If a bill making its way through the New Jersey legislature becomes law, New Jersey employers will no longer have the ability to require employees and job candidates to disclose any usernames and passwords associated with personal accounts on social networking sites, such as Facebook, LinkedIn and Instagram.

On Oct. 25, the New Jersey Senate passed Bill A2878, which limits an employer’s ability to access private social media sites. If Gov. Christie signs the measure, New Jersey will become the fourth state to pass a social network privacy law, following Maryland, Illinois and California. Notably, the New Jersey bill goes the farthest in protecting individuals from company intrusion because it prohibits an employer from even asking whether an employee or applicant has a personal social networking account.

Social Media at Work

There is simply no ignoring the explosive growth of social media. Facebook alone has grown to over one billion active monthly users. A full 75 percent of U.S. workers utilize their smartphones to check their social media sites on a daily basis, according to a study this year by a leading social media integration firm.

Employers have also caught on to social media as a means by which to learn more about their employees and job applicants. The Equal Employment Opportunity Commission has determined that 75 percent of recruiters conduct online reviews of job applicants in an attempt to learn more about their potential new hires, The New York Times reported earlier this year.

There is nothing inappropriate about conducting a computer search for publicly-available information (think a Google search). However, many people have restricted social media sites that they do not use for work purposes — and that is where the problems arise.

Some employers, anxious to learn as much as possible about a potential job candidate, have taken to asking candidates (or even existing employees) to turn over their personal social media passwords so that the employer can conduct a more thorough background check. This practice has rankled many individuals, who believe they have a legitimate expectation of privacy in their personal social media sites. Infamously, the city of Bozeman, Montana, found itself in the middle of a public relations firestorm when, in 2009, it began asking all job applicants to identify the social media sites they utilized, as well as their usernames and passwords, as a condition of being considered for employment.

In New Jersey, the issue first received governmental attention in the form of a lawsuit. In Pietrylo v. Hillstone Restaurant Group, two restaurant employees were terminated as a result of their postings on MySpace about the defendant employer’s operations. Civil Case No. 06- 5754 (FSH), 2008 U.S. Dist. LEXIS 108834 (D.N.J., July 25, 2008). The postings, which included sexual remarks about the management and customers, were made in a private forum that could only be accessed by password on the social networking site. The private forum was created by one of the restaurant employees to enable co-workers to vent about their jobs.

After one of the plaintiff’s co-workers accessed the MySpace forum for a member of management, that employee was asked to provide, and did provide, management with the password to access the private forum.Although the employee was never threatened with any type of adverse employment action, the employee testified that she felt obligated to provide the password at management’s request. The plaintiffs were later terminated as the employer found the postings on the MySpace forum to be offensive and could negatively affect the employer’s operations. Thereafter, the terminated employees filed suit against their former employer.

The jury in Pietrylo determined that the employer violated the federal Stored Communications Act, 18 U.S.C. §§2701-11, which prohibits the access of personal online information in an unauthorized manner. Because the jury found that the employee felt compelled to provide the MySpace password to management, the jury reasoned that the employee’s actions were not voluntary and, therefore, the employer accessed the personal online information in an unauthorized manner.

Similarly, in Ehling v. Monmouth-Ocean Hospital Service Corp., the New Jersey District Court denied the defendant employer’s motion to dismiss the plaintiff’s common-law invasion of privacy claim after gaining access to plaintiff’s Facebook account. 2012 U.S. Dist. LEXIS 74558 (D.N.J. May 30, 2012). The plaintiff claimed that the employer threatened the plaintiff’s co-worker, who also was the plaintiff’s Facebook “friend,” in order to view the plaintiff’s private Facebook profile. The employer thereafter sent letters to state licensing authorities about the plaintiff’s Facebook posts, claiming that her views showed a disregard for patient safety.

