By Philip L. Gordon and Joon Hwang
Rhode Island recently became the fifth state in 2014 and the 17th state nationwide to enact legislation restricting access by employers to applicants’ and employees’ personal online content.
The Rhode Island law follows similar laws enacted this year by Wisconsin, Tennessee, Oklahoma, and Louisiana, continuing a nationwide trend that began in spring 2012.
Rhode Island’s new law embodies many of the prohibitions seen in similar laws. However, in comparison to similar laws, the new law provides relatively narrow exceptions that allow employers to protect their legitimate business interest.
In addition, the new law grants aggrieved individuals the right to file civil suits to recover damages, injunctive relief, and even reasonable attorneys’ fees and costs. Accordingly, Rhode Island employers should pay careful attention to the new law’s specific nuances to ensure compliance.
Like similar state laws, Rhode Island’s new legislation prohibits an employer from requiring, coercing, or requesting that applicants or employees disclose their passwords and (very broadly) any other means for accessing a personal social media account. The new legislation further bars employers from requiring that applicants or employees:
- Permit the employer to observe content of theirs or others after they have accessed an online account (i.e., “shoulder surfing”);
- Add the employer to the employee’s or applicant’s list of contacts associated with a personal internet account (e.g., accept a request, such as a Facebook “friend request,” that would permit access to restricted online content);
- Cause applicants or employees to alter their privacy settings to allow viewing of restricted social media accounts and content; or,
- Divulge any content contained in a personal social media account.
The Rhode Island law, consistent with most similar laws, broadly defines “social media account” to encompass generally all “electronic service or account, or electronic content” and provides a non-exhaustive list of examples. That list includes, but is not limited to, “videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet website profiles or locations.”
However, the new law explicitly excludes from its purview social media accounts “opened at an employer’s behest, or provided by an employer, or intended to be used primarily on behalf of the employer.”
In addition, the new legislation broadly prohibits employers from making threats to or actually discharging, disciplining, or otherwise penalizing employees for their refusal to allow access to restricted online content and failing to hire applicants for their refusal of the same.
Notably, the new legislation allows aggrieved individuals to file civil actions against employers to seek declaratory relief, injunctive relief, reasonable attorneys’ fees and costs, and damages which could include both compensatory and punitive damages. Most similar laws provide only for administrative remedies or cap damages in a private lawsuit at a relatively low amount.
Exceptions to the general prohibitions
Unlike some other state laws, Rhode Island’s new legislation provides only a few exceptions to the prohibitions that allow employers to protect their legitimate business interests.
For instance, the legislation explicitly allows the employers to require or even coerce employees or applicants to “divulge any personal social media account information” when such information is “reasonably believed to be relevant to an investigation of allegations of employee misconduct or workplace-related violation of applicable laws and regulations.” However, information may be accessed pursuant to this exception and used solely “to the extent necessary for purposes of that investigation or a related proceeding.”
In addition, financial services companies subject to NASDAQ rules and/or securities regulations may monitor employees’ personal online accounts and screen applicants’ personal online accounts as may be necessary to comply with applicable law and regulations.
The new legislation explicitly permits employers to access and use publicly available information about job applicants and current employees. However, employers should note that their use of publicly available social media content to impose discipline or make other employment decisions may be limited by other laws, such as the National Labor Relations Act, anti-discrimination laws, and laws prohibiting adverse employment action based on lawful off-duty conduct.
Recommendation for employers
Rhode Island’s new legislation further complicates the incongruent collection of state laws aimed at prohibiting employers’ access to employees’ or applicants’ personal online accounts.
As of the date of this article, 17 states – Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Washington, and Wisconsin – have enacted password protections laws. These laws have their own unique features that complicate efforts by employers, particularly ones with multistate operations, to implement uniform protocols to ensure compliance.
Given the complicated patchwork of state password protection law currently in place, employers should strongly consider consulting with legal counsel before making requests or requiring access to non-public personal online content.
As a general rule of thumb, employers should avoid seeking access to restricted, personal online content except where there is a strong business need for doing so that is recognized in the applicable password protection law, such as the interest in conducting a workplace investigation.
This was originally published on Littler Mendelson’s Workplace Privacy Counsel blog. © 2014 Littler Mendelson. All Rights Reserved. Littler®, Employment & Labor Law Solutions Worldwide® and ASAP® are registered trademarks of Littler Mendelson, P.C.