Continuing a nationwide trend, both Colorado and Washington recently enacted legislation restricting employers from requesting access to the social media accounts of applicants and employees.

Under the new law in Colorado, employers may not “suggest, request, or require” or cause employees or applicants to disclose access information to an account or change their privacy settings to allow access. Employees cannot be compelled to “friend” the employer or the employer’s agent or otherwise connect on a social media site.

Retaliation based on the refusal to disclose access information or friend an employer in the form of discharge, discipline or the threat of negative employment action is also prohibited.

The law carves out exceptions for employer investigations to ensure compliance with applicable securities or financial regulations if the company receives information that the employee has used a personal account for business purposes, or if the employer receives a tip that the employee has made unauthorized downloads of proprietary information.

Employees or applicants that suspect a violation of the law can file a complaint with the state’s Department of Labor and Employment; a private right of action is unavailable under the law. Fines for violation of the law can be imposed by the state of up to $1,000 for a first offense and up to $5,000 for subsequent offenses. The new law took effect May 11.

Washington Gov. Jay Inslee signed a similar bill into law on May 21 after it passed both houses of the state legislature unanimously. Nearly identical to the Colorado bill, the Washington law similarly prohibits retaliatory actions by the employer and provides exemptions for specific employer investigative purposes.

One major difference: Washington allows for a private right of action by an aggrieved employee or applicant, who can receive injunctive or other equitable relief, actual damages, a penalty in the amount of $500, and reasonable attorneys’ fees and costs if successful.

And in New Jersey – which previously enacted a bill with protections for job applicants and university students – the legislature has already passed an amended law adding employees to the list of protected parties. In addition, the changes would prohibit retaliation based on protected activity and establish civil penalties for violations of the law (up to $1,000 for the first violation and $2,500 for each subsequent violation).

The proposed amendment unanimously passed the state’s General Assembly and now heads to Gov. Chris Christie for a likely signature. Gov. Christie vetoed an earlier version of the law which included a private right of action. In response, lawmakers switched out that provision in lieu of civil penalties.

To read the new Colorado law, click here.

To read Washington’s new law, click here.

To read New Jersey’s legislation, click here.

Why it matters: With the addition of Colorado and Washington to the list, a total of nine states have now enacted legislation protecting applicant and/or employee social networking accounts, including Arkansas, California, Illinois, Maryland, Michigan, New Mexico and New Jersey. The trend is likely to continue, as other states are currently considering similar laws. Even the feds have gotten involved, with a bipartisan group of more than 30 cosponsors introducing the Password Protection Act of 2013 in the House of Representatives. Employers should review their hiring practices as well as any monitoring of employees on social media to ensure compliance with applicable state law.