Michigan's New 'Internet Privacy Protection Act' Sets Limitations For Employers And Employees

On December 28, 2012, Michigan joined California,1 Illinois,2 and Maryland3 in enacting a social media password protection law when Governor Rick Snyder signed the "Internet Privacy Protection Act" (IPPA or the "Act"). In an accompanying statement, the governor declared that "cyber security is important to the reinvention of Michigan, and protecting the private internet accounts of residents is a part of that," and that "potential employees and students should be judged on their skills and abilities, not private online activity." To accomplish these objectives, the IPPA, like the other states' social media legislation, generally prohibits employers from gaining access to applicants' or employees' personal social media accounts. The Act, however, also permits employers to access employees' use of employer equipment and systems and allows for investigations, under certain circumstances, of employees' personal social media accounts. While relatively straightforward, the Act will require businesses operating in Michigan to grapple with a range of interpretive challenges.

Initially, the IPPA applies to Michigan public and private educational institutions and public and private sector employers. The emphasis of this ASAP is on the Act's application to Michigan employers, defined by the Act as a "person, including a unit of state or local government, engaged in a business, industry, profession, trade, or other enterprise in this state and includes an agent, representative, or designee of the employer." Thus, all employers, regardless of size, are subject to the Act.

The IPPA regulates employers' access to an applicant's or employee's "personal internet account," which is defined as "an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user's account information, profile, display, communications, or stored data." Accordingly, the Act applies not just to social media accounts but to all internet-based accounts, including e-mail and cloud storage accounts.

The Act identifies three straightforward prohibitions on employers with respect to such accounts. First, employers cannot request an applicant or employee to grant it "access information," i.e., "user name, password, login information, or other security information that protects access to a personal internet account," in order to gain access to any...