Asking for Facebook Passwords? Not in Washington.
Washington Governor Jay Inslee has signed legislation that prohibits employers from asking or requiring employees or job applicants to provide information or access to social networking accounts. Social networking is an area of concern for all employers. Having access to employees' or job applicants' social networking information can provide employers with information that they might not be able to get otherwise. Employers could determine whether job applicants have been open and complete about their past work experience. Employers could determine whether employees are disclosing a business's confidential information or trade secrets using social networking or social media. Employers could determine whether complaints of behavior in the workplace can be supported or refuted through employees' social media activity.
On the other hand, the growing trend, and now the law in Washington, is that employees and job applicants have privacy expectations in their social networking and social media activities. Washington now holds those privacy expectations above most of an employer's interests in obtaining information. "Most," because Washington still recognizes that an employer has an interest in conducting workplace investigations and in protecting its confidential information and trade secrets, and the new law takes these into account.
What the Law Prohibits and Allows
Here's what the law prohibits:
- Employers may not request, require, or coerce an employee or job applicant to disclose their login information for their personal social networking accounts.
- Employers may not request, require, or coerce an employee or job applicant to access their personal social networking accounts in the employer's presence.
- Employers may not request, require, or cause an employee or job applicant to change the settings on their personal social networking accounts to enable third parties to view the contents of their accounts. This means an employer cannot cause an employee to change settings for viewing information from "private" to "public," or that employers cannot require employees to "friend" or "link to" their managers or coworkers on social networks.
- Employers may not take adverse actions against an employee or job applicant who refuses to comply with any of these types of requests.
Here's what the law allows:
Employers may request or require employees to share content from their personal social networking account if:
- The request is to share content from the social networking account, not to provide login information, allow observation, or change settings.
- The request is to allow the employer to make a factual determination in the course of conducting an investigation.
- The investigation is in response to the employer's receipt of information about the employee's activity on their personal social networking account. This likely means that the employer cannot ask for the content of accounts unless someone informs the employer that there is information germane to the investigation on the account.
- The purpose of the investigation is either to ensure compliance with laws, regulations, or prohibitions against work-related employee misconduct, or to investigate an allegation of the unauthorized transfer of an employer's proprietary information, confidential information, or financial data to the employee's personal social networking account.
The law applies only to an employee's or job applicant's personal social networking accounts. It does not apply to social networking accounts or tools established by the employer or provided by the employer to an employee. A common example of this would be a business's social networking account that an employee has access to; the business can require the employee to provide the login information for that account.
The law allows employees to sue for violations of the law. Employees can seek injunctions, actual damages, a penalty of $500, and attorney fees and costs. The law does, however, allow employers to recover their attorney fees and expenses if the employer defeats such a lawsuit and shows that the lawsuit was frivolous and advanced without reasonable cause.
The law becomes effective July 28, 2013.
What Employers Should Do
So what should employers do in response to this law?
Employers who have a formal policy of requesting or requiring that employees or job applicants provide login information, content, or access to social networks should change those policies and communicate those changes to employees.
Employers should train everyone involved in the hiring process and ensure that they know not to ask job applicants for social networking information. This includes human resources and recruiting people as well as managers who may interview applicants.
Employers should train managers and supervisors that they cannot ask employees for social networking information and cannot ask employees to allow them access to social networking information. Some managers like to "friend" all of their subordinates, but managers can no longer ask employees to do so.
Employers should train everyone who conducts investigations and ensure that they understand when they are permitted to request social networking information and what they are permitted to request.
Employers should review handbooks and policies to consider whether changes should be made to social-media policies, investigation and discipline policies, and other policies.
If employers, managers, or supervisors already have employees' social networking login information, or already have access to employees' social networking activity, consider how to handle that information and access. The law does not state that it applies retroactively, and does not address how to handle information already gathered. Employers should consult legal counsel on what risks that information poses to employers that have already obtained it.