New Jersey Poised to Enact the Most Aggressive Social Media Password Protection Law to Date, Adding to a Patchwork of Conflicting Laws Across the U.S.
New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overruled (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.
Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The italicized language appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigation into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.
The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.
The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.
To be sure, once the bill is likely enacted, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law. However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law. If approved, the law will go into effect on the first day of the fourth month following its enactment.
Photo credit: robas