The apparent practice by employers of requesting access to employees’ and applicants’ social media accounts, such as Facebook and Twitter, has led the state of Michigan to pass the Internet Privacy Protection Act (PA 478 of 2012) (IPPA). The Act was signed by Governor Rick Snyder on December 27, 2012, as part of a flurry of late-session legislative activity and given immediate effect.
The Act applies to both public and private employers and prohibits an employer from requesting or requiring an employee or applicant: (1) to grant the employer access to the individual’s personal internet account; (2) to allow the employer to observe the individual’s personal internet account; and (3) to disclose information to the employer that would allow access to the individual’s personal internet account. It also prohibits an employer from discharging, disciplining, failing to hire, or otherwise penalizing an employee or applicant for refusing to comply with a request in violation of the Act.
“Personal internet account” is defined as “an account … established by an internet-based service that requires a user to input or store access information … to utilize … the user’s account.” This definition encompasses more than just social networking sites and likely includes any online account requiring a username and password, such as web-based email accounts or cloud server accounts.
The IPPA also clarifies acceptable conduct by listing employer activities that are not prohibited. Specifically, the Act does not prohibit an employer from requiring an employee to disclose access information for an electronic communications device paid for in whole or in part by the employer, or for an account provided by the employer, obtained by virtue of the employment relationship, and used for the employer’s business purposes. Employers also do not violate the Act when they view material or utilize information about an employee or applicant that can be obtained without personal access information or that is available in the public domain.
Additionally, a Michigan employer does not violate the IPPA when it does any of the following:
- Disciplines or discharges an employee for transferring the employer’s proprietary information, confidential information, or financial data to an employee’s personal account without authorization.
- Requires an employee to cooperate in investigations involving compliance with applicable laws, workplace misconduct, and unauthorized transfers of the employer’s proprietary and confidential information, if there is specific information about such activity occurring on the employee’s personal internet account.
- Restricts access to specific websites while using an electronic communications device paid for in whole or in part by the employer, or while using the employer’s network or resources.
- Monitors, reviews, or accesses electronic data stored on a device paid for by the employer or traveling through or stored on the employer’s network, provided such activity is otherwise in accordance with state and federal law.
Furthermore, the Act does not prohibit or restrict employer compliance with a duty to screen or monitor employees pursuant to federal law. It also does not create a duty for an employer to search or monitor the activity of a personal internet account and shields an employer from liability for failure to seek access to an employee’s or applicant’s personal internet account. Finally, it creates an affirmative defense for employers when acting to comply with the requirements of a state or federal law.
A person who violates the prohibitions of the Act is guilty of a misdemeanor punishable by a fine of not more than $1,000. Since the Act uses the term “person” and broadly defines “employer” to include “an agent, representative, or designee of the employer,” any supervisor, manager, or human resources professional who acts in violation of the statute would be subject to these penalties, as well as civil liability.
An individual who is subject to a violation of the Act may bring a civil suit to enjoin the violation and may recover no more than $1,000, plus reasonable attorneys’ fees and costs. However, no later than 60 days before filing a civil suit for damages or adding a damages count to an existing suit for an injunction, the victim must make a written demand to the alleged violator for not more than $1,000 and must include reasonable documentation of the violation.
While the conduct proscribed by the statute does not appear to be widespread among Michigan employers, it remains important for employers to tread carefully when creating and applying social media and internet policies and when seeking information about employees and applicants via the internet for any purpose. Such conduct can create a host of pitfalls that are not readily apparent. With its potential to have an impact on everything from background checks to workplace investigations, the IPPA will likely add to such pitfalls.
Employer policies and practices in this area should be strategically developed as part of an overall human resources policy.
* The Act also addresses an educational institution’s requests for access information from its students. However, this article only focuses on those portions of the Act affecting employers.