Making Sense of the Complex Patchwork Created by Nearly One Dozen New Social Media Password Protection Laws

by Littler

The legislative torrent has been virtually unprecedented in the area of workplace privacy.  In a single season, spring 2013, seven states enacted social media password protection legislation, bringing the total number of states to 11 since Maryland enacted the first such law in May 2012.  Bills are pending in more than 20 other states.  The current roster of states, dominated by the Rocky Mountain Region and the Far West, is as follows:  Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington.  New Jersey appears poised to join this group as the state's legislature amends a bill conditionally vetoed by Governor Christie in May. 

The 11 states have created an unwieldy legislative patchwork that will leave many multi-state employers struggling to create a uniform policy.  Nonetheless, a thorough review of the legislative hodgepodge does lead to several useful conclusions for employers.  These conclusions will be described in detail below.

What conduct by employers do these laws generally prohibit?

One of the only points of uniformity is the basic prohibition:  all of these laws prohibit employers from requesting or requiring that applicants or employees disclose their user name, password, or other information needed to access a personal social media account.  The notable exception is New Mexico, which applies the prohibition only to applicants. 

The states with the most expansive legislation — Illinois, Michigan and Washington — also prohibit employers from requiring that applicants or employees (a) accept a request, such as a Facebook "friend request," that would permit access to restricted content; (b) permit the employer to observe their restricted social media content after they have logged in, i.e., "shoulder surfing"; and (c) change their privacy settings in a manner that would permit the employer to access their restricted social media content.  Arkansas and Colorado do not expressly prohibit shoulder surfing.  California, Michigan and Oregon do not expressly prohibit requiring an applicant or employee to change privacy settings to permit employer access to restricted social media content.  It remains an open question whether state courts will read these slightly narrower statutes and those statutes that prohibit only compelled disclosure of log-in credentials to encompass other methods for circumventing user-created restrictions on access to personal social media.

A majority of states expand on their access prohibition by applying it not only to social media but also to any personal online account.  For example, the most recently enacted law (Nevada) defines "social media account" to mean "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles."  The states that most broadly define social media are Arkansas, California, Colorado, Maryland, Michigan, Nevada and Utah.  By contrast, Illinois, New Mexico, Oregon, and Washington appear to apply their password protection laws only to social media accounts, excluding other personal online services from their laws' purview.

The legislative patchwork also presents material differences regarding the target of an access request.  In virtually all states, an employer is prohibited from seeking access to an applicant's or employee's own restricted social media content.  California's law appears to go one step further by prohibiting employers from asking an employee to help obtain access to the restricted social media content of a co-worker.

What are the exceptions to the general prohibition?

The range of exceptions to the general prohibition is even more dizzying than the range of prohibitions.  All states, except for Illinois, expressly provide that employers can demand that employees provide log-in credentials to non-personal accounts that are used for the employer's business purposes.  The precise formulation of these exceptions varies, but the gist of most of them is that if the employer creates or pays for the account, the general prohibition does not apply.  Utah's law takes the exception one step further by permitting employers to request the log-in credentials for a personal social media account that the employee uses to conduct the employer's business.

The uniformity of the "non-personal account" exception evaporates with respect to workplace investigations.  On this topic, the states break down into three evenly divided camps.  Three states — Illinois, Nevada and New Mexico — have no exception for workplace investigations.  Four states — Arkansas, California, Michigan and Utah — have what could be characterized as a broad exception.  California's exception, for example, reads as follows:  "Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding."  The remaining four states — Colorado, Maryland, Oregon and Washington — have relatively narrow exceptions for workplace investigations.  The Colorado and Maryland laws, for example, permit requests for access to employees' personal social media content only when necessary to investigate violations of securities laws or regulations or potential misappropriation of trade secrets.  Notably, the states with a workplace investigation exception appear to permit the employer to require the disclosure only of social media content, not the employee's log-in credentials.

These password protection laws could interfere with the ability of broker-dealers and other employers to comply with statutory or regulatory requirements to monitor business-related posts by employees regardless of whether the account used to post is personal or employer-provided.  Consequently, six states have adopted language championed by the securities industry that appears to allow employers to request log-in credentials when required to comply with legal obligations or the rules of a self-regulatory organization such as the Financial Industry Regulatory Authority's (FINRA) rules on the supervision of online communications.  These states include Arkansas, Michigan, Nevada, Oregon, Utah and Washington.  Washington law, for example, provides as follows:  "This section does not prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations."  As noted above, two states — Colorado and Maryland — have adopted narrower exceptions that appear to permit requests for social media content to investigate compliance with securities laws or regulations.

These 11 password protection laws have several other variations.  First, half of the states — Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah — expressly state that it is not unlawful for employers to access publicly available social media content.  While the remaining five states do not speak to this issue, there does not appear to be any viable basis for an applicant or employee to complain about an employer's access to publicly available social media content.  Second, three states — Arkansas, Oregon and Washington — expressly state that employers do not engage in prohibited conduct if they inadvertently acquire social media log-in credentials while monitoring corporate electronic resources as long as the employer does not use the information to access an employee's personal social media.  Finally, three states — Michigan, Oregon and Utah — confer on employers immunity from claims based on their failure to request or require that an applicant or employee provide access to restricted, personal social media content. 

What remedies are available under these laws?

