Last month, California became the third (and largest) state to regulate employer access to the social media accounts of applicants and employees. The law, A.B. 1844, will take effect on January 1, 2013, and is intended to protect California employees and applicants from “unwarranted invasions of their personal social media accounts.” However, when the California legislature tries to solve one employment problem it can create several others, and A.B. 1844 contains many undefined and unclear provisions that create potential landmines for California employers.
We have seen a renewed legislative interest in some employers’ practice of asking their employees and applicants to divulge social media passwords, permitting employers to review social media profiles for suspicious or inappropriate activity. The media, advocacy groups, legislators, and the general public have refocused attention on the subject—an area that implicates individual privacy rights and the limits of an employer’s ability to access the social media information of its current and prospective employees. Before California’s passage of A.B. 1844, both Maryland and Illinois passed similar laws regulating employer access to applicant and employee social media account information.
The recent increase in interest can be traced partially to a 2010 incident in which the Maryland Division of Corrections demanded Facebook log-in credentials from a corrections officer, Robert Collins, following his return from leave. Mr. Collins was not, however, the first employee to be subject to such a request by a government agency. Since 2006, the sheriff’s office of McLean County, Illinois, has requested social media log-in information from all job applicants. In 2009, the city of Bozeman, Montana, required all applicants to provide social media log-in information (a practice it has since discontinued). In 2011, a Michigan teacher’s aide was fired when she refused to provide her employer with her Facebook log-in information, including her password.
Earlier this year, Facebook issued a statement condemning the practice of requesting social media log-in information from job applicants, stating in part, “This practice undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability.” In addition, Facebook has made it a violation of the company’s Statement of Rights and Responsibilities to share or solicit a Facebook password. In line with this cautionary note from Facebook, many employer attorneys have counseled against this practice. Nonetheless, the California legislature has decided to create a legislative “solution” to a problem that may not have been a widespread one in California to begin with.
California’s New Law – A.B. 1844
A.B. 1844 prohibits an employer from requiring or requesting an employee or applicant for employment to do any of the following: (1) disclose a username or password for the purpose of accessing personal social media; (2) access personal social media in the presence of the employer; or (3) divulge any personal social media information, except as provided for in the bill. The law clarifies that employers’ existing rights and obligations to request personal social media information remains intact if that information is reasonably believed to be relevant to an investigation of allegations of employee misconduct or an employee’s violation of applicable laws and regulations, and only if the social media is used solely for purposes of that investigation or a related proceeding. A.B. 1844 does allow employers to require or request a username, password, or other method of accessing an employer-issued electronic device. The law also prohibits any discharge, discipline, threat to discharge or discipline, or other retaliation against an employee who fails to provide information requested in violation of the law.
Open Issues under A.B. 1844
California’s new law does not address many important areas and, as a result, creates potential pitfalls for employers, including the following:
“Bring Your Own Device” Policies. A.B. 1844 specifically allows employers to require or request an employee to disclose a username, password, or other information for the purpose of accessing an employer-issued electronic device. However, the line between an employer-issued device and a personal device connected to the employer’s information systems is becoming blurred. Indeed, many companies have enacted so-called “bring your own device” (BYOD) policies that enable employees to use personal devices for professional purposes as a company policy. In addition, employers often permit their employees to use their own electronic devices to connect to company networks or other electronic systems. It is not unusual, for example, for an employee to use his or her smartphone to access work email or other network services. Depending on what constitutes an “employer-issued” device under A.B. 1844, employers may not have access to those personal devices. This ambiguity could be especially problematic if, for example, an employer is required to comply with a “litigation hold” or a discovery request in litigation, but is not able to retrieve or preserve the necessary information.
Investigation of Employee Misconduct/Violation of Applicable Laws. A.B. 1844 allows an employer to require or request social media credentials if it reasonably believes them to be relevant to an investigation of employee misconduct or an employee’s violation of applicable laws and regulations, but only if the social media is used solely for purposes of that investigation or a related proceeding. The statute’s language is not clear as to who can be asked for social media credentials, whose social media can be reviewed, and what relation that social media use must have to an investigation in order to meet the requirements of the law. For example, if an employer investigates allegations of trade-secret theft, fraud, or sexual harassment by Employee A, can the employer ask Employee B for Employee B’s social media credentials to monitor or review Employee A’s online behavior? Or is the employer limited to asking Employee A for Employee A’s credentials? Additionally, this exception for the use of social media is limited to only two types of investigations: (1) employee misconduct and (2) employee violation of an applicable law or regulation. One can imagine other scenarios in which an employer might wish to review employee social media for reasons that may not rise to the level of these exceptions, including insubordination or even poor performance. Seeking social media credentials for such uses, however, likely is complicated by California’s law.
Incongruity of Defined Terms. A.B. 1844 defines “social media” as “an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.” Essentially, any online activity—including email—is considered social media for the purposes of the statute. However, the statute does not define “personal social media,” which is the type of social media protected throughout the statute. Consequently, employers are left somewhat in the dark as to what is restricted by the prohibitions on requiring an applicant or employee to “access personal social media in the presence of the employer” or “divulge any personal social media,” except as otherwise provided in the statute. The legislation also leaves unanswered what “personal” means when social media blends into the increasingly popular forms of web-based business-related networking. For example, recently an employer had to defend its action to take control of a social media account that the company claimed it owned from a terminated employee who had used the social media account as her own. Such cases underscore the need for clear, written policies establishing ownership of such business-related social media accounts, and they also indicate that the ambiguity created by California’s new law could have very real consequences.
What is clear following California’s passage of A.B. 1844 is that the social media landscape continues to evolve in the employment context. Competing interests exist. Employers often wish to inspect and monitor social media activity as it relates to matters affecting the workplace. Employees, on the other hand, have certain reasonable expectations of privacy and do not believe an employer may encroach on territory deemed personal. The National Labor Relations Board’s recent activity and ruling regarding social media policies speaks to yet other interests at play (e.g. those interested in preserving concerted activity) with respect to the use of social media in the workplace. California’s statute demonstrates that states are not waiting for employers or the federal government to act with respect to the practice of requesting social media credentials from applicants and employees. Employers therefore must act cautiously and prudently as they address the increasing number of social media issues arising in the workplace, especially with respect to the policies and practices dealing with social media use.
Wilson Sonsini Goodrich & Rosati is following developments around the country with respect to social media law. Attorneys in the firm’s employment and trade secrets litigation group are available to discuss or review social media policies and related practices, as well as other employment policies. For more information, please contact Fred Alvarez, Rico Rosales, Marina Tsatalis, Laura Merritt, Charles Tait Graves, or another member of the firm's employment and trade secrets litigation practice.