On December 13, 2012, the Michigan Legislature passed House Bill HB 5523 known as the Internet Privacy Protection Act (IPPA). On December 28, 2012, Governor Snyder signed the IPPA, which took effect immediately. Similar to recently enacted laws in Maryland, Illinois, and California, Michigan’s IPPA prohibits employers from requesting that an employee or applicant grant access to, allow observation of, or disclose information that allows access to or observation of “personal internet accounts,” such as Gmail, Facebook and Twitter. Under the IPPA, an employer may not discharge, discipline, fail to hire, or otherwise penalize an employee or applicant declining such requests.
There are, however, several noted exceptions. Under the IPPA, an employer may:
Request or require an employee to disclose access information to gain access to or operate:
- an electronic communications device paid for, in whole or in part, by the employer; and
- an account or service provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.
- Discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal internet account without the employer’s authorization.
Conduct an investigation or require an employee to cooperate in an investigation in any of the following circumstances:
- if there is specific information about activity on the employee’s personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.
- if the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal internet account.
- Restrict or prohibit an employee’s access to certain websites while using an electronic communications device paid for, in whole or in part, by the employer or while using an employer’s network or resources, in accordance with state and federal law.
- Monitor, review, or access electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on an employer’s network, in accordance with state and federal law.
- Comply with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization as defined in the Securities and Exchange Act of 1934.
- View, access, or utilize information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.
In addition, the IPPA does not create a duty for an employer to search or monitor the activity of a personal internet account. And, an employer is not liable under the IPPA for failing to request or require that an employee or applicant grant access to, allow observation of, or disclose information that allows access to or observation of their personal internet account.
Violators of the IPAA are guilty of a misdemeanor punishable by a fine of not more than $1,000. Individuals may bring a civil action to enjoin the violation and may recover not more than $1,000 in damages plus reasonable attorney fees and court costs. Before filing a civil action, however, an individual must serve the violator with a written demand of the alleged violation for not more than $1,000 and include reasonable documentation of the violation. Finally, it is an affirmative defense to an action under the IPPA that the employer acted to comply with requirements of a federal law or a law of this state.
Note: Although not discussed in this Alert, the IPPA similarly prohibits educational institutions from requiring the same information from a student or prospective student and prohibits an educational institution from expelling, disciplining, failing to admit, or otherwise penalizing those failing to grant access to personal internet accounts. Click herefor more information on the portion of the IPPA pertaining to educational institutions.