Privacy & Information Security Law Blog

On April 9, 2012, Maryland became the first state to pass legislation that would prevent employers from asking or forcing employees and applicants to hand over their social media login credentials. The bill, which passed the state Senate unanimously (Senate Bill 433) and the House of Delegates by a wide margin (House Bill 964), now awaits Maryland Governor Martin O’Malley’s signature.

The proposed law would prohibit any “person engaged in a business, an industry, a profession, a trade, or other enterprise in the state, or a unit of State or local government” from requesting or requiring that an employee or applicant disclose any username, password or other means for accessing a personal account or service through an electronic communications device. The Maryland bill also bars employers from firing, disciplining or otherwise penalizing an employee, or failing or refusing to hire an applicant, who refuses to disclose such information. Although the law appears to be relatively broad in scope, critics have noted that it would not prevent employers from “shoulder surfing” to see what employees or applicants have posted online, or from requiring employees to “friend” them on social media sites.

Legislatures in other states such as California, Illinois and Michigan are considering similar bills prohibiting employers from accessing the social media login information of employees and applicants.

The issue came to the attention of the Maryland legislature after a Maryland Department of Public Safety and Correctional Services officer alleged that he had been asked to provide his Facebook login information during a reinstatement interview. In response to over 100 complaints filed by the American Civil Liberties Union on behalf of the officer and other individuals, in February 2012, the Department suspended the practice for 45 days to investigate further. The Department asserted, however, that it had sought to explore applicants’ online interactions to screen employees for gang affiliations, not to invade their privacy.

Facebook’s Chief Privacy Officer recently addressed reports of employers seeking access to the Facebook passwords and profiles of prospective employees, emphasizing that the “practice undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability.”