On May 12, 2013, Colorado's governor signed H.B. 1046 into
law to forbid employers from requiring or requesting that
prospective and current employees disclose their username and
password to their personal social media accounts. Several other
states have codified similar laws, including Maryland, Illinois,
California, Michigan, Utah, New Mexico (which ostensibly applies to
prospective employees only), and Arkansas. A number of other states
and the U.S. Congress have introduced such legislation. To
understand the new Colorado law, this alert discusses its coverage,
prohibitions, exceptions, and remedies.
The coverage of the new Colorado law is expansive, as the term
"employer" means a person engaged in a business,
industry, profession, trade, or other enterprise in the state (or a
unit of the state or local government), including an agent,
representative, or designee thereof.
Under the new Colorado law, an employer may not request or
require that an employee or applicant disclose any user name,
password, or other means for accessing his or her personal account
or service through his or her electronic communications
An employer also may not discharge, discipline, or otherwise
penalize (or threaten to discharge, discipline, or otherwise
penalize) an employee for his or her refusal to disclose any
information protected under the new Colorado law.
Moreover, an employer may not fail or refuse to hire an
applicant because he or she refuses to disclose any information
protected under the new Colorado law.
The new Colorado law allows an employer to require an employee
to disclose any user name, password, or other means for accessing
non-personal accounts or services that provide access to the
employer's internal computer or information systems.
This new Colorado law also does not prevent an employer
conducting an investigation to ensure compliance with
applicable securities or financial law or regulatory requirements
based on the receipt of information regarding the use of a personal
Web site, Internet Web site, Web-based account, or similar account
by an employee for business purposes; or
investigating an employee's electronic communications based
on the receipt of information regarding the unauthorized
downloading of the employer's proprietary information or
financial data to a personal Web site, Internet Web site, Web-based
account, or similar account.
An aggrieved applicant or employee may institute a civil action
in a court of competent jurisdiction within one year after the date
of the alleged violation, and is entitled to
compensatory and consequential damages; and
reasonable attorney fees and court costs.
The new Colorado law's coverage, prohibitions, and
exceptions are analogous to the social media laws adopted in other
states, and the bills pending in the U.S. Congress and numerous
state legislatures. It should be noted, however, that the new
Colorado law arguably offers more lucrative remedies than any of
its counterparts. As Colorado's new plaintiff-friendly law
continues a growing national trend, it is imperative that employers
within the state and across the nation proceed with
caution and prepare accordingly.
1."Electronic Communications Device" means a
device using electronic signals to create, transmit, and receive
information, including computers, telephones, personal digital
assistants, and other similar devices.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
As privacy professionals know too well, organizations that handle personal information, especially personal information that can trigger security breach notification obligations, have an overwhelming need to screen out untrustworthy applicants from positions that permit access to such data.