On May 12, 2013, Colorado’s governor signed H.B. 1046 into law to forbid employers from requiring or requesting that prospective and current employees disclose their username and password to their personal social media accounts. Several other states have codified similar laws, including Maryland, Illinois, California, Michigan, Utah, New Mexico (which ostensibly applies to prospective employees only), and Arkansas. A number of other states and the U.S. Congress have introduced such legislation. To understand the new Colorado law, this alert discusses its coverage, prohibitions, exceptions, and remedies.
The coverage of the new Colorado law is expansive, as the term "employer" means a person engaged in a business, industry, profession, trade, or other enterprise in the state (or a unit of the state or local government), including an agent, representative, or designee thereof.
Under the new Colorado law, an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing his or her personal account or service through his or her electronic communications device.
An employer also may not discharge, discipline, or otherwise penalize (or threaten to discharge, discipline, or otherwise penalize) an employee for his or her refusal to disclose any information protected under the new Colorado law.
Moreover, an employer may not fail or refuse to hire an applicant because he or she refuses to disclose any information protected under the new Colorado law.
The new Colorado law allows an employer to require an employee to disclose any user name, password, or other means for accessing non-personal accounts or services that provide access to the employer’s internal computer or information systems.
This new Colorado law also does not prevent an employer from:
- conducting an investigation to ensure compliance with applicable securities or financial law or regulatory requirements based on the receipt of information regarding the use of a personal Web site, Internet Web site, Web-based account, or similar account by an employee for business purposes; or
- investigating an employee’s electronic communications based on the receipt of information regarding the unauthorized downloading of the employer’s proprietary information or financial data to a personal Web site, Internet Web site, Web-based account, or similar account.
An aggrieved applicant or employee may institute a civil action in a court of competent jurisdiction within one year after the date of the alleged violation, and is entitled to
- injunctive relief;
- compensatory and consequential damages; and
- reasonable attorney fees and court costs.
The new Colorado law’s coverage, prohibitions, and exceptions are analogous to the social media laws adopted in other states, and the bills pending in the U.S. Congress and numerous state legislatures. It should be noted, however, that the new Colorado law arguably offers more lucrative remedies than any of its counterparts. As Colorado’s new plaintiff-friendly law continues a growing national trend, it is imperative that employers within the state and across the nation proceed with caution and prepare accordingly.