By Robert Milligan, Jessica Mendelson, and Joshua Salinas

On September 27, 2012, California Governor Jerry Brown signed two bills, AB 1844 and SB 1349, into law, making California the third state in the country – Maryland and Illinois are the others – to regulate employers’ ability to demand access to employees’ or prospective hires’ personal social media accounts. Appropriately enough, Governor Brown made the announcement via five major social media networks: Twitter, Facebook, Google+, LinkedIn and MySpace. Brown tweeted, “California pioneered the social media revolution. These laws protect Californians from unwarranted invasions of their social media accounts.”

California Assembly Bill 1844

California Assembly Bill 1844 (“AB 1844”) “prohibit[s] an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.” In other words, an employer may neither request nor require an employee or an applicant to divulge his or her personal social media account information.

This law, however, allows employers to request that an employee divulge social media “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.” Furthermore, this law prohibits employers from threatening or taking retaliatory measures against employees who fail to comply with employer requests or demands that violate the statute.

This law “does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.” Finally, unlike many other labor and employment laws, “the Labor Commissioner . . . is not required to investigate or determine any violation of this act.”

Senate Bill 1349

Senate Bill 1349 (“SB 1349”) prohibits public and private postsecondary educational institutions, and their employees and representatives, from requiring students or prospective students to disclose their personal user names or passwords, or to divulge personal social media information.

SB 1349 requires private nonprofit or for-profit postsecondary educational institutions to post their social media privacy policies on their Internet websites.

Both AB 1844 and SB 1349 define the term “social media” broadly to include “electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”

Perspectives on the Bills

Proponents of these social media laws believe the laws will benefit the business community by providing California businesses with a shield from legal liability against plaintiffs who allege that these businesses have a legal duty to monitor their employees’ social media accounts. Additionally, they argue that this legislation could potentially save businesses millions of dollars by reducing costs related to monitoring social media accounts and cyber liability insurance premiums. Recently, both the California Chamber of Commerce and organized labor have expressed their support for the law.

Opponents of the bill argue that it will hurt employers by limiting their ability to regulate the workplace and investigate misconduct. Others believe the bill may make it more difficult for companies to identify workplace harassment. Members of the financial industry, including FINRA, argued that while the bill may have been well intended, it conflicts with the duty of securities firms to record, supervise, and maintain business-related communications.

Some legal commentators have also expressed their concern that the definition of “social media” is far too broad because it governs effectively all digital content and activity. In fact, Illinois excludes “e-mail” from the definition of social media in its version of the statute.

What These Laws Mean For Employers

Businesses in California should take steps to comply with these new laws, which will go into effect on January 1, 2013. Employers should make sure that interviewers or other persons involved in the hiring process do not request personal user names or passwords from applicants. Additionally, employers will need to be careful with company social media accounts. While the laws only apply to personal accounts, the lack of definition of the phrase “personal” is problematic, particularly since it is not always clear who owns company social media accounts. We have previously blogged on cases concerning the ownership of “social media assets” on Twitter, Facebook, and MySpace. Some experts recommend that companies utilize ownership agreements governing the social media accounts and content created by employees on behalf of the company and that they always have the account name and password for the company social media account (certainly prior to the employee’s termination). It may be helpful for employers to create clear policies on this issue to prevent future disputes.

Finally, employers should understand that the law does not constitute a complete ban on employers’ access to their employees’ social media sites. Employers are still permitted to require employees to divulge social media passwords when the information is used solely to investigate allegations of employee misconduct or employee violation of applicable laws and regulations. Similarly, employer-issued electronic devices do not fall under the umbrella of AB 1844; the bill specifically states that it shall not be construed to preclude an employer from requiring an employee to disclose passwords or usernames for such devices. Notwithstanding, an employer cannot ask for access to the “personal social media” that may be contained on the employer-issued electronic device.

There may also be additional issues for employers that employ BYOD (bring your own device) policies, where the employee uses their own personal device to access company email, applications, or other data. While the employer may not technically own the device, it still has an interest in its data and information that reside on the device. The broad definition of social media and lack of definition of “personal” in the new law may lead to some unintended consequences for employers.