On March 21, 2013, New Jersey's state legislature passed A2878 to prohibit employers from requiring or requesting that prospective and current employees disclose their user names and passwords to their personal social media accounts. Governor Chris Christie conditionally vetoed the bill on May 6, 2013, proposing a series of modifications to "more properly balance" the plaintiff-friendly legislation. On August 19, 2013, the legislature agreed to the Governor's changes and passed the amended bill, which Christie signed into law on August 29, 2013.
New Jersey joins eleven other states granting similar social media protections: Maryland, Illinois, California, Michigan, Utah, New Mexico (which seemingly covers prospective employees only), Arkansas, Colorado, Washington, Oregon, and Nevada. What is more, dozens of other states and the U.S. Congress are considering comparable legislation. To help employers navigate through New Jersey's new law, which takes effect on December 1, 2013, this alert discusses its coverage, prohibitions, exceptions, and remedies.
The coverage of New Jersey's new law is expansive. With the exception of state and county corrections departments, the state parole board, and state and local law enforcement agencies, the term "employer" encompasses any employer, as well as any agent, representative or designee thereof.
Pursuant to New Jersey's new law, an employer may not require or request that a current or prospective employee provide or disclose any user name or password to a personal account1 or in any other way provide the employer access to a personal account through an electronic communications device.2
New Jersey's new law also expressly prohibits an employer from retaliating or discriminating against an individual for:
refusing to provide or disclose any user name or password, or in any way provide access to a personal account;
reporting an alleged violation of the new law to the Commissioner of Labor and Workforce Development;
testifying, assisting, or participating in any investigation, proceeding or action concerning a violation of the new law; or
otherwise opposing a violation of the new law.
New Jersey's new law explicitly prohibits employers from requiring an individual to waive or limit any of its protections as a condition of employment, rendering any such agreement void and unenforceable as against public policy.
New Jersey's new law does not prevent an employer from:
implementing and enforcing a policy pertaining to the use of an employer-issued electronic communications device, or any accounts or services provided by the employer or that the employee uses for business purposes;
complying with the requirements of federal, state or local laws, regulations or rules (including the rules of self-regulatory organizations), or case law;
conducting an investigation: (1) for the purpose of ensuring compliance with applicable laws, regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about the employee's activity on a personal account; or (2) based on the receipt of specific information about the employee's unauthorized transfer of an employer's proprietary information, confidential information or financial data to a personal account; or
viewing, accessing, or utilizing information available in the public domain about a current or prospective employee.
Under New Jersey's new law, the Commissioner of Labor and Workforce Development may subject an employer to a civil penalty of no more than $1,000 for the first violation and $2,500 for each subsequent violation.
New Jersey's new law, as modified by Governor Christie, is far less protective of plaintiffs than the one originally passed by the legislature. The prior incarnation of the bill did not include exceptions found in many of the other state laws, and arguably provided broader prohibitions and more generous remedies than any of its counterparts. Despite its non-waiver clause, New Jersey's new law is now more in line with the majority of social media laws across the country.
Although New Jersey's new law is not as generous to plaintiffs as originally intended, employers in the state still must tread with caution when monitoring their applicants' and employees' social media activity. Indeed, employers may face more than fines under New Jersey's new law for requesting or requiring that applicants and employees divulge their passwords to their personal social media accounts. In fact, recent New Jersey case law suggests that employers who engage in such conduct may run afoul of common law privacy rights (and, as a result, may incur damages in court). Further, an employee may try to seek damages in a whistleblower suit pursuant to New Jersey's Conscientious Employee Protection Act on the grounds that he or she was retaliated against for objecting to a violation of New Jersey's new law. Given these risks, New Jersey employers should make sure to adopt a clear and compliant workplace policy on the use of social media.