Oregon’s Social Media Account Protection Act
On May 22nd, Oregon enacted its own social networking privacy law, becoming the thirteenth state nationwide to do so. The law aims to protect employee social-networking privacy by prohibiting their employers from requiring access to employees’ accounts.
We previously blogged about similar legislation passed in Washington state, Utah, New Mexico, Arkansas, California, Illinois, and Maryland, among others. The new Oregon statute shares some of the same features. Oregon employers are now prohibited from requiring employees and job applicants to (a) turn over account logins, or (b) allowing employer access to their accounts (i.e. by adding employer reps to their accounts, or opening accounts in the presence of employer reps). Nor can employers discipline or retaliate against employees, or refuse to hire applicants, for invoking the law’s protection. The law was made part of Oregon’s existing employment discrimination statutes, and thus allows the Attorney General’s office or aggrieved employees or applicants to sue employers for money damages, a minimum $200 penalty, punitive damages, injunctions, attorneys’ fees, reinstatement, back pay, and ‘other appropriate relief.’
Yet similar to Washington state’s recently passed legislation, the Oregon statute also contains a number of concessions for employers. A plaintiff employee who loses his or her lawsuit against the employer is subject to having to pay the employer’s attorneys’ fees, albeit likely limited to instances where the claim was frivolous or brought in bad faith. A third party may not sue an employer (i.e. for negligent hiring or retention) for its ‘failing’ to request or require employee account logins. The law permits employers to require employees to provide ‘personal’ account access (but not through login disclosure) for an investigation into work-related misconduct involving the employee’s use of the account. An employer is not liable for its ‘innocent discovery’ of protected employee logins while monitoring its own networks and devices (but the employer may not use the logins). And an employer may require logins for those accounts ‘provided by, or on behalf of, the employer, or to be used on behalf of the employer.’
Which brings us to a fairly wide gap in the law’s text, as we similarly described in our Washington post. The Oregon law does not define ‘personal’ accounts, or on the flip side, those which are ‘provided by, or on behalf of, the employer, or to be used on behalf of the employer.’ Court decisions in the last few years indicate that employers may have at least some ownership rights to LinkedIn, MySpace, and Twitter accounts which an employee uses for both personal and employment purposes, where the employer had a significant hand in creating, developing, or maintaining the account. The Oregon law’s exception for employment-related accounts will likely have the same result. An employer can elude the statute by writing into its job description the requirement that employees create an account, or use their pre-existing accounts (even personal accounts), as part of their job duties, and by taking the appropriate corresponding measures. So, will the Oregon statute really achieve its intended purpose?
Vermont’s New Social Media Privacy Committee
On May 24th, Vermont passed a law which established a single-purpose ‘Committee’ to study and recommend possible social-networking privacy legislation. The Committee would include designated representatives of the Attorney General, Commissioners of Labor, Financial Regulation, Human Resources, Human Rights,[1] and Public Safety, as well as two appointed representatives of both employers and labor-unions, and a Vermont ACLU representative. The Committee must begin meeting before September 1, 2013 (with the Labor Commissioner as its chair), and must report to the Assembly by January 15, 2014.
The Committee’s stated tasks include looking at existing and proposed state and federal privacy laws, including the ‘interplay’ between state and federal law, and considering other factors relevant to employee social-networking privacy. As we discussed in previous blogs, among the topics the Committee should consider are (1) more precisely defining ‘personal’ and ‘employment’ social-networking accounts (lest the confusion between protected and unprotected accounts, as explained in our post on the initial Washington privacy bill), and (2) the conceptual conflict between growing state privacy legislation, on the one hand, and the recent strengthening of federal trade secrets theft laws and enforcement policy, on the other, which in significant part are for the benefit of American employers.
[1]More precisely, the Executive Director of the Human Rights Commission.