social media privacy laws

By Pam Greenberg | Vol . 22, No. 16 / April 2014

NCSL NewsDid you know?

A 2012 Jobvite survey of 1,266 adults found:

  • 52 percent of job seekers use Facebook to help find work, 38 percent use LinkedIn and 34 percent use Twitter.
  • 15 percent of Facebook users modified privacy settings with work in mind, versus 7 percent of LinkedIn users and 5 percent of Twitter users.
  • 17 percent of Facebook users, 9 percent of LinkedIn users and 10 percent of Twitter users provided their profile on a job application or during an interview.

For many employees and employers, what used to be a clear boundary between home and work life is now blurred. Employees use social media sites, computers and mobile devices (their own, their employers’ or both) for work and personal reasons, during and outside of work hours. Social media sites also allow people to share their personal lives with others at work and school in new and expanded ways. However, this new culture has raised questions about how to balance the privacy concerns of applicants, employees and students with legitimate needs of employers or schools to evaluate candidates or protect the business or institution.

Only a few studies are available about the prevalence of school administrators or employers reviewing social media profiles or requesting passwords. In a Kaplan Test Prep survey of college admissions officers in 2013, 26 percent said they check an applicant’s Facebook page. A CareerBuilder survey of 2,100 hiring managers in 2013 found that 39 percent of employers used social networking sites to research job applicants, and 43 percent reportedly found information that caused them not to hire a candidate. In a 2011 survey of 500 human resources professionals by the Society for Human Resource Management, 18 percent said they use social networking sites to screen employees. A much smaller percentage of employers report requesting passwords from applicants. In a 2012 survey of 1,000 large companies by law firm Littler Mendelson, only 1 percent of company representatives said they requested social media logins. Still, concerns about the practice have led lawmakers to introduce legislation to protect the privacy of their constituents.

State Action

Lawmakers began introducing legislation in 2012 that would prohibit employers or educational institutions from requiring employees, applicants or students to turn over passwords to social media accounts. In 2013, 36 states introduced legislation, and at least 28 states are considering legislation in 2014. Fourteen states have enacted laws prohibiting requests for passwords or usernames of personal social media accounts.

Features of State Laws. Although the state laws vary, many prohibit:

  • Employers or educational institutions from requesting user names or passwords from employees, applicants or students.
  • Retaliation for refusal to provide access to a social media account.
  • Requiring an employee, applicant or student to “friend” the employer or school official or using a cohort to gain access to an otherwise private account.
  • “Shoulder surfing”—situations where an employee or student is required to log into a social media account so the employer or school official can view the account.

Some state laws allow an employer or administrator to request access to an account if:

  • Credible evidence exists that the employee or student violated the law or policy and there is reason to believe the social media account may be relevant, such as in cases of threats, bullying or harassment of a co-worker, or to prevent an employee from downloading proprietary, financial or other confidential data belonging to the employer.
  • It is necessary to comply with state or federal rules or self-regulatory organizations, such as the Securities Industry and Financial Markets Association (SIFMA) and the Financial Industry Regulatory Authority (FINRA).
  • The employer owns the accounts or electronic equipment.

Most state laws that protect students apply only to public and private postsecondary educational institutions. Michigan’s law, however, also applies to elementary or secondary schools. Illinois law requires elementary or secondary schools to notify a student and parent or guardian that a password may be requested in cases where a student has violated a school rule or policy. Penalties also vary. Several states specifically allow for civil lawsuits. Other states impose fines. Colorado’s law has an administrative fine of up to $1,000 for the first offense and up to $5,000 for each subsequent offense, and Michigan’s law is a misdemeanor with fine of up to $1,000.

Pros and Cons. Those in favor of legislation say that requesting access to a person’s social media account violates privacy and is akin to asking to read a diary or monitoring activities off the job. In addition, gaining access to social media sites can expose not only information about an employee, student or applicant, but also about friends, family and others who communicate or share photos with that person. Employers viewing social media sites also can encounter information that is unlawful to consider when making decisions about applicants or employees, such as race, religion, age and disability, for example. Advocates also say legitimate screening processes such as background and reference checks can uncover needed information without requiring access to social media.

Opponents say employers have a legitimate interest in social media behaviors that could affect performance or reflect on the company. They say illegal acts and misconduct can expose employers to liability for those actions when connected to the workplace, and legislation prevents employers from monitoring or providing a safe environment for other workers. In addition, some jobs, such as public affairs or social media marketing positions, require social networking experience and skills or involve public safety. Opponents say prohibiting employers from asking to see a social media site in these cases could hinder their ability to evaluate candidates

Federal Action

At least three bills have been introduced in Congress to prohibit employers from requesting passwords to personal Internet accounts from employees or applicants. In addition, the Stored Communications Act (enacted in 1986—well before social networking) has provisions that could protect the privacy of an employee’s electronic communications that are configured to be private. A limited number of federal court cases have applied the act’s protections to online communications or social media sites.

PDF Version