United States: Patchwork Of State Social Media Password Protection Laws Creates Challenges For Employers

Last Updated: July 15 2013
Article by Philip L. Gordon and Joon Hwang

The legislative torrent has been virtually unprecedented in the area of workplace privacy. In a single season, spring 2013, seven states enacted social media password protection legislation, bringing the total number of states to 11 since Maryland enacted the first such law in May 2012. Bills are pending in more than 20 other states. The current roster of states, dominated by the Rocky Mountain Region and the Far West, is as follows: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington. New Jersey appears poised to join this group as the state's legislature amends a bill conditionally vetoed by Governor Christie in May.

The 11 states have created an unwieldy legislative patchwork that will leave many multi-state employers struggling to create a uniform policy. Nonetheless, a thorough review of the legislative hodgepodge does lead to several useful conclusions for employers. These conclusions will be described in detail below.

What conduct by employers do these laws generally prohibit?

One of the only points of uniformity is the basic prohibition: all of these laws prohibit employers from requesting or requiring that applicants or employees disclose their user name, password, or other information needed to access a personal social media account. The notable exception is New Mexico, which applies the prohibition only to applicants.

The states with the most expansive legislation — Illinois, Michigan and Washington — also prohibit employers from requiring that applicants or employees (a) accept a request, such as a Facebook "friend request," that would permit access to restricted content; (b) permit the employer to observe their restricted social media content after they have logged in, i.e., "shoulder surfing"; and (c) change their privacy settings in a manner that would permit the employer to access their restricted social media content. Arkansas and Colorado do not expressly prohibit shoulder surfing. California, Michigan and Oregon do not expressly prohibit requiring an applicant or employee to change privacy settings to permit employer access to restricted social media content. It remains an open question whether state courts will read these slightly narrower statutes and those statutes that prohibit only compelled disclosure of log-in credentials to encompass other methods for circumventing user-created restrictions on access to personal social media.

A majority of states expand on their access prohibition by applying it not only to social media but also to any personal online account. For example, the most recently enacted law (Nevada) defines "social media account" to mean "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles." The states that most broadly define social media are Arkansas, California, Colorado, Maryland, Michigan, Nevada and Utah. By contrast, Illinois, New Mexico, Oregon, and Washington appear to apply their password protection laws only to social media accounts, excluding other personal online services from their laws' purview.

The legislative patchwork also presents material differences regarding the target of an access request. In virtually all states, an employer is prohibited from seeking access to an applicant's or employee's own restricted social media content. California's law appears to go one step further by prohibiting employers from asking an employee to help obtain access to the restricted social media content of a co-worker.

What are the exceptions to the general prohibition?

The range of exceptions to the general prohibition is even more dizzying than the range of prohibitions. All states, except for Illinois, expressly provide that employers can demand that employees provide log-in credentials to non-personal accounts that are used for the employer's business purposes. The precise formulation of these exceptions varies, but the gist of most of them is that if the employer creates or pays for the account, the general prohibition does not apply. Utah's law takes the exception one step further by permitting employers to request the log-in credentials for a personal social media account that the employee uses to conduct the employer's business.

The uniformity of the "non-personal account" exception evaporates with respect to workplace investigations. On this topic, the states break down into three evenly divided camps. Three states — Illinois, Nevada and New Mexico — have no exception for workplace investigations. Four states — Arkansas, California, Michigan and Utah — have what could be characterized as a broad exception. California's exception, for example, reads as follows: "Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding." The remaining four states — Colorado, Maryland, Oregon and Washington — have relatively narrow exceptions for workplace investigations. The Colorado and Maryland laws, for example, permit requests for access to employees' personal social media content only when necessary to investigate violations of securities laws or regulations or potential misappropriation of trade secrets. Notably, the states with a workplace investigation exception appear to permit the employer to require the disclosure only of social media content, not the employee's log-in credentials.

These password protection laws could interfere with the ability of broker-dealers and other employers to comply with statutory or regulatory requirements to monitor business-related posts by employees regardless of whether the account used to post is personal or employer-provided. Consequently, six states have adopted language championed by the securities industry that appears to allow employers to request log-in credentials when required to comply with legal obligations or the rules of a self-regulatory organization such as the Financial Industry Regulatory Authority's (FINRA) rules on the supervision of online communications. These states include Arkansas, Michigan, Nevada, Oregon, Utah and Washington. Washington law, for example, provides as follows: "This section does not prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations." As noted above, two states — Colorado and Maryland — have adopted narrower exceptions that appear to permit requests for social media content to investigate compliance with securities laws or regulations.

These 11 password protection laws have several other variations. First, half of the states — Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah — expressly state that it is not unlawful for employers to access publicly available social media content. While the remaining five states do not speak to this issue, there does not appear to be any viable basis for an applicant or employee to complain about an employer's access to publicly available social media content. Second, three states — Arkansas, Oregon and Washington — expressly state that employers do not engage in prohibited conduct if they inadvertently acquire social media log-in credentials while monitoring corporate electronic resources as long as the employer does not use the information to access an employee's personal social media. Finally, three states — Michigan, Oregon and Utah — confer on employers immunity from claims based on their failure to request or require that an applicant or employee provide access to restricted, personal social media content.

What remedies are available under these laws?

