New Jersey’s New Social Media Privacy Law: Balancing Employee Rights And Employer Protections

New Jersey has now joined the growing list of jurisdictions seeking to regulate the extent to which employers can monitor their workers’ social media presence. Currently, eleven other states – Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Oregon, Utah, Nevada, and Washington – have social media privacy laws. Gov. Chris Christie signed the New Jersey measure into law last week after the Legislature unanimously accepted the governor’s amendments to a bill he conditionally vetoed last May. The law goes into effect on December 1, 2013.

The new law prohibits employers from requesting or requiring current or prospective employees to disclose their usernames, passwords, or any other access information for any “personal account” on a social media Internet site such as Facebook and Twitter. It also renders void any agreement to waive the new privacy protections and makes it unlawful for an employer to take adverse action against employees who refuse to provide information the employer is prohibited from requesting or against those who report alleged violations.

The statute’s prohibition is limited to inquiries about “personal accounts.” A “personal account” is defined as an account that the employee or applicant uses “exclusively for personal communications unrelated to any business purpose of the employer” and does not extend to any account, service or profile created, maintained, used or accessed by a current or prospective employee for either business purposes of the employer or to engage in business-related communications. The law’s language plainly does not extend to accounts created and maintained by the employer that relate to its business. It is less clear, however, whether the protections of the statute extend to accounts created and maintained by the employee that relate to both personal and business matters. For example, many people use their LinkedIn accounts to maintain personal and business contacts. It is not clear whether the statute would allow an employer to require an applicant or employee to provide access to all of his or her LinkedIn contacts, or only business contacts, or none at all.

The law further provides that employers may access any information available in the public domain about current or prospective employees. Thus, it prohibits the online equivalent of an employer eavesdropping on private social media communications, while still allowing companies to use information the employee chooses to make public. The statute also does not prohibit employers from inquiring whether an employee or applicant has social media accounts.

The statute also provides that, under certain circumstances, the prohibition against accessing personal social media accounts will not apply. For example, the law states that if an employer receives “specific information about activity on a personal account by an employee” that indicates the employee has engaged in “work-related misconduct,” or transferred the employer’s confidential information to a personal account without authorization, or otherwise failed to comply with applicable law, nothing in the act “shall prohibit the employer from conducting an investigation” into such conduct. Although the statute does not expressly say so, it appears the Legislature intended that such an investigation may include requiring an employee to provide access to his or her personal account for purposes of investigating the “specific information” the employer received that triggered the investigation.

This provision appears to provide a safe harbor for employers who receive complaints or other information about employee wrongdoing on social media and wish to investigate the allegations. Indeed, under New Jersey law, employers may have a duty in some circumstances to reasonably investigate certain allegations – such as reports of discriminatory harassment taking place through social media. Employers must be mindful, however, that recent decisions from the United States District Court in New Jersey suggest that access to a worker’s social media account such as Facebook as part of an investigation of alleged wrongdoing may violate the federal Stored Communications Act. Accordingly, investigatory conduct that may be permissible under New Jersey’s new social medial law may violate federal law if done improperly. Employers should exercise extreme caution and consult with counsel before requesting access to or accessing any employee’s social media account for investigative or other purposes.

In its original form, the state’s social medial law contained broad remedies for aggrieved employees. The changes suggested by the governor and approved by the Legislature, however, considerably temper the remedies available. As enacted, the statute does not provide the right to a private cause of action for job applicants and current workers. Instead, aggrieved employees may report violations to the New Jersey Commissioner of Labor and Workforce Development. Employers who violate the law are subject to $1,000 fines for first offenses and $2,500 fines for subsequent violations.

Although the statutory remedies are limited, it remains to be seen whether the New Jersey courts will recognize a common-law cause of action with much broader remedies for employees who are fired for refusing to provide access to personal social media accounts. New Jersey, like many other states, recognizes a common-law cause of action for wrongful termination in violation of “a clear mandate of public policy” and provides broad remedies for employees terminated in violation of a public policy expressed in a statute or regulation. Employees fired for refusing to provide access to their personal accounts in violation of this statute may well argue that the termination violates a clear mandate of public policy.

Employers have until December 1, 2013, to comply with the legislation, but they should begin reviewing current practices and revising relevant policies immediately to minimize legal risks. Social media policies or IT practices that compel disclosure of information prohibited by this new law should be discontinued. A review of hiring due diligence and candidate screening procedures is also in order.