On August 29, 2013, New Jersey Governor Chris Christie signed into law Assembly bill no. 2878 (fourth reprint), which prohibits employers from asking or insisting that their employees provide access to their personal social networking accounts. New Jersey is the thirteenth state to enact some form of employee social media networking legislation.
Once the law goes into effect, New Jersey employers will no longer be able, subject to exceptions described below, to ‘request or require’ employees or job applicants to turn over their account logins, disclose account content, or sign a waiver of any rights under the statute. (Section 7 of the statute says its effective date is the ‘first day of the fourth month following enactment.’ Because the bill was signed on 8/29/13, December 1, 2013 is probably that day (December 29th will be the ‘fourth month’ after passage). At the latest, the law will take effect on January 1, 2014). Any such waiver will be void. Nor may employers discipline employees or refuse to hire applicants based on their refusal to provide account access or content, or for reporting violations. Employers found in violation of the law are subject to civil penalties of up to $1,000 for the first violation, and up to $2,500 for each subsequent violation.
The law has plenty of concessions for employers, though. Only employees’ and applicants’ “personal” accounts are off limits. The law defines such accounts as those used “exclusively for personal communications unrelated to any business purposes of the employer,” and excludes accounts that are “created, maintained, used or accessed” by employees or applicants “for business purposes of the employer or to engage in business related communications.” Thus, accounts are fair game when employers require that employees open and use them for company business, and even arguably when an employee or applicant posts anything employer-related on his/her otherwise “personal” account.
Further, the law will not prohibit employers from complying with state or federal law, including the rules of self-regulatory organizations (i.e. NASD and FINRA). Employers may also regulate work-device and work-account usage, and may also require personal account access when the employer receives information that employees have used such accounts for work-related misconduct or to store employer proprietary assets or financial data without authorization. And employers will be free to find and use any information about employees and applicants in the public domain.
Perhaps most importantly for employers, the law only allows employees to report violations to the state Department of Labor and Workforce Development, which may then file a ‘summary proceeding.’ The fines mentioned above, if levied, go to the state, not to the complaining employees or applicants. Governor Christie conditionally vetoed the original version of the law, which allowed employees and applicants to file lawsuits for their own damages, back pay, benefits, injunctions, attorneys’ fees, and costs. The governor struck that provision without specific comment (he only commented on the exceptions for required access), and the Assembly and Senate both unanimously passed the version without the lawsuit provisions.
New Jersey’s limited remedies provisions are not uncommon. Of the thirteen states with social networking privacy laws, only Oregon’s and Washington’s statutes authorize civil lawsuits without capping damages. Other states either cap lawsuit damages at no more than $1,000, or do not authorize lawsuits, instead limiting remedies to complaints with state agencies and fairly nominal penalties. And New Jersey’s narrow definition of “personal” accounts is also consistent with most other states’ laws, which limit their reach to personal accounts either expressly or by implication.