Oklahoma and Louisiana Become the Latest States to Enact Social Media Password Protection Laws

by Littler

Weeks after Wisconsin and Tennessee1 enacted their own legislation aimed at restricting access by employers to applicants’ and employees’ personal online content, Oklahoma and Louisiana have followed suit, further complicating the patchwork of state password protection laws already in place.2

On May 21, 2014, Oklahoma Governor Mary Fallin signed H.B. 2372, making Oklahoma the fifteenth state to impose restrictions on employers’ access to the personal social media content of applicants and employees.  Two days later, Louisiana Governor Bobby Jindal signed the Personal Online Account Privacy Protection Act (H.B. 340), which prohibits employers and public and private educational institutions from requiring applicants, employees, and students to provide access to their personal online accounts.

Both laws have many of the same elements as laws previously enacted in other states, and are substantially similar to each other.  At the same time, each law has some unique and noteworthy features.  To ensure compliance, employers with operations in Oklahoma or Louisiana should understand the requirements of each law.  Oklahoma’s new law becomes effective on November 1, 2014.  Louisiana’s new law becomes effective on August 1, 2014.

The General Prohibitions

Both new laws prohibit employers from requesting or requiring that applicants or employees disclose a username, password, or other means of authentication for their online accounts.  The Oklahoma law also prohibits an employer from observing the applicants’ or employees’ restricted online content after they have accessed the account (i.e., “shoulder surfing”). Unlike many of the other password protection laws, neither law expressly prohibits employers from requesting or requiring that an applicant or employee accept a “friend” request, change privacy settings to permit access by the employer, or otherwise divulge personal online content.  The absence of these express prohibitions makes these new laws among the narrowest in the country.

In line with the majority of similar laws, both new laws define “personal online social media account” far more broadly than just social media.  Specifically, both laws apply to any online account, including e-mail, instant messaging and media-sharing accounts, but with a significant narrowing exception.  In the words of the Oklahoma statute, the account must be used “exclusively for personal communications to be protected.”  The Louisiana law expands on this concept by stating that the law does not apply to any account used “for either business purposes of the employer . . . or to engage in business-related communications.”  This carve-out further narrows the scope of the Oklahoma and Louisiana laws.

Both laws prohibit employers from taking adverse action based on an applicant’s or employee’s rejection of a request for their user name, password or other authentication information.  The Louisiana law is particularly broad in this regard, prohibiting not only discharge, discipline, and refusal to hire, but also “otherwise penaliz[ing] or threaten[ing] to penalize” an employee or applicant for failing to disclose log-in credentials.  By contrast, the Oklahoma law prohibits only “retaliatory personnel action” that “materially and negatively affects the terms and conditions of employment” in addition to refusal to hire.  In what appears to be a drafting error, the plain language of the Oklahoma law does not prevent employers from taking adverse action based on an employee’s or applicant’s refusal to disclose “other means of authentication” for accessing a personal online social media account or refusal to permit shoulder surfing.

Exceptions to the General Prohibitions

Both laws have similar and significant exceptions aimed at protecting employers’ legitimate business interests.  For instance, nothing in the new laws prevents employers from requesting or requiring that employees: (a) disclose log-in credentials for any employer-provided system or equipment; or (b) divulge content in any accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer.  The Oklahoma law goes one step further by expressly allowing employers to review or access personal online accounts that employees access while using the employer’s computer system, information technology network, or electronic communication device.  However, before doing so, Oklahoma employers should confer with legal counsel regarding the potential implications of such searches under federal law.

Both laws contain relatively broad exceptions for workplace investigations.  For example, neither law prohibits employers from conducting an investigation into misappropriation of proprietary information, violations of the law or workplace policies where the investigation arises from the receipt of specific information about activity on the employee’s personal account.  Unlike most other password protection laws, these new laws expressly state that an investigation includes requiring an employee or applicant “to share the content that has been reported in order to make a factual determination,” albeit the employer still may not obtain the employee’s or applicant’s log-in credentials.

Both laws contain a potpourri of other exceptions and express carve-outs that are helpful for employers.  Both laws provide that an employer is not liable if it inadvertently obtains employees’ or applicants’ user names, passwords, or other authentication information when monitoring corporate electronic resources, provided employers do not use this information to access the individual’s personal online account.  Both laws expressly permit employers to comply with a duty to screen applicants before hiring, or to monitor or retain employee communications, where the duty arises out of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations, such as FINRA.  Furthermore, the Louisiana law explicitly states that employers are not prohibited from viewing, accessing, or utilizing information about employees or applicants that is publicly available.  The Louisiana law also states that it does not prohibit or restrict employees or applicants from self-disclosing any username, password, or other authentication information to employers to allow access to their personal online accounts. 


The two laws vary most significantly in their remedial schemes.

The Oklahoma law, like similar laws of other states, provides for a private cause of action for aggrieved employees or applicants.  However, employees and applicants must file a civil action within six months after the alleged violation, a relatively short statute of limitations.  Although employees and applicants may seek injunctive relief to restrain an employer from committing any further violations, such relief is available only on a showing of a violation by clear and convincing evidence, which is a heavy evidentiary burden.  Further, aggrieved employees and applicants may recover only liquidated damages of $500 per violation.  Punitive damages and emotional distress damages are not recoverable.  Moreover, a violation may not serve as the basis for a claim under any of Oklahoma’s public policy torts.

In stark contrast to Oklahoma’s detailed remedial scheme, Louisiana’s new law, on its face, does not provide for a private cause of action for aggrieved employees or applicants, nor does it provide any mechanism for administrative enforcement.  Accordingly, it is unclear how the new law will be enforced.

Recommendations for Employers

A growing number of states are adopting legislation aimed at limiting employers’ access to personal online content.  As of the date of this article, 16 states – Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oklahoma, Oregon, Tennessee, Utah, Washington, and Wisconsin – have enacted password protections laws.  The laws in each of these states have their own distinct features, which places the onus on employers, especially those with multistate operations, to implement sufficient protocols to ensure compliance.  Because of the state-to-state variations, employers should consult with legal counsel before requesting or requiring access to non-public, personal online content.  In general, the best practice is not to seek access to personal online content except where there is a strong business interest for doing so that is recognized in the applicable password protection law, such as the interest in conducting a workplace investigation or  complying with another applicable law, such as FINRA regulations.

1 See Philip Gordon and Joon Hwang, Tennessee Joins the Growing List of States Limiting Employers’ Access to Personal Online Content, Littler ASAP (May 13, 2014).

2 See Philip Gordon and Joon Hwang, Making Sense of the Complex Patchwork Created by Nearly One Dozen New Social Media Password Protection Laws, Littler ASAP (Jul. 2, 2013); Philip Gordon, Amber Spataro and William Simmons, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, Littler Report (May 31, 2013).

Written by:


Littler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.