The remedial schemes for violation of these laws vary even more substantially than the prohibitions and exceptions.  In three states — Arkansas, Nevada and New Mexico — the statutes do not include a remedial provision and do not expressly incorporate one by reference.  Two states — California and Colorado — provide no private right of action.  The remaining states provide a private right of action with varying caps:  Utah and Washington ($500); Michigan ($1,000); Illinois and Maryland (no cap); Oregon (unclear).  Four states — California, Colorado, Illinois, and Oregon — expressly create administrative remedies; the other states do not.

What should employers do in response?

Given the prevalence of social media and the increased melding of work and personal life, employers unquestionably will need access to applicants' and employees' personal social media content for a range of legitimate business purposes, including evaluating applicants' job qualifications, conducting workplace investigations and complying with legal requirements.  At the same time, as demonstrated above, employers (especially multi-state employers) seeking to establish a uniform policy on access to applicants' and employees' personal social media content are faced with a legislative patchwork that can leave them scratching their heads.  The legislative framework will likely become only more variable with more than 20 additional states currently considering social media password protection laws.

Despite these challenges, several guidelines for employers are discernible:

  1. Publicly available social media content is fair game.  Nothing in the password protection laws purports to regulate an employer's access to publicly available social media content.  Employers do need to consider other factors when relying on publicly available social media content, such as whether the content is true and whether the content contains information on which an employer cannot lawfully rely for employment purposes.
  2. Employers can use restricted social media content voluntarily provided to the employer.  Employees routinely report voluntarily to HR about troubling social media content posted by co-workers.  Nothing in the social media password protection laws restricts an employer's ability to accept and act on this information, even if the employee has restricted access to his or her social media content.
  3. Document the source of all social media content that will be used to justify adverse employment action.  In the event an applicant or employee alleges that an employer obtained restricted social media content in violation of a password protection law, the employer should be in a position to prove that it did not compel the applicant or employee to permit access by prohibited means.  The employer can best avoid a "he-said-she-said" battle by producing documents showing the lawful means by which the employer obtained the social media content.
  4. Establish in writing that all accounts used to conduct the employer's business are not personal accounts.  As businesses rely increasingly on social media to attract new business and interact with customers, their employees are creating social media content and making connections that add substantial value to the business.  To preserve that value and avoid losing it to a competitor when the employee leaves, employers must take steps to ensure on-going access to these accounts, including the ability to access the accounts at any time by maintaining a record of the log-in credentials.  To that end, employers should obtain an employee's agreement, in writing, that the account is not personal when the employee is first assigned responsibility for the account.  In this way, the employer eliminates the risk of liability for requiring the employee to disclose his or her log-in credentials and for firing an employee who refuses to cooperate.
  5. Establish a policy that prohibits employees from storing the employer's confidential information in a personal online account.  Under some of the password protection laws, employers arguably could not gain access to the employer's own confidential information stored in an employee's personal, online account, such as a Dropbox account, so that the employer could delete the information or observe the employee deleting the information.  Employers can mitigate this risk by establishing a policy which prohibits such storage of the employer's confidential information.  In addition, such a policy would provide the basis for the employer to invoke the workplace investigation exception in any password protection law that has this exception when the employer has reason to believe the employee is storing the employer's confidential information in a personal online account in violation of the policy.
  6. Do not ask applicants for their log-in credentials and consult legal counsel before using other means, such as shoulder surfing, to access applicants' restricted social media content.  While the password protection laws have a range of exceptions applicable to requests for an employee's log-in credentials, these exceptions, such as the exception for workplace investigations, do not apply in the context of the hiring process.  Consequently, as a general rule, employers should not seek access to applicants' restricted social media content.  Notably, very few private employers currently seek such access.  In June 2012, Littler Mendelson's Executive Employer Survey Report found that 99% of 1,000 C-suite executives, corporate counsel, and human resources professionals surveyed stated that their organization did not request social media log-in credentials as part of the hiring process.
  7. Consult legal counsel before accessing an employee's restricted social media content.  State legislators have recognized that employers can have legitimate reasons to access an employee's restricted social media content — for example, to conduct a workplace investigation or to comply with applicable law, such as FINRA's rules on supervising the social media content of registered representatives.  Unfortunately, the password protection laws contain so many variations, nuances and ambiguities that employers will likely need the assistance of legal counsel to reduce the risk of a violation when accessing an employee's restricted social media content for these purposes.
  8. Train supervisors and in-house investigators to be cautious about seeking access to restricted social media content.  Given the newness of the password protection laws, supervisors and in-house investigators may not even be aware that these laws exist.  At a minimum, employers should inform supervisors and in-house investigators that (a) access to restricted social media content potentially raises a red flag, and (b) they should consult with the organization's legal department or outside counsel before seeking access to such information.
  9. Support federal password protection legislation that preempts state laws and get involved in the state legislative process.  At this point, the only cure for the tangle of state law restrictions on access to social media content would be a federal law that preempts all of the state laws.  However, that solution is nowhere on the horizon.  The one federal bill addressing restrictions on employers' access to employees' and applicants' restricted social media content does not mention preemption.  Given that, and the fact that bills addressing password protection are pending in many more states, employers should try to influence the legislative debate in an effort to obtain more balanced and uniform legislation that takes employers' interests into account.
