In the last eighteen months, legislatures in at least 35 states have introduced and, in some cases, adopted, legislation intending to prohibit or significantly restrict an employer’s ability to access an employee’s personal social media accounts. See National Conference of State Legislatures, “Employer Access to Social Media Passwords,” which can be accessed here (2012 Legislation) and here (2013 Legislation). Such legislation raises significant questions regarding the ability of registered institutions to fulfill their mandated supervisory and surveillance functions. FINRA’s lobbying efforts to amend both proposed and adopted employee social media legislation have largely been unsuccessful.
Under the guise of privacy protection, various federal and state laws have been enacted to prohibit private-sector employers from accessing an employee’s or applicant’s social media account. See, e.g., Stored Communications Act, 18 U.S.C. 121 §§ 2701–2712. In response, some employers and prospective employers simply request the employee or applicant to authorize or consent to access. However, there are risks to an employer seeking such consent, as at least one court has recognized the absence of any meaningful choice when confronted by an employer or prospective employer with a request for access to a social media account. See Pietrylo v. Hillstone Rest. Group, Civil No. 06-5754, 2009 U.S. Dist. LEXIS 88702 (D.N.J. Sept. 25, 2009) (8 PVLR 1474, 10/12/09).
New and Pending Social-Media Privacy Legislation
In an effort to protect employee and applicant privacy, as well as to avoid the “Hobson’s Choice” of whether to consent to access to one’s social media site, numerous states have proposed, if not adopted, legislation prohibiting employers from accessing employees’ personal social media accounts, subject to limited exceptions. For example, California’s social-media privacy law, which went into effect on January 1, 2013, states that “an employer shall not require or request an employee or applicant for employment to do any of the following: (1) [d]isclose a username or password for the purpose of accessing personal social media; (2) [a]ccess personal social media in the presence of the employer; [or] (3) [d]ivulge any personal social media” except in the context of an investigation into allegations of employee misconduct or violation of applicable laws and regulations. California 2012 Cal ALS 618 (Chapter 2.5 § 980).
Some states that have introduced such legislation have carved out exceptions that specifically address the duty of employers in the securities industry to monitor employees’ social media accounts. For example, Delaware’s bill explicitly states that “[t]his Act shall not prohibit employers in the financial services industry, who are subject to the laws and regulations of the SEC, FINRA or other financial regulators, from conducting internal investigations into employee wrong doing, complying with the supervision requirements of the SEC, FINRA or other financial regulators, or achieving waiver of the personal communications protections in employment contracts.” Delaware H.B. 308.
However, the Securities Industry and Financial Markets Association (SIFMA) has suggested that these carve-outs are inadequate, as they may not be interpreted to allow securities firms to access employees’ social media accounts for general supervisory use. With the burgeoning popularity of the use of social media for advertising and publicity purposes, securities firms have found that access to their employees’ social media accounts, like Twitter and Facebook, is critical to fulfilling their supervisory duties. Because statements that Investment Adviser Firms (or their representatives) make to the public on social media are subject to the SEC’s books-and-records rules, and communications that Broker-Dealers make to the public on social media are activities governed by the Exchange Act, any impediment to supervising employees’ activity on social media presents a major compliance headache for financial firms.
Potential Preemption Challenge
Notwithstanding the uncertainty surrounding the scope and effect of any “carve-out” provisions, we expect that these social media privacy laws will face a preemption challenge similar to that presented in McDaniel v. Wells Fargo Investments, LLC.1 In McDaniel, former securities-brokerage employees brought putative class actions against brokerages for allegedly violating California’s forced patronage statute by forbidding employees from opening self-directed trading accounts outside the firm. The Ninth Circuit Court of Appeals affirmed the lower courts’ finding that the Exchange Act and related rules “preempt any state law that ‘stands as an obstacle to the accomplishment and execution of [the federal laws’] full purposes and objectives.’”2 Because the forced-patronage statute limited securities firms’ “full discretion to utilize [SEC-granted authority] to restrict … associated persons’ private securities activities,” federal law preempted the statute.3 Further, there was no way to interpret the statute to avoid the conflict.4
Similarly, here, a court could find that social-media privacy laws are preempted because they obstruct securities firms’ ability to implement policies in fulfillment of their SEC-directed duty to monitor employees’ communications with the public in an effort to prevent the misuse of material, nonpublic information. However, this is still an unsettled area of law.