United States: Patchwork Of State Social Media Password Protection Laws Creates Challenges For Employers

Last Updated: July 15 2013
Article by Philip L. Gordon and Joon Hwang

The legislative torrent has been virtually unprecedented in the area of workplace privacy. In a single season, spring 2013, seven states enacted social media password protection legislation, bringing the total number of states to 11 since Maryland enacted the first such law in May 2012. Bills are pending in more than 20 other states. The current roster of states, dominated by the Rocky Mountain Region and the Far West, is as follows: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington. New Jersey appears poised to join this group as the state's legislature amends a bill conditionally vetoed by Governor Christie in May.

The 11 states have created an unwieldy legislative patchwork that will leave many multi-state employers struggling to create a uniform policy. Nonetheless, a thorough review of the legislative hodgepodge does lead to several useful conclusions for employers. These conclusions will be described in detail below.

What conduct by employers do these laws generally prohibit?

One of the only points of uniformity is the basic prohibition: all of these laws prohibit employers from requesting or requiring that applicants or employees disclose their user name, password, or other information needed to access a personal social media account. The notable exception is New Mexico, which applies the prohibition only to applicants.

The states with the most expansive legislation — Illinois, Michigan and Washington — also prohibit employers from requiring that applicants or employees (a) accept a request, such as a Facebook "friend request," that would permit access to restricted content; (b) permit the employer to observe their restricted social media content after they have logged in, i.e., "shoulder surfing"; and (c) change their privacy settings in a manner that would permit the employer to access their restricted social media content. Arkansas and Colorado do not expressly prohibit shoulder surfing. California, Michigan and Oregon do not expressly prohibit requiring an applicant or employee to change privacy settings to permit employer access to restricted social media content. It remains an open question whether state courts will read these slightly narrower statutes and those statutes that prohibit only compelled disclosure of log-in credentials to encompass other methods for circumventing user-created restrictions on access to personal social media.

A majority of states expand on their access prohibition by applying it not only to social media but also to any personal online account. For example, the most recently enacted law (Nevada) defines "social media account" to mean "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles." The states that most broadly define social media are Arkansas, California, Colorado, Maryland, Michigan, Nevada and Utah. By contrast, Illinois, New Mexico, Oregon, and Washington appear to apply their password protection laws only to social media accounts, excluding other personal online services from their laws' purview.

The legislative patchwork also presents material differences regarding the target of an access request. In virtually all states, an employer is prohibited from seeking access to an applicant's or employee's own restricted social media content. California's law appears to go one step further by prohibiting employers from asking an employee to help obtain access to the restricted social media content of a co-worker.

What are the exceptions to the general prohibition?

The range of exceptions to the general prohibition is even more dizzying than the range of prohibitions. All states, except for Illinois, expressly provide that employers can demand that employees provide log-in credentials to non-personal accounts that are used for the employer's business purposes. The precise formulation of these exceptions varies, but the gist of most of them is that if the employer creates or pays for the account, the general prohibition does not apply. Utah's law takes the exception one step further by permitting employers to request the log-in credentials for a personal social media account that the employee uses to conduct the employer's business.

The uniformity of the "non-personal account" exception evaporates with respect to workplace investigations. On this topic, the states break down into three evenly divided camps. Three states — Illinois, Nevada and New Mexico — have no exception for workplace investigations. Four states — Arkansas, California, Michigan and Utah — have what could be characterized as a broad exception. California's exception, for example, reads as follows: "Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding." The remaining four states — Colorado, Maryland, Oregon and Washington — have relatively narrow exceptions for workplace investigations. The Colorado and Maryland laws, for example, permit requests for access to employees' personal social media content only when necessary to investigate violations of securities laws or regulations or potential misappropriation of trade secrets. Notably, the states with a workplace investigation exception appear to permit the employer to require the disclosure only of social media content, not the employee's log-in credentials.

These password protection laws could interfere with the ability of broker-dealers and other employers to comply with statutory or regulatory requirements to monitor business-related posts by employees regardless of whether the account used to post is personal or employer-provided. Consequently, six states have adopted language championed by the securities industry that appears to allow employers to request log-in credentials when required to comply with legal obligations or the rules of a self-regulatory organization such as the Financial Industry Regulatory Authority's (FINRA) rules on the supervision of online communications. These states include Arkansas, Michigan, Nevada, Oregon, Utah and Washington. Washington law, for example, provides as follows: "This section does not prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations." As noted above, two states — Colorado and Maryland — have adopted narrower exceptions that appear to permit requests for social media content to investigate compliance with securities laws or regulations.

These 11 password protection laws have several other variations. First, half of the states — Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah — expressly state that it is not unlawful for employers to access publicly available social media content. While the remaining five states do not speak to this issue, there does not appear to be any viable basis for an applicant or employee to complain about an employer's access to publicly available social media content. Second, three states — Arkansas, Oregon and Washington — expressly state that employers do not engage in prohibited conduct if they inadvertently acquire social media log-in credentials while monitoring corporate electronic resources as long as the employer does not use the information to access an employee's personal social media. Finally, three states — Michigan, Oregon and Utah — confer on employers immunity from claims based on their failure to request or require that an applicant or employee provide access to restricted, personal social media content.

What remedies are available under these laws?

