Employee Online Privacy Act

Summary

Job applicants and employees are increasingly using online accounts for their personal communication and social networking.  Potential and actual employers should not request or require access to these personal accounts, except in cases where the employer is obligated to investigate activities that may involve personal accounts.  The Model Employee Online Privacy Act protects employees and applicants’ personal Internet accounts from unwarranted access by employers.  At the same time, the Act preserves employers’ obligations to maintain a safe work environment, protect intellectual property, and comply with applicable laws.

Employee Online Privacy Act

Employee Online Privacy Act 

Summary

Job applicants and employees are increasingly using online accounts for their personal communication and social networking.  Potential and actual employers should not request or require access to these personal accounts, except in cases where the employer is obligated to investigate activities that may involve personal accounts.  The Model Employee Online Privacy Act protects employees and applicants’ personal Internet accounts from unwarranted access by employers.  At the same time, the Act preserves employers’ obligations to maintain a safe work environment, protect intellectual property, and comply with applicable laws.

Section 1 – Title.

This chapter is known as the “Employee Online Privacy Act.”

Section 2 – Definitions.

As used in this chapter:

(1) “Adverse action” means to discharge, threaten, or otherwise discriminate against an employee in any manner that affects the employee’s employment, including compensation, terms, conditions, location, rights, immunities, promotions, or privileges.

(2) “Employer” means a person, including the state or a political subdivision of the state, that has one or more workers employed in the same business, or in or about the same establishment, with the right to control and direct the work provided by such workers.

(3) “Law enforcement agency” is as defined in [insert section].

(4)     (a) “Personal Internet account” means an online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.

(b) “Personal Internet account” does not include an account created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer.

Section 3 – Prohibited and Permitted Activities

Employer may not request disclosure of information related to personal Internet account.

An employer may not do any of the following:

(1) request or require an employee or an applicant for employment to disclose a username and password, or a password that allows access to the employee’s or applicant’s personal Internet account; or

(2) compel an employee or applicant for employment to add the employer or an employment agency to the employee’s or applicant’s list of contacts associated with a personal Internet account;

(3) compel an employee or an applicant for employment to access a personal Internet account in the presence of the employer in a manner that enables the employer to observe the contents of the employee’s or applicant’s personal Internet account.

(4) take adverse action, fail to hire, or otherwise penalize an employee or applicant for employment for failure to disclose information or take actions specified in subsection (1)-(3).

Permitted actions by an employer.

(1) This chapter does not prohibit an employer from doing any of the following:

(a) requesting or requiring an employee to disclose a username or password required only to gain access to the following:

(i) an electronic communications device supplied by or paid for in whole or in part by the employer; or

(ii) an account or service provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;

(b) disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization;

(c) conducting an investigation or requiring an employee to cooperate in an investigation in any of the following:

(i) if there is specific information about activity on the employee’s personal Internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or

(ii) if the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal Internet account;

(d) restricting or prohibiting an employee’s access to certain websites while using an electronic communications device supplied by, or paid for in whole or in part by, the employer or while using an employer’s network or resources, to the extent permissible under applicable laws; or

(e) monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by, or paid for in whole or in part by, the employer, or stored on an employer’s network, to the extent permissible under applicable laws.

(2) Conducting an investigation or requiring an employee to cooperate in an investigation as specified in Subsection (1)(c) includes requiring the employee to share the content that has been reported in order to make a factual determination.

(3) This chapter does not prohibit or restrict an employer from complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications that is established under federal law, by a self-regulatory organization under the Securities and Exchange Act of 1934, 15 U.S.C. Sec. 78c(a)(26), or in the course of a law enforcement employment application or law enforcement officer conduct investigation performed by a law enforcement agency.

(4) This chapter does not prohibit or restrict an employer from viewing, accessing, or using information about an employee or applicant that can be obtained without the information described in Subsection (1) or that is available in the public domain.

Chapter does not create duties.

(1) This chapter does not create a duty for an employer to search or monitor the activity of a personal Internet account.

(2) An employer is not liable under this chapter for failure to request or require that an employee or applicant for employment grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant for employment’s personal Internet account.

Section 4 – Remedy

(1) The state Attorney General may bring may bring a civil cause of action against an employer in a court of competent jurisdiction on behalf of a citizen an aggrieved by a violation of this chapter.

(2) In an action brought under Subsection (1), if the court finds a violation of this chapter, the court shall award the state not more than $500 per violation.

Section 5 – Effective Date

This act takes effect upon approval by the Governor.

Section 6. Severability Clause

If any provision of this chapter or the application of any provision of this chapter is found invalid, the remainder of this chapter shall be given effect without the invalid provision or application.

Section 7. Repealer Clause

The following laws are hereby repealed:

 

Approved by the Communications and Technology Task Force at the 2013 Spring Task Force Summit on May 3, 2013.

Approved by the ALEC Board of Directors on August 5, 2013.

Re-approved by the ALEC Board of Directors on December 26, 2018.