening process, this is a rapidly developing area to which employers should pay close attention. Although Maryland is the first state to pass a bill prohibiting employers from requesting social media login information, other states appear to be close behind. Additionally, employers should be aware—even if the practice is not expressly outlawed in their jurisdiction—that accessing a public or private social media profile page carries the risk of rejected applicants claiming they were rejected for an illegitimate reason such as their race, age, or marital status.