On September 27, 2012, California became the third state to enact legislation protecting employees, job applicants, university students and prospective students against coerced disclosure of usernames, passwords and other information related to personal social media accounts, such as Facebook, MySpace and Twitter accounts, text messages, private email accounts, blogs and podcasts. Governor Edmund G. “Jerry” Brown signed Assembly Bill 1844 (AB 1844) and Senate Bill 1349 (SB 1349), increasing privacy protections for California social media users. The new laws go into effect January 1, 2013. AB 1844 will be codified as California Labor Code Section 980.
The new laws are a response to allegations and news reports that some employers required employees or applicants, and some universities required students or prospective students, to divulge passwords to their social media accounts for the purpose of making employment and enrollment decisions. Among the reported employer and university abuses that fueled the legislation are allegations that:
- In 2011, a Michigan school district suspended a teacher’s aide for refusing to divulge her Facebook password during investigation of a parent complaint that the aide posted a photograph on her private Facebook account of a co-worker’s pants around her ankles. The parent was a Facebook “friend” of the suspended aide.
- In 2010, an applicant with the Maryland Department of Public Safety and Correctional Services was forced to provide his Facebook user name and password to apply for a position as an officer, so that the agency could verify he was not affiliated with any gangs.
- Universities have allegedly hired people to “friend” students – particularly student athletes – to follow what they read and write on social media.
In the wake of such allegations, the Social Networking Online Protection Act was introduced in the US Congress, and at least 14 states enacted or are considering similar measures. Maryland became the first state to enact a law in May 2012, with an effective date of October 1, 2012. Illinois’ version was approved by that state’s governor August 1, 2012 and, like the California law, becomes effective January 1, 2013.
There is plenty of room to argue whether these few, isolated reports of employer and university social media abuse justified the ensuing media coverage and legislative action. Accessing employees and applicants’ social media was already risky. Social media often contains information, such as sexual orientation, that employers should not be gathering, and existing privacy law in some jurisdictions already provided protection for employees against coerced sharing of social media. Nevertheless, the passage of specific legislation changes the landscape for employers and requires the exercise of greater caution. Even though the existing practice of the overwhelming majority of employers recognizes employee privacy rights with respect to private, password-protected social media accounts, we recommend that employers undertake a careful review of their social media policies and practices.
Under Labor Code Section 980, California employers are prohibited from “requiring or requesting” an employee or applicant (1) disclose a username or password for the purpose of accessing personal social media, (2) access personal social media in the presence of the employer or prospective employer, or (3) divulge any personal social media. Employers are forbidden to discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant who refuses to comply with a demand for access to private social media that violates Section 980.
There are two important exceptions to the prohibitions of Section 980. First, an employer may require disclosure of social media content that is “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.” Even if the exception for coerced disclosure of social media content relevant to an investigation of misconduct applies, the employer is constrained from using the disclosed content for any purpose other than the investigation or a related proceeding. Second, Section 980 does not prevent employers from requiring that employees disclose usernames and passwords for the purpose of accessing employer-issued electronic devices.
Section 980 does not include penalties or specific damage remedies; but this new law will enable employees to bring civil suits for invasion of privacy and wrongful discharge in violation of public policy on the basis of alleged violations of Section 980.