Several states have laws which prohibit employers from requiring an employee or applicant to give the employer access to the employee or applicant’s personal social media account. Tennessee has joined that list with the recent passage of the Employee Online Privacy Act of 2014 (Online Privacy Act).
The Online Privacy Act, which will take effect on January 1, 2015, applies to any person or entity that employs one or more employees and includes the state and its political subdivisions as well as an agent, representative or designee of the employer. The Online Privacy Act prohibits an employer from:
- Requesting or requiring an employee or applicant to disclose a password that allows access to a personal internet account;
- Compelling an employee or applicant to add the employer or an employment agency to his or her list of contacts associated with a personal internet account;
- Compelling an employee or applicant to access a personal internet account in the presence of the employer in a manner that enables the employer to observe the contents of the personal internet account; or
- Discharging, failing to hire, or taking adverse action or penalizing an employee or applicant because of a refusal to disclose the password or comply with a request for one of the above prohibited actions.
There are, of course, some exceptions. An employer is not prohibited from:
- Requesting or requiring an employee to disclose a user name or password required to gain access to an electronic communications device supplied by or paid for wholly or in part by the employer, or to gain access to an account or service provided by the employer that is obtained by virtue of the employment relationship or that is used for the employer’s business purposes.
- Disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to the employee’s personal internet account.
- Conducting an investigation or requiring an employee to cooperate in an investigation if there is specific information on the employee’s personal internet account regarding compliance with applicable laws or prohibitions against work related employee misconduct, or the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information or financial data to the employee’s personal internet account.
- Restricting or prohibiting an employee’s access to certain websites while using an electronic communications device supplied by or paid for wholly or in part by the employer, or while using an employer’s network or resources.
- Monitoring, reviewing, accessing or blocking electronic data stored on an electronic communications device that is supplied by or paid for wholly or in part by the employer, or stored on the employer’s network.
- Complying with the duty to screen employees or applicants before hiring, or to monitor or retain employee communications, in accordance with applicable law.
- Viewing, accessing or using information about an employee or applicant that is available in the public domain.
- Conducting an investigation or requiring an employee to cooperate in an investigation regarding compliance with applicable law or prohibitions against work related employee misconduct, or an investigation about the unauthorized transfer of the employer’s proprietary information, confidential information or financial data to the employee’s personal internet account.
Individuals whose rights are violated under this law may sue the employer and recover not more than $1,000.00 in damages for each violation, plus reasonable attorney’s fees and court costs.
I have advised for several years that employers should not require employees to disclose passwords for personal social media accounts or grant them access to those accounts. Now, Tennessee has a law which will penalize those employers who do so.
Tennessee Employment Law 