Legislatures, state and federal, are starting to react to the trend of employers — at least the creepy employers — requiring job applicants and employees to turn over usernames and passwords for personal social media accounts.

Here’s a post from the Goodwin Procter law firm about a new law passed in Maryland and one in the works in Illinois. The point of such legislation is to make it illegal for employers to coerce job applicants and employees to surrender their autonomy in this manner. Federal legislation on the subject has also been introduced.

Lawmakers face a huge challenge, however, in trying to ensure such laws don’t compromise an employer’s legitimate interest in its own business information. Productivity applications are quickly being “consumerized,” the iPhone is now enterprise-issued hardware, and cloud storage and web services are often used by most of us for both business and non-business. In today’s mobile environment, for many, there is no bright line between “personal” and “non-personal” digital behavior.

Unfortunately, the Maryland law relies on just such an anachronistic “personal / non-personal” distinction.

The Maryland law says an employer can’t require that the applicant or employee supply her password to access “a personal account or service through an electronic communications device.” Balancing that with allowance for employer access to business information, the Maryland law states it’s OK to require an employee to produce a password to access “nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.”

Good luck, Marylanders, dividing the email accounts and apps on your tablet computers into “personal” and “non-personal” categories!

The Goodwin Procter post says another initiative, one in Illinois, is about to take effect. This legislation betters Maryland’s effort. It provides:

“It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

This legislation makes distinctions between social media and other kinds of web services. Here’s how “a social networking website” is defined in the Illinois bill:

“For the purposes of this subsection, ‘social networking website’ means an Internet-based service that allows individuals to: (A) construct a public or semi-public profile within a bounded system, created by the service; (B) create a list of other users with whom they share a connection within the system; and (C) view and navigate their list of connections and those made by others within the system.”

Is the definition perfect? No. For instance, while I think it captures Facebook and Twitter, at least as those two services work today, I’m not sure it captures Google+. Something fun to try: think of your favorite cloud storage service, and ask yourself, would it satisfy all elements of the Illinois test, and thus be deemed a “social networking website?”

Email is trickier. Illinois says that a social networking website “shall not include electronic mail.” There may be other laws in Illinois on the books about email, but the exception here in this legislation suggests Illinois is wary about treading into business information territory.

Attorney William Carleton is a member of McNaul Ebel Nawrot & Helgren PLLC, a Seattle law firm. He works with startups and emerging tech companies, their founders and investors. He posts regularly about tech-related legal issues on his blog.

Comments

  • a “personal” opinion

    The Illinois version is much worse than Maryland’s. By focusing on Facebook instead of the overall privacy issue, Illinois fails. Your employer has no business accessing your personal email, YouTube account, Amazon account, Redbox account or credit card accounts. All of these would be significant invasions of privacy. The right distinction though isn’t personal/non-personal but personal/company. The company should have the right to access your company credit card account for example.

    Is it hard to distinguish what is personal? Most people have personal items in their company offices. Do people have problems with that?

    • http://wac6.com/ William Carleton

      Thanks for your comment. What about Dropbox or Evernote, where personal/company might both reside? You list some good examples of things that should be pretty clear cut as personal.
