Illinois' New Social Media Password Law Raises Substantial and Unjustified Obstacles to Employers' Legitimate Business Activities

With last week’s approval by Illinois’ Senate of a House bill entitled, “The Right to Privacy in the Workplace Act,” Illinois (assuming the Governor signs the bill) will soon become the second state, joining Maryland, to forbid employers from requesting or requiring log-in credentials for an applicant’s or employee’s social networking site. This bill, like Maryland’s law, raises significant interpretative challenges for employers while imposing unjustified and overbroad restrictions on their ability to run their own business.

Remarkably, the Illinois bill (like the Maryland law) contains no legislative findings supporting the need for the law. To be sure, in March and April of this year, there was a media frenzy aimed at creating the impression that private employers routinely request access to applicants’ and employees’ social networking accounts. This stir, however, was substantially overblown. It was based on a small number of news stories, virtually all of which involved job applicants, not employees, and public, not private, employers. To date, we have seen no empirical evidence suggesting that private employers are engaging in the practice which is the subject of legislation not only in Illinois and Maryland, but also of pending bills in ten other states (California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington) and in both houses of Congress.

Despite the absence of a proven need, the Illinois bill imposes apparently broad restrictions on employers. The bill prohibits an employer from “request[ing] or require[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” The bill also forbids employers from “demand[ing] access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

While the first prohibition is clear enough, the scope of the second is ambiguous. The second prohibition appears to be aimed at “shoulder surfing,” i.e., an employer’s asking an applicant or employee to log into a social networking site without revealing log-in credentials so that the employer can review the site. Similarly, this prohibition appears to reach an employer’s asking an employee or applicant to print a hard copy of his or her own social networking site or to e-mail screen shots of that site to the employer. Assuming this prohibition is intended to reach such conduct, it remains unclear whether the prohibition applies only to content posted on the applicant’s or employee’s own social networking site or extends to the restricted social networking sites of co-workers who are not the subject of the request.

To put the ambiguity into sharper focus, consider the following scenario. An employee reports to his human resources manager that a co-worker, who is a Facebook friend, has commented on his own wall, which is restricted to “Friends Only,” that he is so angry at the company he could “blow the place up.” The Illinois law appears to prohibit the HR manager from asking the reporting employee to permit the HR manager to view the posting co-worker’s post on the reporting employee’s own newsfeed and from asking the reporting employee to print a hard copy of the post or to e-mail a screen shot of the post to the HR manager. The Illinois law also appears to prohibit the HR manager from asking the posting co-worker for access to his social networking site so the HR manager can investigate the reporting employee’s allegation. However, it is unclear whether the Illinois law would prohibit the HR manager from asking the reporting employee, without disclosing his own log-in credentials or any information on his own news feed, to access the posting co-worker’s “Friends Only” Facebook wall so the HR manager could corroborate and further investigate the allegation.

While this point, at first blush, may appear to be hair splitting, it is critical for employers because the Illinois law contains no exception for legitimate workplace investigations. In fact, the Illinois law contains no exceptions at all to its general prohibitions. Instead, the law merely emphasizes that it is not intended to restrict an employer’s right to promulgate policies regulating use of the employer’s own electronic resources or from monitoring usage of the employer’s own electronic resources, including e-mail. The bill also expressly states that it does not apply to “information that is in the public domain,” i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. In sum, the Illinois law shuts off most, if not all, access by employers to a potentially important source of information when conducting legitimate investigations into misconduct related to work, such as workplace violence, unlawful harassment, and misappropriation of trade secrets.

The absence of any exceptions to the general prohibition in the Illinois bill highlights another challenge for employers raised by this new genre of workplace regulation. The Maryland law contains exceptions for investigations of suspected securities fraud violations and suspected misappropriation of trade secrets. While these exceptions themselves are overly narrow, their absence from the Illinois bill suggest that the states are beginning to weave yet another inconsistent patchwork of laws that will further complicate for employers the already daunting challenge of regulating new technology in the workplace.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.