By Jessica Mendelson and Robert Milligan

The Michigan Legislature recently passed the Internet Privacy Protection Act (“IPPA”), otherwise known as House Bill 5523. On December 28, 2012, Michigan Governor Rick Snyder signed the IPPA, making Michigan the fourth state to enact a social media privacy law regulating employers. In explaining the reasoning behind the law, Governor Snyder stated, “Cyber security is important to the reinvention of Michigan, and protecting the private internet accounts of residents is a part of that. Potential employees and students should be judged on their skills and abilities, not private online activity.”

The IPPA prohibits both educational institutions and employers from requesting access to personal internet or social media accounts of employees or students. Furthermore, the act prohibits employers and educational institutions from retaliating against a person who fails to disclose such information.

The act broadly defines the terms employer and educational institution. “Employer” includes both public and private employees, as well as representatives and agents of an employer. Similarly, educational institutions include both “public or private educational institutions” ranging from nursery school through graduate school, and the term is construed “broadly to include . . . institutions of higher education to the greatest extent consistent with constitutional limitations.” The law defines the phrase “personal internet account” as an “account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.”

IPPA prohibits employers from requesting employees or applicants for employment grant access to or disclose information permitting the employer to access the employee or applicant’s personal email account. Furthermore, employers are prohibited from engaging in retaliatory behavior for an employee or applicant’s failure to provide access to his or her personal email account. Similarly, educational institutions cannot require students or prospective students to grant access to or disclose information allowing access to his or her personal internet account, nor can these institutions penalize a student or prospective student for failure to disclose this information.

IPPA does not prohibit an employer from requesting an employee provide access to an electronic communications device paid, in whole or in part by the employer, or an account or service “provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.” Furthermore, the law does not prevent employers for disciplining or discharging an employee who obtains confidential or proprietary information from his or her employer without authorization. In addition, there is an investigation exception allowing employers to request an employee divulge social media information to ensure compliance with laws or regulatory requirements, to prevent unauthorized transfer of the employer’s proprietary or confidential information, restricting access to certain websites on employer’s communication devices. Finally, the IPPA does not prohibit or restrict an employer from “complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or viewing information available in the public domain.

With respect to educational institutions, the IPAA does not prohibit an educational institution from requesting or requiring a student to disclose access information to electronic communications devices paid for by the institution, or account or services provided by the institution used for educational purposes. Nor are educational institutions prohibited from viewing information available in the public domain.

The IPPA does not create a duty for an employer to monitor the activity of an employee’s personal internet account, nor is an employer liable for failing to request access to a personal internet account. The IPAA also provides for criminal and civil penalties: violators can be found guilty of a misdemeanor and may suffer financial penalties of a maximum of $1000, plus reasonable attorney fees and court costs in the case of a civil action.

Unlike the California social media law, which we previously blogged on, the Michigan social media law more clearly differentiates between personal and employer-owned social media accounts. There may be still be issues regarding who is the owner of certain information but the statute at least attempts to provide clarity on the meaning of “personal” and excludes from its prohibitions devices paid for by the employer from its prohibitions, as well as  accounts or services “provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.” We have previously blogged about cases concerning the ownership of “social media assets” on Twitter, Facebook, LinkedIn, and Myspace, each of which illustrate the importance of clear policies regarding the ownership of company social media accounts. Here, the law focuses on who owns the account in order to determine whether there is a privacy right. As a result, both public and private employers will need to make sure that they employ social media ownership agreements with their employees to ensure that company social media accounts stay with the company and that the employer has the username and password for the account when the employee departs.

The enactment of this statute makes Michigan the fourth state, along with California, Maryland, and Illinois to restrict employers from accessing employees’ and applicants’ social media accounts (Delaware and New Jersey have passed social media privacy legislation protecting students’ social media accounts). In all likelihood, 2013 will see additional social media laws passed throughout the country. Vermont, Texas, Missouri, and California (to apply to public employers) are considering social media privacy legislation. We will continue to keep you apprised of future developments in social media legislation.