The District Court held that the plaintiff employee had taken steps to protect the privacy of her Facebook account, which included utilizing a restricted access webpage and by excluding members of management from her Facebook friend list. The District Court concluded that the plaintiff may have had a reasonable expectation that her Facebook posts would remain private.

The New Jersey Legislation

It is against this backdrop that the New Jersey legislature has taken its first steps into the social media fray.

Bill A2878 prohibits employers from accessing “personal accounts,” which are defined as social networking websites used by any current or prospective employee exclusively for personal communications unrelated to any business purposes of the employer. Specifically excluded from the definition is any account “created, maintained, used or accessed by a current or prospective employee for business purposes of the employer or to engage in business related communications.” Employers, therefore, have the right to police work-related sites utilized by their employees. More difficult to decipher is whether an employer violates the proposed law if it demands to see posts on an employee’s personal site that the employee has also utilized to conduct some measure of business.

The heart of Bill A2878 contains four prohibitions on prospective or existing employers:

• An employer cannot ask an employee or candidate to disclose any user name or password, or to provide the employer access to, a personal social media account. Note that the prohibition is not restricted to the individual’s own personal account; the restriction is on disclosure or access to any personal account.

• An employer cannot “in any way require or request that a current or prospective employee disclose whether the employee has a personal [social media] account.” This provision does not have any restriction on its scope. Therefore, even if an employer has innocently learned that an employee has an active blog, for example, the employer is seemingly prohibited from discussing it — even as a legitimate point of interest.

• Any agreement between the employer and employee designed to waive the bill’s provisions are automatically void and unenforceable.

• An employer cannot retaliate against an employee (a) for refusing to disclose any user name or password, (b) for filing a complaint under the bill, (c) who testifies or assists any action or proceeding under the bill, or (d) who otherwise opposes a violation of the bill.

While the restrictions on employer activity are very broad, it is perhaps the remedies provided by Bill A2878 that raise the most concern. Over the objection of various employer groups, the sponsors of Bill A2878 do not limit enforcement to the hands of an administrative agency, although the Department of Labor and Workforce Development has vested authority to collect civil penalties for any violation. Civil penalties start at $1,000 for an initial violation, and increase to $2,500 for each additional violation.

Instead, the legislature included a provision that allows aggrieved employees or prospective employees to institute private court actions against an offending employer. The measure provides for a one-year statute of limitations. The prevailing employee is entitled to injunctive relief, compensatory and consequential damages and reasonable attorney fees and court costs.

Bill A2878 does contain two notable exceptions to its enforcement requirements. First, a provision states that nothing in the measure is to be construed to prevent an employer from complying with the requirements of any state or federal statute, rule, etc. Presumably, the carve-out would allow an employer to make appropriate inquiries when conducting a workplace investigation, such as a discrimination investigation. However, since neither the federal anti-discrimination laws nor the New Jersey Law Against Discrimination require an employer to review social media sites, it remains to be seen how this new measure would intersect with these legitimate employer interests.

Importantly, Bill A2878 does not prevent an employer from implementing and enforcing policies pertaining to the use of employer-issued electronic communications devices. Therefore, employers can maintain appropriate controls over their business devices without fear of running afoul of the new measure. However, as technology continues to blur the line between work and personal time, and business devices are used to access private social media sites, there exists a broad potential for misunderstanding and contentious litigation. At an absolute minimum, employers will have to carefully rethink existing policies regarding workplace electronic devices.

The Takeaway

There has always existed a tension between employers, who have a keen desire to hire and retain only the most desirable workers, and employees, who struggle to hold on to their real and perceived privacy interests. The rapid advance of technology generally, and social media specifically, will only exacerbate these tensions.

Through Bill A2878, the New Jersey legislature has handed employees a seemingly potent weapon in the fight to maintain personal privacy in the age of smartphones and communications apps. Only time will tell exactly how potent this weapon is, but New Jersey employers will have to quickly come to terms with it — and weigh carefully just how badly they want to use these new technologies to glimpse into the private doings of their employees. •