Washington just became the latest state to join the social media privacy bandwagon.
On Sunday, a state law banning employers from asking workers for their user names and passwords for their personal social media accounts went into effect. The law was passed unanimously by both the Washington State Senate and the House of Representatives in April and signed into law by Governor Jay Inslee in May. Since 2012, ten other states have passed similar laws governing social media privacy in the workplace: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon and Utah.
In addition to prohibiting disclosure of personal login information, the law also proscribes employers from forcing employees to log in to their accounts in front of employers so they can observe ("shoulder surf") their postings, requiring employees to add employers as friends, or asking employees to change their personal settings to make things more visible to third parties. Employers also can't punish employees for refusing to disclose their personal login information.
The law does have an exception for limited circumstances. Employers may retrieve content from an employee's personal social media account if they're conducting an investigation into an employee's misconduct or if an employee is accused of making unauthorized transfers of proprietary information. Even then, employers cannot require employees to turn over their login information, but they can ask employees to turn over the information voluntarily. The law also does not apply to social media sites and platforms used primarily for work purposes.
"I think it is a solid step to give people privacy, but I would not be shocked if there's some new app or application or a laser beam hologram technology we haven't dreamed of yet that makes further work necessary," Inslee said to the Associated Press in May.
Bryan O'Connor, a labor and employment lawyer who is managing partner of Jackson Lewis' Seattle office, told Law Technology News that, compared with other states, the Washington law carries greater risk for employers.
"The remedies seem to have more teeth and are much more generous," said O'Connor. Under the act, employees can sue their employers in civil court and can recover up to $500 in statutory damages, as well as actual damages, injunctive relief and attorneys fees and costs. According to O'Connor, most of the other states he's aware of do not provide for recovery of attorneys fees and costs.
The Washington law also lacks an explicit carve-out for the securities industry. The Financial Industry Regulatory Authority (FINRA), Wall Street's self-regulatory agency, and others have been active lobbying states to include an exception allowing financial firms to access employees' private social media profiles in order to prevent the spread of insider information or fraud. According to The Wall Street Journal, the securities groups failed to get the carve-out in California, but about ten states have agreed to include the carve-out in their proposed laws. Proskauer Rose labor and employment associate Daniel Saperstein says that the Washington law has broad language relating to "complying with the requirements of state or federal statutes" and "self-regulatory organizations," but nothing specific regarding securities laws or FINRA.
Some attorneys have been critical of the push for social media privacy laws, saying that the law is unnecessary and imposes an extra burden on employers. In May, a Littler Mendelson survey of 1,000 employers showed that 99 percent of respondents had never asked an employee for private social media login information.
"Several of the laws will impede [an] employer's ability to investigate potential workplace violence incidents revealed by posts in personal social media accounts and work-related harassment and cyberbullying conducted through personal social media accounts," wrote Littler partner and chair of the privacy and data protection practice group Philip Gordon, along with two other Littler attorneys.
The Digital Media Law Project also questioned the need for social media privacy laws, noting that there were already remedies at common law to protect employees.
Their concerns don't appear to be halting the momentum as far as passing social media privacy laws. According to the National Conference of State Legislatures, since the beginning of 2013, legislation has been introduced or is pending in 36 states. While some states have rejected proposed social media privacy laws, other states, including Wisconsin, Vermont, New Hampshire, Rhode Island and New York, are still considering measures to protect social media.
Meanwhile, Saperstein notes that New Jersey could be the next state to enact a social media privacy law. Governor Chris Christie conditionally vetoed the initial bill in May after finding it over-broad. Christie proposed some changes, including requiring employees to file a complaint with the state labor commission instead of state court and getting rid of the provision banning employers from asking employees if they even used social media.
The modified bill was passed by the New Jersey Assembly in May and is pending before the Senate. "This is definitely a growing trend, and it appears that there will be other states to follow," said Saperstein.