Under a new bill recently signed into law by Colorado Governor John Hickenlooper, employers are prohibited from requiring access to an applicant’s or employee’s personal social media account. Violations could result in penalties and fines. Here are the details of this new law.
Employers Denied Access to Private Social Media Accounts
Colorado joins the growing trend of states restricting employer access to private social media and other online accounts of job applicants and employees. Colorado’s new law, House Bill 13-1046, applies to any employer engaged in a business, industry, trade or profession in the state, except government law enforcement agencies. It prohibits employers from suggesting, requesting or requiring that an applicant or employee disclose their user name, password or other means of accessing their personal account or online services. Employers also may not compel an applicant or employee to add anyone to their list of contacts (e.g., to “friend” on Facebook) or to change their privacy settings on their social media accounts. Employers violate this law if they discipline, discharge or otherwise penalize an employee, or fail to hire an applicant who refuses to disclose any of the prohibited information or refuses to add the employer to their contacts or to change their privacy settings.
A person harmed by an employer’s violation of the law may file a complaint with the Colorado Department of Labor and Employment (CDLE). The CDLE is required to investigate the complaint and issue findings within 30 days after a hearing. The law provides that the CDLE may create rules regarding the penalties for violations, including imposing fines of up to $1,000 for a first violation and up to $5,000 for each subsequent violation.
Access Permitted for Company Systems and Certain Investigations
Two exceptions to the prohibition on requiring access to online accounts are spelled out in the law. First, employers are permitted to require employees to disclose any user name, password or other access to non-personal accounts or services that provide access to the employer’s internal computer or information systems. Second, employers are allowed to conduct investigations in two areas: (1) to ensure compliance with applicable securities or financial law or regulatory requirements based on the receipt of information about the use of a personal online account by an employee for business purposes; and (2) to investigate whether an employee has made an unauthorized posting of the employer’s proprietary information or financial data to a personal online account. No “fishing expeditions” are allowed under the investigative exceptions; employers may only access personal online information for these investigative purposes following the receipt of information that the employee is using his or her personal online accounts in these specific, inappropriate ways.
Employers Permitted to Enforce Non-Conflicting Policies
Existing employment policies that do not conflict with the provisions of this new law are permissible and may be enforced. Employers should examine their policies and practices that may conflict with this law and revise them to remove any requirements or actions prohibited by this law. Specifically, employers should revisit their background check practices related to social media, workplace investigation procedures, policies governing use of company computers, electronic accounts and personal online accounts as well as any other policy addressing technology and employer access to accounts.