JURIST Guest Columnist Ralph Carter, St. John’s University School of Law Class of 2014, is the author of the first article in a 10-part series from the staffers of the Journal of Civil Rights and Economic Development. Carter explains the need for federal legislation protecting employee’s and job applicant’s private online information by setting a nationwide standard that is certain and manageable…

Imagine that you recently submitted an employment application for a highly coveted position. You have progressed through several rounds of the interview process and a battery of tests. The company’s human resources manager has informed you that the company would like to extend you an offer of employment, subject to the results of the company’s standard background investigation.

As part of this investigation, the human resources manager has requested that you provide the passwords to your personal Gmail account and your social network accounts on Facebook, MySpace, Google+ and LinkedIn. You are likely to be shocked that this intrusion into your personal life is a pre-condition of employment. It is also likely however, that if you follow your initial inclination and respectfully decline the employer’s request for your personal account passwords, your employment application will be rejected. Therefore, you acquiesce and provide your personal log-in information.

A week later, you are informed that you are no longer under consideration for the position without any explanation. You rack your brain to figure out what could have caused such a reversal of fortune; you recall that your Facebook friends posted on your private “wall” certain controversial political views, which you “liked.” Only then does it occur to you that the company may have decided that your political leanings are not in keeping with its corporate mission.

Today, as more of our professional and private interactions occur in online settings, many employers are checking job applicants’ and employees’ social media account profiles on Facebook, Twitter, Google+ and LinkedIn to gauge individuals’ suitability for employment. According to a 2011 survey of more than 300 hiring professionals conducted by social media monitoring service, Reppler, “more than 90 percent of recruiters and hiring managers have visited a potential candidate’s profile on a social network as part of the screening process” and “69 percent of recruiters have rejected a candidate based on [such] content.”

Certain employers have also adopted the more intrusive practice of requiring that current or prospective employees provide access to the password-protected private confines of their online social media accounts. Employers that seek unfettered access into the private online communications of current and prospective employees do a grave disservice to these individuals’ privacy rights.

An employer could use an employee’s or applicant’s private social network information to take adverse employment action based on the individual’s expression of political ideology within a private group on a social network, or in response to other off-duty conduct that would otherwise not be subject to scrutiny by the employer, such as whether the employee smokes tobacco. There is also the looming specter that the information gleaned from private online accounts may be used improperly by employers to take illegal employment actions on the basis of information concerning current or prospective employees’ protected class status: race, ethnicity, marital status, age, sexual orientation, pregnancy, religion or disability.

At present, no federal law explicitly prohibits employers’ attempts to gain access applicants’ and employees’ password-protected online social network content. Instead, employees and applicants are left to seek redress under the antiquated Stored Communications Act, the Computer Fraud and Abuse Act or the common-law tort of invasion of privacy. The federal laws have significant limitations in that neither of them was designed to cover the current technology used in Facebook and other social media sites. Moreover, the reported cases applying these laws and the common-law privacy tort to private social media accounts have resulted in a hodgepodge of inconsistent and at times seemingly inequitable outcomes.

Although federal legislation has been introduced to bar employers from requiring employees or job applicants to provide user log-in or passwords to social media and email accounts, the prospects for passage are uncertain. In 2012 and 2013, several states enacted or proposed legislation intended to protect job applicants’ and employees’ private online information. In May 2012, Maryland became the first state to enact a password-protection statute. As of September 2013, another twelve states have enacted password-protection statutes and provisions are under consideration in some 20 other states.

The state statutes vary widely as to their scope in a number of key areas including:

1. what conduct is proscribed;
2. whether only social media accounts are protected, or other online accounts such as electronic mail, are also covered;
3. whether employees and applicants are afforded a private right of action;
4. what remedies are available; and
5. whether there are statutory exceptions for instances in which employers seek access to password-protected personal information in furtherance of legitimate business purposes, such as workplace harassment investigations or compliance with legal or regulatory requirements.

The expanding lattice of state laws will present questions of applicability of the provisions between employees, applicants and employers of different states. For example, if a California-based employer improperly demands access to the social network of a Michigan resident, will it be subject to California and/or Michigan’s password-protection statutes? In such a scenario, the answer could determine whether the case would proceed, as the Michigan statute provides for a private right of action, while the California statute does not.

In light of these challenges, a comprehensive federal statute is needed to provide employees and job applicants with the means to protect their private online information from unwarranted scrutiny by employers. The author proposes a model federal statute, the Personal Electronic Account Privacy Protection Act (PEAPPA), which would protect employee’s and job applicant’s private online information by setting a nationwide standard that is certain and manageable.

Under the model PEAPPA, employers would be prohibited from requiring or requesting that an employee or applicant provide access, allow observation or disclose information to permit access to the employee’s or applicant’s personal electronic accounts. Personal electronic accounts would be defined broadly to cover not only social network accounts, but also email accounts and other electronic communication channels that may emerge in the future. The PEAPPA would prevent employers from requesting users’ passwords, as well as the practice of “shoulder-surfing,” in which the employer reads over the employee’s or applicant’s shoulder while he logs in to his private online accounts.

The protections of the PEAPPA will also create a necessary disincentive for employers who would use employees’ and applicants’ private online information to make employment decisions based on otherwise protected classifications, such as gender, race, marital status, religion, disability, or sexual orientation and those that are currently unprotected like membership in disfavored political organizations.

Ralph Carter is the Executive Notes and Comments Editor, Journal of Civil Rights and Economic Development.

Suggested citation: Ralph Carter, In Favor of Stronger Federal Protection for Employees’ and Applicants’ Online Social Network Accounts JURIST – Dateline, Sept. 17, 2013, http://jurist.org/dateline/2013/09/ralph-carter-privacy-rights.php.