Last week, Michigan enacted a social media privacy law that prohibits employers and educational institutions from requesting access to the personal social media or other internet-based accounts of employees or students. The new law, known as the Internet Privacy Protection Act, provides that employers or educational institutions (ranging from elementary schools through institutions of higher learning) may not request or require an employee, job applicant, or current or prospective student to grant access to or disclose login information for the individual’s “personal internet account,” which is defined broadly as an “account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.”
Notably, the statute contains a number of exceptions, including for when:
1. The employer pays for an “electronic communications device,” in whole or in part;
2. The account or service is provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;
3. An employee transfers the employer’s “proprietary or confidential information or financial data” to the employee’s personal internet account without authorization;
4. The employer is conducting a workplace investigation, provided that the employer has “specific information” about activity on the employee’s personal internet account or the unauthorized transfer of the employer’s data to the employee’s account; or
5. The employer is “monitoring, reviewing, or accessing electronic data” traveling through its network.
The law also does not restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications as required under federal law or by a “self-regulatory organization” as defined by the Securities Exchange Act of 1934 (such as the Financial Industry Regulatory Authority, or FINRA, which has issued guidance regarding the need for regulated institutions to monitor their employees’ business-related social media communications).
With the enactment of this statute, Michigan joins California, Maryland, Illinois, and New Jersey in restricting employers from accessing employees’ and applicants’ social media accounts. Delaware and New Jersey have also passed laws protecting the privacy of students’ social media accounts. The coming year should see additional legislative activity in this area, as social media privacy bills are under consideration in Missouri, Texas, and other jurisdictions.