Washington's Social Media Privacy Law
Washington businesses have good reason to carefully vet job applicants and manage existing employee behavior. Yet reviewing resumes and cover letters and references can seem almost naive now given the droves of unfiltered information available across various social media platforms.
This makes personal social media accounts, which are often not tailored toward a purely professional audience, a powerful tool for employers to vet applicants and keep tabs on employees, but also one rife for abuse.
In recognition of this potential for abuse, Washington state has enacted a social media privacy law that limits the ability of employers to request or require access to personal social media accounts of applicants and employees. This law is codified at RCW 49.44.200.
Today’s post will outline what employers can and cannot do under Washington’s social media privacy law and will touch on the remedial scheme available to employees and applicants whose privacy rights are violated.
Employers Can’t Ask For Or Require Access To Personal Social Media Accounts
Washington’s social media privacy law prohibits employers from requesting or requiring disclosure of certain information from employees or applicants concerning their personal social media accounts. The prohibitions set out below may strike you as fairly common-sense restrictions but, as the saying goes, common sense isn’t so common.
Employers can’t ask for or require disclosure of login information from job applicants or employees. This includes things like usernames, passwords, and other forms of authentication.
Logging In While Present
Not only are employer prohibited from requesting login information, they also can’t ask or require their employees or applicants to login to their social media accounts while the employer is present in order for the employer to view information.
For instance, an employer couldn’t ask an applicant to login to the applicant’s Instagram account during an interview to allow the employer to scroll through the applicant’s photos or otherwise access the account.
Adding To Contacts
An employer might be interested in being added as a contact in order to gain increased access to certain restricted content. However, employers can’t require their employees or applicants to add the employer (or another person) to their list of contacts for a given social media account.
For example, while an employer could, for instance, send a Facebook friend request, the employer could not require the employee or applicant to accept the request.
Changing Access Settings
By the same token, employers can’t request or require their employees or applicants to change the setting of a social media account that affects a third-party’s ability to view the contents of the account.
For example, the employer couldn’t ask an employee to change the privacy settings of her Facebook account to allow non-friends to view her photos.
There Are Several Exceptions That Apply To Existing Employees
There are a handful of common sense exceptions to the general privacy protections in Washington’s social media privacy law. Note that these apply only to existing employees.
Investigations Into Employee Misconduct
The first exception is made for certain types of investigations by the employer into employee activity. For example, if the employer is investigating an employee for breaking the law or transferring proprietary information, and if the employer needs social media content to determine whether such activities occurred, an employer may request certain content from the employee, subject to other limitations set out in the statute.
In no event, however, can the employer ask for or require the employee to provide his or her login information.
Exception is also made for a social network, intranet, or other technology platform primarily meant to facilitate work-related exchange, collaboration, or communication by employees or other workers. In other words, a work-related—not a personal—account.
For example, an employer who had employees communicate using Slack could likely request or require access to login credentials and information exchanged on that work-related messaging platform.
Employer-Provided Account Or Device
Employers can ask for or require login information for access to an account or electronic communications device that’s supplied by or paid for by the employer. Again, this is not so much an exception as it is a distinction between personal and work accounts/devices.
For example, an employer could likely ask for or require login information to a cellphone provided by the employer to an employee.
Employers Can’t Retaliate Against Employees Or Applicants For Exercising Their Privacy Rights
There are certain things Washington employers clearly cannot do when it comes to their employees’ or applicants’ personal social media accounts, but what if they do so anyway? It’s easy to imagine an employee or applicant, even one who knows her legal rights, feeling tremendous pressure to comply, fearing that she will be terminated or passed over for the job if she doesn’t.
Washington employers cannot take adverse action against an employee or an applicant who refuses to engage in the prohibited actions that are set out above. Which is to say, employers cannot discipline, discharge, or otherwise penalize an employee (or threaten to do any of these things) for refusing to engage in any of the prohibited actions. Similarly, employers cannot fail or refuse to hire an applicant for refusing to engage in the prohibited actions.
If an employer does take adverse action, there is a remedial scheme in place. An aggrieved employee or applicant has a right of action against the employer under RCW 49.44.205. In addition to recovering damages, a prevailing employee or applicant may recover her attorneys’ fees from the employer (plus a $500 statutory penalty), which makes it more economically viable to bring a lawsuit.
Employers should exercise extreme caution and restraint when considering asking for or requiring information relating to personal social media accounts from job applicants or current employees. Additionally, employers should establish clear written policies regarding access to, ownership of, and use guidelines for business-related social media accounts and devices. This can help clarify the (easily blurred) distinction between personal accounts and devices, on the one hand, and company-furnished accounts and devices, on the other.