Password Privacy Laws: More States Are Now On-Board

by Downs Rachlin Martin PLLC

[author: Matt Borick]

The arrival of October marks an historic milestone for password privacy law.  Back in May, Maryland became the first state to enact a password privacy law (discussed in my last post on this topic), and on October 1 that law officially went into effect.  So now employers in Maryland are prohibited from asking or requiring employees or job applicants to disclose the access information (passwords, user names, etc.) for any personal electronic accounts or services they have.  Nor can employers fire, discipline, or decline to hire people who won’t disclose. 

Password Privacy, LegalAnd now two other states – Illinois and California – have joined the party.  In August, Illinois passed a law (effective January 1, 2013) that makes it unlawful for employers to ask or require employees or applicants to provide their access information for “social networking websites.”  The law states that it does not apply to personal e-mail, in contrast with Maryland’s law, which more broadly covers a “personal account or service.”

California’s new law is also quite broad, defining “social media” to include

 “an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.” 

Moreover, not only does the law prevent employers from requesting or requiring disclosure of user names or passwords, it also prohibits employers from asking or requiring employees or applicants to either access their personal social media in the employer’s presence, or divulge that they even have any such accounts.  California’s law was passed at the end of September and, like the Illinois law, goes into effect on January 1, 2013.  (At the same time, California also passed a companion law aimed at students and applicants at educational institutions.  Delaware passed a similar law in July.)

What we’ve seen in Maryland, Illinois, and California is just the beginning.  Eleven other states currently have password privacy bills in the works.  In addition, both the Social Networking Online Protection Act (SNOPA) and the Password Protection Act of 2012 remain under consideration in Congress. 

As time goes on, what may prove to be the most interesting aspect of the various password privacy laws is not what they prohibit but rather what they don’t. 

 Two of the three laws that have been passed to date list situations when employers may require or obtain – or at least are not prohibited from doing so – the disclosure of access information for personal accounts. 

  • In Maryland, employers are not prevented from investigating potential violations of securities, financial, or regulatory requirements using personal accounts or the unauthorized downloading of the employer’s confidential information to personal accounts. 
  • Under California’s forthcoming law, employers will maintain their existing rights to request employees to disclose personal social media that might be relevant to an investigation of alleged employee misconduct or alleged legal or regulatory violations by employees. 
  • Illinois’ new law does not contain similar provisions, although it does make clear that employers are not foreclosed from accessing “public domain” information on employees or applicants or from setting policies for and monitoring the use of the employer’s electronic equipment and e-mail.

Along the same lines, it will be interesting to see how courts interpret and apply password privacy laws.  Past court decisions suggest that courts do not hold social media passwords sacred.  For example, the Sixth Circuit Court of Appeals recently upheld a trial court order in U.S. v. Smalcer requiring a convicted felon to disclose his Facebook password in the course of the sentencing process.  The court in Gallion v. Gallion, a Connecticut divorce case, ordered counsel for the parties to exchange their clients’ Facebook and on-line dating passwords.  And in three different personal injury cases in Pennsylvania (McMillen v. Hummingbird Speedway, Zimmerman v. Weis Markets, and Largent v. Reed), the respective courts ordered the plaintiffs to turn over their social media user names and passwords to the defense. 

These Pennsylvania cases  all involved a situation where public information on the plaintiffs’ social media sites cast doubt on their claimed injuries, and it was reasonable to expect that additional relevant information could be found on the “private” portions of the sites.  The policy of liberal discovery was not outweighed by any privacy concerns the plaintiffs claimed – as one court observed, “By definition, a social networking site is the interactive sharing of your personal life with others; the recipients are not limited in what they do with such knowledge.”

Judging from the wave of password privacy litigation, legislatures have found that, at least in the employment sector (as well as education), passwords, user names, and other social media access tools are sacred.  But as the various carve-outs in the password privacy laws make clear, such protection may not be absolute.  And if the matter gets into court litigation, it seems that all bets are off.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Downs Rachlin Martin PLLC | Attorney Advertising

Written by:

Downs Rachlin Martin PLLC

Downs Rachlin Martin PLLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.