Back in March, I wrote about new legislation at the state level that would prohibit employers from asking job applicants for their social media user names and passwords. Legislatures in eleven states have introduced social media privacy bills, and in one state, Maryland, one of the bills has become law.
The idea behind these laws is that when employers demand that a job applicant disclose his or her social media login information, it is an invasion of the applicant's privacy. The bills also protect people who have already been hired as employees.
Employers should now review their hiring and employment policies to make sure they do not run afoul of these laws. Employers' training practices should also include a discussion of this legislation. As I said in March, I am telling my clients not to ask for Facebook or other social media login information.
The table below summarizes the federal and state legislation currently pending.
Some bills also protect students in post-secondary educational institutions. Under these bills, educational institutions may not ask students for social media website login information.
Some bills have certain carve-outs, which are noted below.
Finally, all of the state bills that prohibit employers from asking for passwords either broadly cover passwords to Internet applications or cover “social media websites” and define “websites” to include Internet applications. The bill in the U.S. House of Representatives, however, does not contain such a broad definition. The House bill therefore leaves open the possibility that an employer could ask for a user name/password combination for a Facebook application on a cell phone or tablet. Applications are not technically “websites,” so under a narrow reading of the House bill’s language, login information for iOS and other mobile device applications is not covered.
| Bill | Status | Scope | Notes |
|---|---|---|---|
| Passed Legislation | | | |
| MD SB 433 | Codified at Md. Lab. & Empl. Code § 3-712. | Employers | Carve-outs for regulatory investigations and investigations of unauthorized access to employer information. |
| Federal Bills | | | |
| 3074, Password Protection Act of 2012 | Referred to Committee on Health, Education, and Labor on 5/9/12 | Employers | Grafts protection onto the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Carve-outs for discharges for good cause, states that opt out of the federal law, and classified information. |
| H.R. 5050, Social Networking Online Privacy Act | Referred to House Committee on Education and the Workforce on 4/27/12 | Employers | Does not define “social networking website” implying that passwords for mobile device apps are not covered. |
| State Bills | | | |
| CA AB 1844 | Passed Assembly. Introduced in Senate on 5/10/12 | Employers | |
| CA SB 1349 | Set for hearing in Senate Appropriations Committee. | Employers and education | |
| DE HB 308 | Reported out of Telecommunication, Internet & Technology Committee on 5/18/12 | Employers | Carve-out for financial institutions investigation. |
| IL HB 3782 | Passed the House. Passed out of Senate Labor Committee. Ready for third reading in IL Senate. | Employers | Carve-outs for employer workplace policies, monitoring employer’s equipment and email, and public domain information. |
| MA HB 4323 | Introduced 3/23/12 | Employers | Carve-out for employer workplace policies. |
| MD HB 364 | Apparently abandoned in favor of SB 433 | Employers | |
| MI HB 5523 | Referred to Committee on Energy and Technology on 3/29/12 | Employers and education | Violation is a misdemeanor with up to $1000 fine. |
| MN SF 2565/HF2963 | Referred to Senate Jobs and Economic Growth Committee on 3/27/12 and House Commerce and Regulatory Reform Committee on 3/26 | Employers | Carve-out for employer workplace policies. |
| NJ A2878 | Reported out of Assembly Consumer Affairs Committee | Employers | |
| NJ A2879 | Reported out of Assembly Consumer Affairs Committee | Education | |
| NY A 9654 | Reported out of Labor Committee 5/8/12 | Employers | |
| NY S 6831 | Referred to Labor Committee 3/27/12 | Employers | |
| SC H. 5105 | Referred to Judiciary Committee 3/29/12 | Employers | |
| WA SB 6637 | Reintroduced 4/11 | Employers | Civil actions can seek $500 penalty plus damages. Carve-out for public domain information. |

Stephen Wu
Partner, Cooke Kobrick & Wu LLP
http://www.ckwlaw.com/Information-Security-and-Privacy-Law-Resources/
swu@ckwlaw.com