The remedial schemes for violation of these laws vary even more substantially than the prohibitions and exceptions. In three states — Arkansas, Nevada and New Mexico — the statutes do not include a remedial provision and do not expressly incorporate one by reference. Two states — California and Colorado — provide no private right of action. The remaining states provide a private right of action with varying caps: Utah and Washington ($500); Michigan ($1,000); Illinois and Maryland (no cap); Oregon (unclear). Four states — California, Colorado, Illinois, and Oregon — expressly create administrative remedies; the other states do not.

What should employers do in response?

Given the prevalence of social media and the increased melding of work and personal life, employers unquestionably will need access to applicants' and employees' personal social media content for a range of legitimate business purposes, including evaluating applicants' job qualifications, conducting workplace investigations and complying with legal requirements. At the same time, as demonstrated above, employers (especially multi-state employers) seeking to establish a uniform policy on access to applicants' and employees' personal social media content are faced with a legislative patchwork that can leave them scratching their heads. The legislative framework will likely become only more variable with more than 20 additional states currently considering social media password protection laws.

Despite these challenges, several guidelines for employers are discernible:

  1. Publicly available social media content is fair game. Nothing in the password protection laws purports to regulate an employer's access to publicly available social media content. Employers do need to consider other factors when relying on publicly available social media content, such as whether the content is true and whether the content contains information on which an employer cannot lawfully rely for employment purposes.
  2. Employers can use restricted social media content voluntarily provided to the employer. Employees routinely report voluntarily to HR about troubling social media content posted by co-workers. Nothing in the social media password protection laws restricts an employer's ability to accept and act on this information, even if the employee has restricted access to his or her social media content.
  3. Document the source of all social media content that will be used to justify adverse employment action. In the event an applicant or employee alleges that an employer obtained restricted social media content in violation of a password protection law, the employer should be in a position to prove that it did not compel the applicant or employee to permit access by prohibited means. The employer can best avoid a "he-said-she-said" battle by producing documents showing the lawful means by which the employer obtained the social media content.
  4. Establish in writing that all accounts used to conduct the employer's business are not personal accounts. As businesses rely increasingly on social media to attract new business and interact with customers, their employees are creating social media content and making connections that add substantial value to the business. To preserve that value and avoid losing it to a competitor when the employee leaves, employers must take steps to ensure on-going access to these accounts, including the ability to access the accounts at any time by maintaining a record of the log-in credentials. To that end, employers should obtain an employee's agreement, in writing, that the account is not personal when the employee is first assigned responsibility for the account. In this way, the employer eliminates the risk of liability for requiring the employee to disclose his or her log-in credentials and for firing an employee who refuses to cooperate.
  5. Establish a policy that prohibits employees from storing the employer's confidential information in a personal online account. Under some of the password protection laws, employers arguably could not gain access to the employer's own confidential information stored in an employee's personal, online account, such as a Dropbox account, so that the employer could delete the information or observe the employee deleting the information. Employers can mitigate this risk by establishing a policy which prohibits such storage of the employer's confidential information. In addition, such a policy would provide the basis for the employer to invoke the workplace investigation exception in any password protection law that has this exception when the employer has reason to believe the employee is storing the employer's confidential information in a personal online account in violation of the policy.
  6. Do not ask applicants for their log-in credentials and consult legal counsel before using other means, such as shoulder surfing, to access applicants' restricted social media content. While the password protection laws have a range of exceptions applicable to requests for an employee's log-in credentials, these exceptions, such as the exception for workplace investigations, do not apply in the context of the hiring process. Consequently, as a general rule, employers should not seek access to applicants' restricted social media content. Notably, very few private employers currently seek such access. In June 2012, Littler Mendelson's Executive Employer Survey Report found that 99% of 1,000 C-suite executives, corporate counsel, and human resources professionals surveyed stated that their organization did not request social media log-in credentials as part of the hiring process.
  7. Consult legal counsel before accessing an employee's restricted social media content. State legislators have recognized that employers can have legitimate reasons to access an employee's restricted social media content — for example, to conduct a workplace investigation or to comply with applicable law, such as FINRA's rules on supervising the social media content of registered representatives. Unfortunately, the password protection laws contain so many variations, nuances and ambiguities that employers will likely need the assistance of legal counsel to reduce the risk of a violation when accessing an employee's restricted social media content for these purposes.
  8. Train supervisors and in-house investigators to be cautious about seeking access to restricted social media content. Given the newness of the password protection laws, supervisors and in-house investigators may not even be aware that these laws exist. At a minimum, employers should inform supervisors and in-house investigators that (a) access to restricted social media content potentially raises a red flag, and (b) they should consult with the organization's legal department or outside counsel before seeking access to such information.
  9. Support federal password protection legislation that preempts state laws and get involved in the state legislative process. At this point, the only cure for the tangle of state law restrictions on access to social media content would be a federal law that preempts all of the state laws. However, that solution is nowhere on the horizon. The one federal bill addressing restrictions on employers' access to employees' and applicants' restricted social media content does not mention preemption. Given that, and the fact that bills addressing password protection are pending in many more states, employers should try to influence the legislative debate in an effort to obtain more balanced and uniform legislation that takes employers' interests into account.

Originally published in the July 2, 2013, issue of the Bloomberg BNA Social Media Law & Policy Report.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
