Washington State has joined this spring’s flood of password-protection legislation.  Since mid-March of this year, legislatures in Arkansas, Colorado, New Jersey, New Mexico, and Utah also have passed bills restricting employers’ access to applicants’ and employees’ personal social media accounts.

The Washington bill (currently awaiting signature by Governor Inslee) broadly prohibits employers from accessing employees’ and applicants’ social networking accounts.  Employers are prohibited from: (a) requiring disclosure of log-in information; (b) asking for access to the account in the employer’s presence, i.e., shoulder surfing; (c) requiring the acceptance of a “friend” request from the employer; (d) requiring a change in privacy settings to make the account accessible to the employer; and (e) using log-in credentials inadvertently obtained through the employer’s monitoring of corporate electronic resources.  Employees or applicants subject to an unlawful demand can recover actual damages in a private lawsuit, as well as a $500 penalty and an award of attorney’s fees and costs.

The Washington bill contains a significant exception for workplace investigations.  Employers can require that employees share content from their personal social media accounts in connection with an investigation into workplace misconduct if the investigation is undertaken in response to information received about the employee’s personal social media content and the content is relevant to a factual determination made in the course of the investigation.  Even in that scenario, the employer may not ask for the employee’s log-in information.  The new law’s prohibitions do not apply to employer-provided accounts or devices.