On August 29, 2013, a more limited social media privacy bill (A2878), adopting the common sense conditions set forth in Governor Chris Christie’s previous conditional veto, was enacted. The new law, effective December 1, 2013, will bar employers from requiring or requesting that any current or prospective employee:
- disclose his or her username or password to a personal social media account;
- provide the employer access to his or her personal social media account;
- waive the rights or protections of the bill as a condition of applying for or receiving an offer of employment.
Under the law, a protected “personal” social media account is one used by an applicant or employee exclusively for personal communications unrelated to any business purposes of the employer. It does not apply to any account or profile created, maintained, used, or accessed by a current or prospective employee for business purposes of the employer or to engage in business-related communications. Based on this definition, a social media account used by an applicant or employee for both personal and business-related purposes (such as LinkedIn) likely falls outside the protections of the bill. How an employer may navigate that distinction in a given situation, however, is not entirely clear.
Of note, the original bill also sought to bar employers from merely asking whether applicants had a social media account—information necessary for many employers to gauge the candidate’s technological skills and media savvy. That language was omitted from the revised bill signed by Governor Christie.
The enacted law provides that it should not be construed to prevent employers from complying with the requirements of state or federal law, or from implementing or enforcing policies concerning the use of employer-issued electronic communications devices or personal devices used for business purposes (BYODs). Further, the law does not infringe upon an employer’s right to conduct an investigation into certain work-related misconduct (including harassment or potential disclosure of the employer’s proprietary information) based upon the receipt of specific information about such activity on an employee’s personal account. Pursuant to Governor Christie’s suggestion, the law also permits employers to review and rely upon any social media information found in the public domain.
Finally, the law prohibits retaliation or discrimination against individuals who refuse to divulge their usernames or passwords or provide access to their personal accounts, who object to violations of the law, or who report a complaint under the Act. Employers that violate the Act are subject to a civil penalty (from $1,000 to $2,500), but not civil liability. Language in prior versions of the bill providing for a private cause of action was omitted from the legislation signed by Governor Christie.