By Kristin Cifolelli, courtesy of SBAM Approved Partner ASE
With the explosion of social media use in the workplace in the last couple of years, HR Professionals have learned quickly the basic risks of using this technology. State legislatures around the country are now playing catch-up, scrambling to pass employment laws that set boundaries for employers in monitoring their employees’ social media usage.
Most laws are intended to stop employers from monitoring their employees’ social media content for evidence that they are denigrating the employer, their bosses, colleagues, or their jobs.
As of this month, 17 states have passed legislation prohibiting employers from asking for the logins and passwords to personal social media accounts, emails, and other online networking accounts of their employees and prospective hires.
Michigan was one of the first states to do so. In December 2012 it enacted the Internet Privacy Protection Act (IPPA). Not only does the law prohibit Michigan employers from asking for user names and passwords to access personal social media accounts, but it also prohibits employers from making an adverse employment-related decision affecting any employee or applicant who refuses to provide this information.
Straighforward enough, it would seem. But many employers do not realize that there are some lesser known privacy protections and nuances to these laws that could land them in hot water if they are not aware of them.
For example, Michigan and several other states’ laws also prohibit employers from requiring employees and applicants to access their personal accounts in the presence of the employer. This practice, known as “shoulder surfing,” allows the employer to view social media content without having to get login or password information.
There are other tactics employers can use to access information in employee social media accounts without getting their logins and passwords. Different state laws use language designed to anticipate and prohibit those practices.
“Mandatory friending,” for example, is the practice of suggesting or requiring that an employee or applicant “friend” an employer or supervisor. Arkansas expressly prohibits the practice; in Washington, employees and applicants cannot be forced to add any person to their friend list. In Michigan, the third component of IPPA is that it prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby barring employers from reviewing content without asking for login credentials and without shoulder surfing.
While there is no restriction in Michigan against a subordinate friending a supervisor, employers should ensure that their supervisors are not requesting or encouraging friending of their subordinates. This may put HR departments at odds with marketing departments that are encouraging these relationships to leverage an employee’s personal social media connections for work-related marketing practices.
However, there are some exceptions to IPPA that work to the employer’s benefit. One key provision permits employers to ask an employee to divulge personal social media information in an investigation to ensure compliance with applicable laws or regulatory requirements, to prevent unauthorized transfer of the employer’s proprietary or confidential information, and to restrict access to certain websites on employer’s communication devices.
As social media continues to grow and evolve and become a larger part of activity in the workplace, employee privacy protection laws will expand and become more complex. Employers will need to be cautious about employee privacy rights in their efforts to monitor their social media activities.