Executive Summary: Accessing information about employees and applicants via their social media accounts just got a bit more complicated in Tennessee. This past legislative session, the Tennessee General Assembly passed the "Employee Online Privacy Act of 2014" aimed at protecting employees and applicants from being forced by an employer to turn over access to their social media accounts. The Act makes Tennessee part of a growing number of states enacting similar legislation. Although the Act, which takes effect January 1, 2015, can be seen as a win for employee privacy, it is not an absolute bar to employers using social media as a tool to monitor their employees' and applicants' actions. The law still leaves several permissible purposes for which employers may utilize social media in the employment context.
Background: The Employee Online Privacy Act of 2014 applies to any person or entity with one or more employees and also applies to state agencies or political subdivisions. It specifically prohibits an employer from:
- requesting or requiring an employee or applicant to disclose a password to his or her "personal internet account";
- compelling an employee or applicant to add the employer to his or her list of contacts associated with the account;
- compelling the employee or applicant to access the account in the employer's presence in a way that would allow the employer to review the contents of the account; or
- taking any adverse employment action against an employee or refusing to hire an applicant for failing to disclose information requested in violation of the Act.
The Act broadly defines "personal internet account" to include "an online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer" which includes "any electronic medium or service where users may create, share, or view content." The statute specifically lists "emails, messages, instant messages, text messages, blogs, podcasts, photographs, videos, or user-created profiles" as examples of protected accounts. Therefore, this language almost certainly would include an employee's personal Twitter, Facebook, and LinkedIn accounts, as well as a personal e-mail account or messaging application such as Snapchat.
The Act also has several exceptions. For instance, the Act does not prohibit employers from conducting investigations of a personal internet account or requiring an employee to cooperate in an investigation if (1) the employee's account contains specific information related to the employer's compliance with certain regulations or to any work-related employee misconduct; or (2) the employer has specific information that the employee is using the personal internet account for the unauthorized transfer of the employer's proprietary, confidential, or financial information. Another important exception allows employers to require employees to disclose a username and/or password required to gain access to a computer, laptop, cell phone, or other electronic communications device paid for wholly or in part by the employer, or an account or service provided by the employer as part of the employment relationship or used for the employer's business purposes. Therefore, under this statute, an employer may lawfully require the employee responsible for maintaining or updating the employer's Facebook or LinkedIn page or Twitter account to turn over the information relating to those accounts. There are several additional exceptions, which are all generally geared to ensuring that employers can continue to monitor employee use of company-owned electronic communication devices to ensure employees are not accessing improper websites and to allow employers to remain in compliance with applicable law.
Importantly, the statute does not prohibit employers from viewing employee social media pages that are accessible to the public or voluntarily associating ("following," "friending," "linking," etc.) with employees on any social media website. However, employers should proceed with caution in this regard as the burden of proving that a social media connection with an employee was voluntary likely will fall on the employer.
Employers' Bottom Line: In the ever-expanding world of social media, the new protections created by the Employee Online Privacy Act are sure to affect how managers and employees relate in the workplace. Employers should take note of the Act's provisions and review all employee handbooks and relevant policies that may be affected to ensure they are in compliance. Employers should also train managers and supervisors on what constitutes a "personal internet account" and the limitations on the information that can be required from employees relating to these accounts. Failing to get out ahead of the Act by auditing your company's practices as soon as possible could lead to major problems when the new law goes into effect on January 1, 2015.