Skip to main content

Online and Off-Limits: New California Legislation Prohibits Employers from Requiring Access to Social Media Accounts of Employees

Written by Jake Romero

Facebook announced last week that it now has upwards of 1 billion active users.  That same week, over 10 million Twitter messages were sent during the U.S. presidential debate.  With the number and use of social media websites rapidly expanding, your privacy rights with respect to your tweets, “likes” and status updates, even the ones about being hungry and/or sleepy, are the focus of new legislation enacted in California.

Assembly Bill No. 1844  prohibits an employer from “requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.”  AB-1844 also prohibits retaliation by the employer against any employee or applicant for not complying with employer demands that violate this prohibition.  A companion bill that was also enacted last week, Senate Bill No. 1349 , prohibits similar requests and requirements made by certain colleges of their students.

The greater likelihood is that in your hiring and retention practices, you are not specifically requiring employees and prospective employees to hand over their user names and passwords.  However, AB-1844 defines “social media” as “an electronic service or account, or electronic content, including, but not limited to, video, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”  This definition is quite broad, and can potentially be applied to a large swath of digital content that is not traditionally thought of as “social media.”  As a result, we recommend that you consider the following steps to ensure that you do not inadvertently violate AB-1844 or lose control of or access to your business’s social media presence:

  • Your business should have a comprehensive, easy to understand Internet usage policy in place (sometimes referred to as an "acceptable use policy").  A strong Internet usage policy will help you manage and track where your employees keep and retain company information and can set boundaries regarding the use of personal social media sites during work hours and using work devices.  We recommend that each of your employees and, as of their start date, all new hires, receive a copy of the policy and sign an acknowledgment of having read it.  All of your employees should have access to your Internet usage policy on an ongoing basis.
  • Review any agreements you have in place with employees who develop, manage or contribute to social media content on behalf of your business or as part of the services they provide.  AB-1844 applies only to “personal” social media accounts but there is no guidance regarding what constitutes a personal account.  Your agreements with any employee who creates or manages social media content on behalf of your business should explicitly provide that that account or content is not personal to the employee and is the property of the employer.
  • Consider the manner in which your social media presence is managed and updated.  AB-1844 explicitly provides that nothing in AB-1844 “precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.”  If, however, you have a “bring your own device” policy that allows employees who manage your social media presence to do so from a device that is owned by that employee and also used for personal activities, distinguishing an employee’s personal account from your business’s data may become increasingly difficult.

Of course, if you are reading this and your company does not have a comprehensive Internet usage policy or social media policy at all, you might want to consider calling a member of the Mintz Levin Privacy and Data Security team.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.