Trendsetter or Outlier? Oregon Adds New Twist to Password Protection Laws

Since early 2012, 21 states have enacted some form of "password protection" law.  Although these laws vary substantially by state, their common thread is the intention to restrict employers' ability to access content in applicants' and employees' restricted online accounts.  These laws effectuate that intent by varying combinations of prohibitions on the following types of conduct: (a) requesting an individual's log-in credentials; (b) asking to view restricted content when accessed by the individual, i.e., "shoulder surfing"; (c) requesting an individual to accept a "friend" or "connection" request; and (d) asking an individual to change privacy settings to permit access by an employer to an account.  Yet, 99% of more than 400 senior HR executives and in-house employment counsel who responded to a survey conducted by Littler Mendelson in May 2012 and again in May 2013 stated they do not ask applicants for social media passwords.

Nonetheless, Oregon—remaining true to its state slogan that "Things Look Different Here[,]"—recently took its password protection law to the next level by adding two categories of prohibited conduct not seen in any similar law to date.  In early June, the state prohibited employers from requiring that applicants and employees (a) have a personal social media account as a condition of employment, or (b) authorize the employer to advertise on their personal social media accounts.  Employers cannot take any adverse action against, or retaliate against, applicants or employees who refuse such requests.  The amendment takes effect on January 1, 2016.

The law's definition of "social media" extends the prohibition to virtually any form of online account.  That definition includes not just social networking accounts but any account that permits sharing of user-generated content, including video- and photo-sharing sites, blogs, podcasts, and even media generally used for much narrower distribution of content, such as instant messaging and e-mail.  However, Oregon amended its existing law to add a relatively narrow definition of "personal social media."  That new definition includes only social media used "exclusively for personal purposes."  The new prohibition does not apply to accounts used for any of the employer's or prospective employer's business purposes or paid for, or provided by, the employer or prospective employer.

Taking these amendments together, the Oregon legislature appears to be concerned that employers will seek new markets for their products or services by forcing applicants and employees to let the employer exploit their circles of social media contacts wholly unrelated to work.  There can be no question that employers excited about their company's products and services often encourage employees to share information about those products and services through social media, including personal social media.  We are unaware of any empirical data showing that employers actually are forcing employees or applicants to do so or of any case where an employee or applicant has been the subject of adverse employment action for resisting such a requirement.

That said, many states enacted legislation in the area of password protection that, at best, can be characterized as preemptive.  Consequently, there is the distinct possibility that other states will follow Oregon's lead and legislate against yet another "problem waiting to happen."  For now, Oregon employers must ensure that any campaign to use their own workforce to promote their products or services through social media is purely voluntary, and other employers should watch closely for similar developments in their states.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.