The remedial schemes for violation of these laws vary even more substantially than the prohibitions and exceptions. In three states — Arkansas, Nevada and New Mexico — the statutes do not include a remedial provision and do not expressly incorporate one by reference. Two states — California and Colorado — provide no private right of action. The remaining states provide a private right of action with varying caps: Utah and Washington ($500); Michigan ($1,000); Illinois and Maryland (no cap); Oregon (unclear). Four states — California, Colorado, Illinois, and Oregon — expressly create administrative remedies; the other states do not.

What should employers do in response?

Given the prevalence of social media and the increased melding of work and personal life, employers unquestionably will need access to applicants' and employees' personal social media content for a range of legitimate business purposes, including evaluating applicants' job qualifications, conducting workplace investigations and complying with legal requirements. At the same time, as demonstrated above, employers (especially multi-state employers) seeking to establish a uniform policy on access to applicants' and employees' personal social media content are faced with a legislative patchwork that can leave them scratching their heads. The legislative framework will likely become only more variable with more than 20 additional states currently considering social media password protection laws.

Despite these challenges, several guidelines for employers are discernible:

  1. Publicly available social media content is fair game. Nothing in the password protection laws purports to regulate an employer's access to publicly available social media content. Employers do need to consider other factors when relying on publicly available social media content, such as whether the content is true and whether the content contains information on which an employer cannot lawfully rely for employment purposes.
  2. Employers can use restricted social media content voluntarily provided to the employer. Employees routinely report voluntarily to HR about troubling social media content posted by co-workers. Nothing in the social media password protection laws restricts an employer's ability to accept and act on this information, even if the employee has restricted access to his or her social media content.
  3. Document the source of all social media content that will be used to justify adverse employment action. In the event an applicant or employee alleges that an employer obtained restricted social media content in violation of a password protection law, the employer should be in a position to prove that it did not compel the applicant or employee to permit access by prohibited means. The employer can best avoid a "he-said-she-said" battle by producing documents showing the lawful means by which the employer obtained the social media content.
  4. Establish in writing that all accounts used to conduct the employer's business are not personal accounts. As businesses rely increasingly on social media to attract new business and interact with customers, their employees are creating social media content and making connections that add substantial value to the business. To preserve that value and avoid losing it to a competitor when the employee leaves, employers must take steps to ensure on-going access to these accounts, including the ability to access the accounts at any time by maintaining a record of the log-in credentials. To that end, employers should obtain an employee's agreement, in writing, that the account is not personal when the employee is first assigned responsibility for the account. In this way, the employer eliminates the risk of liability for requiring the employee to disclose his or her log-in credentials and for firing an employee who refuses to cooperate.
  5. Establish a policy that prohibits employees from storing the employer's confidential information in a personal online account. Under some of the password protection laws, employers arguably could not gain access to the employer's own confidential information stored in an employee's personal, online account, such as a Dropbox account, so that the employer could delete the information or observe the employee deleting the information. Employers can mitigate this risk by establishing a policy which prohibits such storage of the employer's confidential information. In addition, such a policy would provide the basis for the employer to invoke the workplace investigation exception in any password protection law that has this exception when the employer has reason to believe the employee is storing the employer's confidential information in a personal online account in violation of the policy.
  6. Do not ask applicants for their log-in credentials and consult legal counsel before using other means, such as shoulder surfing, to access applicants' restricted social media content. While the password protection laws have a range of exceptions applicable to requests for an employee's log-in credentials, these exceptions, such as the exception for workplace investigations, do not apply in the context of the hiring process. Consequently, as a general rule, employers should not seek access to applicants' restricted social media content. Notably, very few private employers currently seek such access. In June 2012, Littler Mendelson's Executive Employer Survey Report found that 99% of 1,000 C-suite executives, corporate counsel, and human resources professionals surveyed stated that their organization did not request social media log-in credentials as part of the hiring process.
  7. Consult legal counsel before accessing an employee's restricted social media content. State legislators have recognized that employers can have legitimate reasons to access an employee's restricted social media content — for example, to conduct a workplace investigation or to comply with applicable law, such as FINRA's rules on supervising the social media content of registered representatives. Unfortunately, the password protection laws contain so many variations, nuances and ambiguities that employers will likely need the assistance of legal counsel to reduce the risk of a violation when accessing an employee's restricted social media content for these purposes.
  8. Train supervisors and in-house investigators to be cautious about seeking access to restricted social media content. Given the newness of the password protection laws, supervisors and in-house investigators may not even be aware that these laws exist. At a minimum, employers should inform supervisors and in-house investigators that (a) access to restricted social media content potentially raises a red flag, and (b) they should consult with the organization's legal department or outside counsel before seeking access to such information.
  9. Support federal password protection legislation that preempts state laws and get involved in the state legislative process. At this point, the only cure for the tangle of state law restrictions on access to social media content would be a federal law that preempts all of the state laws. However, that solution is nowhere on the horizon. The one federal bill addressing restrictions on employers' access to employees' and applicants' restricted social media content does not mention preemption. Given that, and the fact that bills addressing password protection are pending in many more states, employers should try to influence the legislative debate in an effort to obtain more balanced and uniform legislation that takes employers' interests into account.

Originally published in the July 2, 2013, issue of the Bloomberg BNA Social Media Law & Policy Report.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
