New social media privacy protection laws take effect for the New Year

It’s a happier new year in California, Michigan and Illinois, where the privacy of social networking sites gains new legal protection today.

Effective January 1, it’s illegal for employers in those three states to demand the login or password information for employees’ or applicants’ personal social media pages. And in Michigan and California, the ban also protects students’ privacy to varying degrees as well.

Thanks to House Bill 5523, Michigan now has the nation’s best law protecting students at all levels — from kindergarten through grad school, private and public alike — against demands for their social media logins.

Under Michigan’s new law, no school or college may ask a present student or applicant to turn over information allowing access to social media accounts, to log into a social media account in the presence of a school employee, or to impose discipline for refusing an unlawful demand for access. There are no exceptions to the law, not even for investigations of student misconduct.

A student or applicant whose rights are infringed is given the express right to sue for $1,000 money damages, plus attorney fees, for each violation. Importantly, schools and colleges are given liability protection so that they can’t be held legally responsible for failing to detect something that was on a secured, nonpublic portion of a student’s site.

California Senate Bill 1349 by Sen. Leland Yee, D-San Francisco/San Mateo, applies only at the college level and not to K-12 schools, and its protections are somewhat narrower.

The California law prohibits colleges from requiring students, applicants or student groups — and this includes student media — to divulge the login information for their social networking sites. Nor can college employees force a student to log into his own social networking site to examine its contents.

Unlike in Michigan, the California law provides an exception where access to nonpublic social media information would otherwise be permissible as part of a criminal or disciplinary investigation. How colleges apply that exception will require close watching, as the legal threshold for initiating a disciplinary case is quite low, and college discipline lacks all of the due-process formalities of the criminal justice system.

The law also requires private colleges — which normally are not subject to state public-disclosure laws — to post their social media policies online.

As for employee protection, the new statutes in California, Michigan and Illinois all have comparable protection — they prohibit an employer from requiring that a current or prospective employee provide social media login information or log into a personal social media site with the employer watching — but each has a few distinctive wrinkles.

Michigan House Bill 5523 is the most detailed and carefully drafted. It provides narrow exceptions that allow an employer to demand access to an employee’s password where, for instance, there is specific evidence that the employee has used a social media account for pirating the employer’s proprietary information.

Michigan’s law also attempts to deal with the increasingly common predicament of the quasi-professional/quasi-personal social media presence, like the Twitter feed that a telecom technology blog sued its former employee over, claiming ownership of the account’s 20,000-plus followers.

Under the new law, an employer can require an employee to surrender the password for an account that is “obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.” Michigan courts will be left to decide how much business usage transforms an account from a personal to a professional one. Until they do, employees should be mindful that this is yet another of the risks of mixing business and pleasure.

Illinois House Bill 3782 is arguably the broadest of the  comparable protections and limits, because it provides no safe harbor for employers to require disclosure of social media passwords even when they’re investigating wrongdoing.

Interestingly, the Illinois law expressly states that email accounts are not covered by the new privacy protections, which suggests that an employer might be able to require access to personal email as a condition of getting hired or staying employed. But such a demand might well run afoul of existing privacy laws anyway.

Virtually every state recognizes some type of common-law claim for invasion of privacy, and demanding to read someone’s love notes, correspondence with physicians or other intimate personal information without substantial legal justification would expose the employer to civil liability. The reason that a new privacy law was needed for social media sites but not for email is that an invasion-of-privacy claim will not hold up once it’s shown that information has been shared with dozens of Facebook friends.

As one legal commentator observed in connection with Illinois’ new law, too much information also can be a dangerous thing for employers. Suppose a supervisor learns when reading an employee’s personal messages that the employee belongs to an unconventional religious sect, or that a disabling medical condition runs in the employee’s family. Once seen, that information can’t be “un-seen.” And any punitive decision taken against the employee will then be tainted with the suspicion of discrimination.

The California law, AB 1844, applies only to private employers and not to the government, but a state Assembly member filed legislation Dec. 3 that would patch that loophole, extending the same privacy rights to city, county and state workers and applicants.

In July 2012, Delaware became the first state to prohibit social media snooping by colleges. HB 309 not only restricts colleges (both public and private) from requiring disclosure of social media passwords, but also prohibits them from requiring that college employees be “friended” to gain access to nonpublic pages on a student’s site.

Last month, New Jersey joined the club. AB 2879 took effect when Gov. Chris Christie signed it Dec. 3. In addition to prohibiting demands for access to social media login information, it prohibits public or private colleges even from asking whether a student or applicant has a social networking profile.

So far, the primary targets of colleges’ social-media snooping have been athletes. Of the new laws, only New Jersey’s explicitly outlaws conditioning extracurricular activities on waiving social-media confidentiality — though the California and Delaware laws certainly appear intended to put a stop to such “mandatory waivers.”

Maryland became the first state to ban employers, both private and governmental, from asking current or prospective employees for their passwords, a law that also prohibits employees from downloading employers’ confidential information to their personal websites. HB 964, signed into law in May, took effect Oct. 1, 2012.

While it’s understandable — and legal — for employers to look at the publicly accessible portions of an applicant’s social media page, obtaining the password conveys access even to one-on-one messages that were never intended to be shared. An employer, college or school has no more business reading private messages than it does bugging people’s telephones.

Importantly, nothing in any of these new laws gives anyone a “privacy right” in the parts of social media pages that are unsecured. It is not an “invasion of privacy” for a school, employer or anyone else to view material that has been voluntarily put on public display — so discretion and a slow trigger finger are still advisable.

For more on the issue of social media privacy and how student job applicants have been affected by employers’ demands, see Sydni Dunn’s account in the Fall 2012 edition of SPLC Report.

For more on colleges’ demands for athletes’ social media passwords, see Nick Glunt’s story in the Spring 2012 issue of SPLC Report.