Making Sense Of The Complex Patchwork Created By Nearly One Dozen New Social Media Password Protection Laws

The legislative torrent has been virtually unprecedented in the area of workplace privacy. In a single season, spring 2013, seven states enacted social media password protection legislation, bringing the total number of states to 11 since Maryland enacted the first such law in May 2012. Bills are pending in more than 20 other states. The current roster of states, dominated by the Rocky Mountain Region and the Far West, is as follows: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington. New Jersey appears poised to join this group as the state's legislature amends a bill conditionally vetoed by Governor Christie in May.

The 11 states have created an unwieldy legislative patchwork that will leave many multi-state employers struggling to create a uniform policy. Nonetheless, a thorough review of the legislative hodgepodge does lead to several useful conclusions for employers. These conclusions will be described in detail below.

What conduct by employers do these laws generally prohibit?

One of the only points of uniformity is the basic prohibition: all of these laws prohibit employers from requesting or requiring that applicants or employees disclose their user name, password, or other information needed to access a personal social media account. The notable exception is New Mexico, which applies the prohibition only to applicants.

The states with the most expansive legislation — Illinois, Michigan and Washington — also prohibit employers from requiring that applicants or employees (a) accept a request, such as a Facebook "friend request," that would permit access to restricted content; (b) permit the employer to observe their restricted social media content after they have logged in, i.e., "shoulder surfing"; and (c) change their privacy settings in a manner that would permit the employer to access their restricted social media content. Arkansas and Colorado do not expressly prohibit shoulder surfing. California, Michigan and Oregon do not expressly prohibit requiring an applicant or employee to change privacy settings to permit employer access to restricted social media content. It remains an open question whether state courts will read these slightly narrower statutes and those statutes that prohibit only compelled disclosure of log-in credentials to encompass other methods for circumventing user-created restrictions on access to personal social media.

A majority of states expand on their access prohibition by applying it not only to social media but also to any personal online account. For example, the most recently enacted law (Nevada) defines "social media account" to mean "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles." The states that most broadly define social media are Arkansas, California, Colorado, Maryland, Michigan, Nevada and Utah. By contrast, Illinois, New Mexico, Oregon, and Washington appear to apply their password protection laws only to social media accounts, excluding other personal online services from their laws' purview.

...