October 05, 2012
Big Problems in California's New Law Restricting Employers' Access to Employees' Online Accounts (Forbes Cross-Post)
By Eric Goldman
Last week, California Governor Jerry Brown signed two laws restricting demands for social media accounts or login credentials. Senate Bill 1349 restricts schools' access to students' social media accounts. Assembly Bill 1844 restricts employers' access to employees' social media accounts.
Superficially, both laws sound like a good idea. It's ridiculous to force people to disclose social media content if they don't want to do so; not only can that violate the accountholder's privacy, but it can violate the privacy rights of innocent third parties. Demanding access to a social media account can be just as invasive as demanding access to an email account, something we all already know is off-limits.
Still, new legislation is a blunt tool, and it's not the right solution to every problem. In this situation, California's new laws create two problems, one big and the other bigger.
The Big Problem: "Social Media" Isn't Definable, So the Law Covers More Than Anyone Expects
Although the laws expressly say they are regulating "social media" like Facebook or Twitter, it's not possible to define "social media" as a subset of the Internet ecosystem. As evidence of this definitional challenge, look at the statutes' definition of "social media" (it's the same for both bills):
"social media" means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.
In other words, the law governs effectively all digital content and activity, both on the Internet and stored in local storage devices, not just social media. After all, what digital resource isn't "an electronic service or account, or electronic content"? The coverage of the law has focused only on its application to social media accounts, but the law's unexpectedly broad reach--including to locally-stored content--virtually ensures that the law will have unintended consequences.
The Bigger Problem: It's Often Not Clear When Social Media Accounts Are "Personal"
In addition to the breadth problem, AB 1844 (regarding employer/employee relationships) makes a serious conceptual error. The law restricts employers' access to "personal" social media, presumably in contradistinction to "business-related." Yet, the law doesn't define when a social media account is "personal," leaving all of us to speculate what that means.
Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that's completely contrary to the cases I'm seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related--but many employees' social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related. See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.
Meanwhile, employers can--and should--demand that employees provide them with the login credentials to business-related social media accounts. In fact, I've previously said "the cardinal rule about employee-operated social media accounts: get the login credentials BEFORE terminating the employee."
Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to "personal" accounts. This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn't expressly allow employers to access mixed accounts; and the statute doesn't give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related. Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly--and avoidable--litigation.
Note: SB 1349 uses the same "personal" terminology as AB 1844, but it's more likely to be clear when a student's accounts are personal than with employees.
Question for you: are you surprised to see a state legislature enact an Internet-related bill with obvious problems? (Please, answer that question honestly). Speaking for myself, I always assume that a state legislature trying to "fix an Internet problem" will botch the job. After all, state legislatures have a virtually unbroken history of poorly designed Internet regulations. (See some examples on my 2007 ranking of the best and worst Internet laws). In a future post, I hope to explain why state legislatures should never regulate the Internet.
For now, you can see why I'm not cheering California's new laws, even though I support their motivations. It's hard to get enthusiastic about a new law--especially when it relates to the Internet--that, from day 1, has manifest problems that could have been avoided with more considered policy-making. I also wish that the many other state legislatures considering similar legislation will learn from California's drafting mistakes; but realistically, state legislatures never learn from each other's mistakes, especially when legislators are overeager to "do something about privacy."
Posted by Eric at October 5, 2012 08:57 AM | Privacy/Security