On May 22, Louisiana Gov. Bobby Jindal signed the Personal Online Account Privacy Protection Act into law. The Act, effective immediately, prohibits employers from requesting or requiring access to the personal online accounts of applicants or employees. Louisiana joins 11 other states that have already passed similar legislation. The Act also applies to educational institutions, which are prohibited from requesting or requiring the same information from students or prospective students.

This Act does not create a duty for an employer or educational institution to search or monitor the activity of an individual's personal online account. That's important because, where information is readily available, an employer could face liability for ignoring it (such as negligence claims). The Act's language protects against that, at least in part.

What's Protected

The Act protects personal online accounts. A "personal online account" is an account used exclusively for personal communications unrelated to any business purpose of the employer or educational institution. A personal online account does not include accounts that the employer or educational institution created, services, or uses for business or educational purposes. Facebook and Twitter accounts, for example, would almost always be protected. An employee's work email, however, would not be.

Who Is Covered

The Act applies to virtually all private and state or local government employers, regardless of size, that are doing business in Louisiana. As of  now, those employers will be unable to request or require employees or applicants to disclose usernames, passwords, or other authentication information that would allow the employer access to personal online accounts. The Act bars an employer from retaliating against an employee or applicant (e.g., discharging, disciplining, failing to hire or otherwise penalizing or threatening to penalize the employee) who fails to disclose that information.

The Act applies to private and public educational institutions in a similar fashion. Educational institutions may neither request nor require disclosure of information that would allow access to a student's or prospective student's personal online account. Likewise, if a student or prospective student fails to provide that information, the educational institution is barred from expelling, disciplining, failing to admit, or otherwise penalizing or threatening to penalize the student or prospective student.

Employer Exceptions

While the law affords the individual new privacy protection, it still allows employers and educational institutions a considerable amount of leeway.

Even under the new law an employer may still:

  • view or access information about an employee that is available in the public domain;
  • obtain an applicant's or employee's email address;
  • request or require access to an electronic communication device that the employer pays for or supplies, or to an account or service that the employee obtained because of the relationship with the employer or that is used for the employer's business purposes;
  • discipline or discharge an employee for sending confidential or proprietary information or financial data to an employee's personal online account without permission;
  • conduct an investigation or require an employee or applicant to cooperate in an investigation where there is specific information related on an employee's personal online account, to ensure compliance with applicable laws, regulations or prohibitions, or where the employer has specific information about an unauthorized transfer of the employer's proprietary or confidential information or financial data to the employee's personal online account (these types of investigations may require the employee or applicant to share the content without disclosing the username or password);
  • restricting or ban an employee's or applicant's access to certain websites while using an electronic communications device the employer supplied or pays for; or
  • screening applicants or monitor or retain employee communications pursuant to law, rule, or regulation.

If the employer inadvertently obtains an employee's or applicant's authentication information by virtue of a device or program that monitors an employer's network or a device the employer provides, the employer will not be liable. That being said, you may not use such information to access the employee's personal online account. Finally, if an employee or applicant voluntarily self-discloses, the employer will not be liable.

Educational Institution Exceptions

The exceptions for an educational institution are fewer than those for an employer. The Act allows an educational institution to:

  • request or require a student or prospective student to disclose any authentication information that would allow the educational institution to gain access to an electronic communication device the educational institution supplied or pays for (unless it was provided with the intent to permanently transfer ownership); or to an account or service that the student or prospective student obtained because of his or her admission or that is used for educational purposes;
  • view or access information about an student that is available in the public domain; or
  • restrict or prohibit a student's or prospective student's access to certain websites while using an electronic communications device that the educational institution supplied or paid for, or while using an educational institution's network or resources.

As with employers where an employee or applicant voluntarily disclosed authentication information, an educational institution would not be liable if a student or prospective student were equally as forthcoming.

All Bark And No Bite?

As written, the law does not provide for a penalty against the employer or educational institution for violation of the Act, nor does it codify a private right of action for the individual. Thus, the Act may be more of a gold standard than a mandatory one.

The Bottom Line

Considering the issues that may arise when an employer or educational institution has access to authentication information of personal online accounts (for a good accounting of the risks, read this), the Act may actually prove beneficial. Employers and educational institutions are still allowed to search publicly available information online, which is now commonplace. Going beyond that and accessing additional information may create liability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.