The Spectacular Failure of Employee Social Media Privacy Laws

[Eric’s introductory note: this post has been sitting in the drafts folder since October. I had planned to convert it into a Forbes post, but that ambition instead caused the post to fester for 7 months. Numerous new state laws have been passed since I wrote this post. I could have tried to update the post to address the new laws, but that ambition would likely push this post back even further or kill it altogether. So, instead, I’m posting the October version basically verbatim. I hope you enjoy it despite its partial staleness.]

I previously blogged about California Labor Code 980, the law attempting to restrict employers from asking for employees’ social media login credentials. In October 2013, I spoke at a conference at Chapman Law School on the topic, and researching the talk prompted me to look at the state laws throughout the country.

Photo credit: Failed test or exam and disappointed woman // ShutterStock

The National Conference of State Legislatures has a helpful page collecting the various state bills. According to the NCSL, 36 states have introduced or passed laws as of September 12, 2013. I read all of the passed laws in preparing for the conference, and it was a singularly disheartening experience. States have taken different approaches to drafting their laws, but almost all of them were technologically illiterate. Ever wonder how many different ways legislatures can fail? Try reading the text of these passed bills in one sitting and you’ll have a good answer.

At my talk, I addressed two structural problems and one conceptual problem about the laws:

Structural problem #1: The social media exceptionalism question: What is a “social media” account and how does it differ from other types of online accounts? The various states’ handling of this is interesting. Here’s what I found:

California and Nevada basically make no attempt to limit themselves to social media, despite the specific nomenclature. Instead, they apply to all digital data, online or off. The definition reads “an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.” (emphasis added)

Illinois, New Jersey and New Mexico define social media using a definition like this: “an Internet-based service that allows individuals to do the following: (1) construct a public or semi-public profile within a bounded system created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.” (emphasis added)

This definition is narrower than California’s but it’s not better. First, what is a “semi-public” profile, and how does it differ from a public or non-public profile? Is there even such a thing as a “semi-private” or “non-public” profile? Who knows? It makes me wonder how many eyeballs looked at these laws while still in draft form and simply ignored or rubberstamped these meaningless phrases.

Second, what does “a bounded system” mean? The phrase also shows up in Michigan’s statute: “an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.” The “bounded system” phrase sounds like a walled garden of some sort, but most walled gardens aren’t impervious. So what delimits the boundaries the statute refers to, and what does an “unbounded” system look like?

I was especially flummoxed by Washington’s statute, which uses the term “personal social networking account” but, as far as I could tell, never defines it. What in the world does the term mean? [Note: it appears Washington made significant changes to its statute before passage, as Venkat’s critique illustrates. Oddly, it doesn’t appear the changes improved the statute!]

Colorado and Maryland adopted definitions of the regulated accounts that are completely nonsensical and ungrammatical: “employee’s or applicant’s personal account or service through the employee’s or applicant’s…computers, telephones, personal digital assistants, and other similar devices.” Any ideas what this means?

The most useful definition comes from Oregon because at least I understand it. Oregon regulates all user-generated content accounts, whether or not we’d call them “social media” accounts. (The definition: “an electronic medium that allows users to create, share and view user-generated content, including, but not limited to, uploading or downloading videos, still photographs, blogs, video blogs, podcasts, instant messages, electronic mail or Internet website profiles or locations”).

After seeing this murderers’ row of ineffectual and misguided legislative drafting, I’m reminded of one of my helpful tips for legislatures: If you can’t define it, you can’t regulate it.

I haven’t seen too many substantive criticisms of these social media privacy laws, but let me point to one of my favorite law review articles of all time, Lior Strahilevitz’s Reputation Nation. The article explains the cross-elasticity of reputation information sources. If we suppress the most useful sources for economic decision-making, the decision-maker still needs information to make their decision, which pushes them towards inferior proxies like racial stereotypes. So while I think prospective employers are overreaching by mining their candidates’ social media accounts, I also wonder if suppressing that information just pushes employers to rely on less desirable evaluation criteria. At the same time, as Kash Hill has subsequently pointed out, it’s not clear the information helps the employer make better decisions, so perhaps the laws are just inhibiting employers from relying on bad info that they would have learned to ignore anyway.

At the conference, an employment lawyer thought the whole law was a red herring because she had never seen an employer engage in the regulated behavior. Even though Venkat and I have occasionally seen cases where employers sought login credentials, her point is still valid: are we spending a lot of time and money to regulate a behavior that would have rarely occurred even without legislative intervention?

Structural problem #2: What is a “personal” social media account? The California law says “Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.” By definition, this exclusion doesn’t cover “bring your own devices” (BYOD) and online accounts. This creates the possibility that the employer and employee might legitimately disagree about whether an online account (or, for that matter, any digital data) is the employer’s or the employee’s.

In contrast to California’s weak handling of the issue, Arkansas says:

“Social media account” does not include an account: (i) Opened by an employee at the request of an employer; (ii) Provided to an employee by an employer such as a company email account or other software program owned or operated exclusively by an employer; (iii) Setup by an employee on behalf of an employer; or (iv) Setup by an employee to impersonate an employer through the use of the employer’s name, logos, or trademarks.

This is good, but the Arkansas statute also says: “This section does not prohibit an employer from viewing information about a current or prospective employee that is publicly available on the Internet.” What does “publicly available” mean in this context? This is the same issue with the “public”/“semi-public” language discussed above. Courts can’t resolve whether a publication just to friends is “public” or not.

Even worse, New Mexico and Michigan say that employers can access information that is in the “public domain.” Do they mean “public domain” in the copyright sense? Is it some undefined lay sense? Something else?

Or how about Oregon’s approach: “Nothing in this section prohibits an employer from accessing information available to the public about the employee or applicant that is accessible through an online account.” Well, by definition, the author must be able to access his/her information through his/her own online account, so doesn’t this become a tautology?

I thought Illinois and Utah had the best solution. Illinois’ language:

For the purposes of paragraph (3.5) of this subsection, “professional account” means an account, service, or profile created, maintained, used, or accessed by a current or prospective employee for business purposes of the employer. For the purposes of paragraph (3.5) of this subsection, “personal account” means an account, service, or profile on a social networking website that is used by a current or prospective employee exclusively for personal communications unrelated to any business purposes of the employer.

The narrow definition of a personal account helps limit the bill’s reach substantially, which in turn reinforces my question about whether such a narrow law is necessary and beneficial.

A Conceptual Problem. My anecdotal survey reinforces how a decent policy objective–prevent employers from inappropriately demanding employees’ social media passwords–can be hard to convert into rigorous legislative drafting, especially in technology contexts. To me, the lesson is that if rigorous legislative drafting isn’t likely, maybe the policy objective isn’t worth pursuing in the first place. It appears state legislators have drawn a different lesson from the data I see.