Following the lead of Maryland and Illinois, California’s legislature, last week, sent to the governor for signature the nation’s third “password protection” law. Unlike the Maryland and Illinois laws, California’s pending statute takes into account employers’ legitimate business interests.

The Illinois law broadly prohibits employers from requesting or requiring that applicants or employees disclose their personal social media log-in credentials. Maryland’s law has two narrow exceptions for investigations into suspected securities violations or misappropriation of trade secrets, without any legislative findings explaining why these two categories of workplace misconduct should be exempted from the statute’s purview while other forms of workplace misconduct, such as a threat posted on social media to kill co-workers, are not. Earlier versions of the California bill, like the Illinois law and more than one dozen bills currently pending in other states, imposed a blanket prohibition on all employer requests for personal social media log-in credentials, without consideration of employers’ legitimate need to make such requests. In a July article entitled “Rethinking and Rejecting Social Media Password Protection Laws,” we challenged the myopic view implicit in these laws and bills, i.e., that employers rarely or never have a good reason to investigate the content of an applicant’s or employee’s restricted-access social media site.

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted-access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntarily provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.