Last year there was a huge fuss because some employers and colleges were asking applicants for their social media passwords, then judging them based on what they saw.
People freaked out about privacy. Then in record time (because it was an election year), state legislatures started passing laws prohibiting employers and educators from demanding social media passwords.
And the people were glad.
Cue squealing brake noises. Or if you’re older, sound of needle being ripped from record album.
Almost all the laws have broad exceptions that still allow the employer to see what’s in employees’ personal social media accounts. The laws really just protect applicants.
Almost all states’ social media password laws allow the employer access to an employee’s social media account as part of an investigation. There are few, if any, limits on what the investigation is about. For example, the California statute allows access to employee personal accounts if the information is “reasonably believed to be relevant to an investigation of employee misconduct . . . provided that the social media is used solely for purposes of that investigation or proceeding.” Cal. Labor Code section 980.
Note the information does not actually have to be related to the investigation; the employer just has to “reasonably believe” it is. Courts would apply an objective “reasonable employer” standard, as opposed to a manager who just wants to stalk people. But as a practical matter, courts usually give employers wide discretion to investigate employee misconduct, and to define what constitutes misconduct.
The language about using the information “solely” for the purpose of the investigation doesn’t really mean anything, since the investigation is already about whether someone should be fired or not. I guess it could be used to ask someone out on a date, but that would be covered by other laws anyway.
Other laws may also provide limits on whether employers can access employee social media accounts or use information they find there. For example, HIPAA restricts how an employer can use medical information it learns about its employees. Some states, like California, have a constitutional right to privacy that would add broader protections. And some states also have laws that prohibit employers from disciplining or terminating employees for off-duty conduct. So employers should be careful about doing anything with information they learn from an employee’s social media account, even if they were legally entitled to learn it.
Employer Provided Device or Service
Another common exception is when the employer owns the computer, phone or other device. Some states, like Michigan, allow the employer access if either the device or the service is paid for by the employer.
That means if the employer buys your phone, or even reimburses you for your cell phone service, it’s entitled to ask for your passwords and look at any data on the device.
Generally, employers are free to monitor employee use of any device it owns anyway. The employer also gets to control what software and apps are used because of security and compatibility concerns with the employer’s network. But most employees don’t know this, and believe that their personal use is, well, personal. So it’s important for employees to know what that free phone or laptop really means; employers should tell them.
As employers become more interested in collecting and using data generated by their employees, the tension will increase between employers who want information and employees who want privacy. Employers will issue company devices. Employees will figure out how to hack the devices and policies in order to protect their personal information. This is one of the reasons I believe that privacy will move from a legal issue to an app. (See Privacy is an App.) There needs to be a fair and open negotiation between users and the companies that want their data, especially in the employment relationship.
Many of the laws also allow employers to create and enforce policies on how employees use social media. Presumably this exception would allow an employer to access an employee’s social media account to see if employees were complying with or violating the policy. While this is a broad exception, there are many pitfalls in creating and enforcing social media policies. (See 8 Reasons Social Media Policies Backfire.) So companies need to get their social media policies right before demanding employee passwords under the policy exception.
Know What Law Applies
Both employers and employees need to know what the social media password exceptions are in their state. And remember, the law that applies to the employee is the one where she works, even if the company is located somewhere else. (See What Law Applies to Your Virtual Workforce?) I also suggest looking up VPN reviews to protect your computer.