Nevada and Colorado recently passed employee social networking privacy laws. Both laws prohibit employers from requiring disclosure of employees’ or applicants’ personal social-networking account login information, and from retaliating against them for refusing to provide that information.  But one or both of these statutes are somewhat different from other states’ social networking laws in that:

  1. The Colorado law does not allow employees or applicants to sue employer for violations. The law only permits employees to file complaints with the Department of Labor and Employment, which after investigation may fine or sue employers on employees’ behalves. It does not appear that other parts of the Colorado labor / employment code authorize employee lawsuits.
  2. Similarly, it is unclear what remedies Nevada employees and applicants have under that state’s new law. The social media statute itself says nothing about remedies, even though its companion law passed at the same time – which prohibits mandatory employee credit information disclosure – does contain specific administrative remedies for employer violations. Perhaps employees will be able to file complaints with the Nevada Equal Rights Commission under NRS 233, but that is unclear, and if that were the case, their remedies seem to be limited to cease-and-desist orders, reinstatement, and back pay and benefits. Perhaps the law will be amended prior to its 10/1/13 effective date to clarify its remedies.
  3. The Nevada law has no exceptions for employer investigations. It only says that it does not prohibit mandatory disclosure of non-personal-social-media account or device passwords in order to access employer-owned devices and networks. The Colorado law, on the other hand, contains the carve-outs and exceptions we see in other states’ social media laws regarding employer investigations into alleged employee misconduct, proprietary- or financial-information theft, violations of other law, for compliance purposes, and lawful personnel-policy enforcement.

In addition, both of these laws have the same problems as most other social-media laws in effect:  though they both prohibit mandatory disclosure of ‘personal’ SM account logins and information, neither defines ‘personal account.’  We’ve blogged a number of times on these definition gaps in the other SM privacy laws, as well as on the cases which say that the employer ‘owns’ its employee’s SM account content, at least where the employer required SM account usage and assisted in the account’s development, maintenance, and monitoring.  An employer may be able to circumvent the law by requiring new or existing SM account usage and maintenance as a condition of employment, even though employees may use such accounts for personal reasons as well.  Legislatures would do well to clarify the difference between ‘personal’ and ‘employment-related’ accounts.