Illinois' New Social Media Password Protection Law Handicaps Employers' Legitimate Business Activities

by Littler

[authors: Philip Gordon and Kathryn Siegel]

On August 1, 2012, Illinois Governor Pat Quinn signed into law a bill modifying Illinois' Right to Privacy in the Workplace Act to limit employers' access to applicants' and employees' restricted social media accounts. The Illinois bill applies to both public sector and private sector employers.

The bill's sponsor, State Representative La Shawn Ford, explained his intentions in introducing the Bill as follows in a May 23, 2012, news release: 

Social networking accounts are places where we document the personal and private aspects of our lives, and employers have realized they can get answers to questions they are already prohibited from asking by gaining unfettered access to our accounts. Who we are friends with and what organizations we choose to support outside of work have nothing to do with whether we can do the job. Responding to current changes in our society, this bill takes a reasonable approach to protect our personal privacy. 

Representative Ford's comments, however, ignore the fact that employers may have a legitimate interest in accessing applicants' or employees' restricted social media profiles — for example, to determine whether an applicant for a child care position has a proclivity for pedophilia or to investigate a post suggesting an employee's intent to engage in workplace violence.

Representative Ford explained to the Chicago Tribune that his office had received letters from a "small amount" of constituents who had been asked to provide their social media passwords to employers, and that the practice was prevalent in law enforcement and banking industries. Contrary to this non-empirical data, however, Littler Mendelson's Executive Employer Survey Report, published in June 2012, found that private employers rarely request social media log-in credentials from applicants or employees. That survey asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: "Has your organization requested social media logins as part of the hiring or onboarding process?" The response: 99% of respondents answered the question in the negative.

In any event, the law makes Illinois the second state in recent months (after Maryland) to forbid employers from requesting or requiring log-in credentials for an applicant's or employee's social networking sites. Similar bills currently are pending or proposed in 12 other states, including California, Delaware, Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, Pennsylvania, South Carolina and Washington, and in both houses of Congress. 

Illinois' new law makes it unlawful for an employer to:

  • "request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website[;]" or
  • "demand access in any manner to an employee's or prospective employee's account or profile on a social networking website."  

While the language in the first bullet point seems relatively straightforward, the scope of the second provision is ambiguous. At first glance, the second provision appears to be intended to prohibit "shoulder surfing." In other words, the second provision was drafted to respond to concerns that an employer might demand that an employee or applicant show the employer his or her social media profile or account, without revealing any log-in credentials, as a way of circumventing the first provision prohibiting the employer from directly asking for an employee's or applicant's log-in  credentials. 

The ambiguous language, however, could be read even more broadly. For instance, if an employee complained about a Facebook post made by a co-worker that appeared on the complaining employee's Facebook timeline, the employer arguably could not ask the complaining employee for a printout of his timeline, an email of the timeline showing the post, or to view the post on the complaining employee's timeline, even though the target of the investigation is not the complaining employee's own social media content. The provision also arguably would prohibit the employer from asking the complaining employee to print, email, or show the employer the accused employee's timeline. 

It is also not clear what "demand[ing] access in any manner" means. Facebook privacy settings may be set up in such a way that friends and "friends of friends" can see a Facebook page. If a member of an employer's management "friends" an employee's Facebook friend and gains access to the employee's Facebook page in that way, has the employer demanded access? Turning to other social media sites, if a manager uses his or her personal Twitter account and requests to follow an employee's private personal Twitter account, has the manager demanded access?

Beyond its broad and imprecise language, Illinois' new law is also concerning because it does not include any exceptions. The law merely emphasizes that it is not intended to restrict an employer's right to promulgate policies regulating use of the employer's own electronic resources or from monitoring usage of the employer's own electronic resources, including e-mail. There is no exception for legitimate workplace investigations. Thus, as noted above, a death threat communicated to a co-worker via a restricted social media page appears to be off-limits to the employer unless provided voluntarily by an employee.

The law does expressly state that it does not apply to "information that is in the public domain," i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. Further, because Facebook settings can be modified to permit different people access to different information, it is not clear what information will be considered to be in the "public domain." 

The Administration and Enforcement Section of the Right to Privacy in the Workplace Act, which was amended by this new law, provides that an employee or applicant for employment may file a complaint with the Illinois Department of Labor. The Department is instructed to investigate and attempt to resolve the complaint. If it finds a violation and is unable to resolve the complaint with the employer, the Department may sue the employer in Circuit Court to compel compliance. If the Department fails to file an action in civil court, the employee or applicant may commence an action in Circuit Court. A successful plaintiff may be awarded actual damages, plus costs, and a penalty may issue against the employer for $200, plus costs, attorney's fees and actual damages for a willful and knowing violation. 

Given that most employers recognize that employees' lawful off-duty activities are the employees' own business if those activities do not affect the workplace, the Illinois law is unnecessarily overbroad. The law prevents employers from conducting legitimate investigations and does not take into account the intricacies of the different social media sites. The law will be particularly challenging for Illinois employers to apply because of its ambiguity. Until regulations or court decisions clarify the ambiguity, the safest course of action for an Illinois employer would be to avoid any access to employees' or applicants' social media site(s) that are not in the public domain.

Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group, is a Shareholder in the Denver office, and Kathryn Siegel is an Associate in the Chicago office. If you would like further information, please contact your Littler attorney at 1.888.Littler or, Mr. Gordon at, or Ms. Siegel at

Written by:


Littler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.