There are many restrictions on an employer’s ability to access its employees’ personal online accounts.
In 2017, social media has become so prevalent that it affects nearly everyone in some facet of their life. Employers are certainly not spared from this phenomenon. Though social media provides many positives for employers—including ease of access to advertising and new methods of effective communication amongst employees and customers—there are also some potential negatives.
These sites provide a public platform for employees to voice their opinions about their employer and fellow employees—sometimes in a negative manner—or to express opinions which may be out of line with the beliefs or values of their employers. Thus, it is easy to see why an employer may want to monitor its employees’ social media activity to make sure they are not besmudging the company name. The question then becomes: what right does an employer have to monitor the social media activity of its employees? The Right to Privacy in the Workplace Act (the “Act” - 820 ILCS 55/10) provides answers to this and other related questions.
The Amended Act
Section 10 of the Act lays out what the employer can and cannot do regarding its employees’ “personal online accounts.” Of course, it is first important to understand what exactly a “personal online account” is. The Act defines it as “an online account that is used by a person primarily for personal purposes, not including an account created, maintained, used, or accessed by a person for a business purpose of the person’s employer or prospective employer.” This definition is fairly broad, extending the protections under the Act to online accounts other than “social media” accounts. However, it also provides that, if the account is used for business and not personal purposes, it will not be protected by the Act.
As expressly stated in the Act, it is unlawful for an employer (or prospective employer) to request, require or coerce any employee (or prospective employee) to provide a user name, password or any other related account information in order to gain access to their “personal online account,” or to demand access in any manner to that account. Further, as of January 1, 2017, a recent amendment to the Act added three restrictions on an employer’s rights regarding employees’ personal online accounts. These additional restrictions state that it is unlawful for an employer or prospective employer to:
- Request, require or coerce any employee or prospective employee to authenticate or access an account while the employer is present;
- Require or coerce an employee to invite an employer to join a group affiliated with the personal online account; or
- Require or coerce the employee to join an online account established by the employer or add the employer to the employee’s list of contacts in the employee’s personal account.
The amendment to the Act also added retaliation provisions making it unlawful for an employer to discharge, discipline, fail to hire or otherwise retaliate against an employee who refuses to allow an employer to perform one of the disallowed activities above.
Exceptions and Requirements
At this point, it looks incredibly bleak for an employer’s rights regarding the “private online accounts” of their employees, but alas, the Act does provide for certain exceptions to the above restrictions. First, the Act does not prevent the employer from maintaining lawful policies which govern the use of the employer’s electronic equipment or internet, or the use of social networking or email upon the employer’s internet or devices. Further, an employer can monitor the use of its electronic equipment without requesting or using any employee (or prospective employee) to provide a password or other account information in order to gain access to the employee’s personal online account. These sections of the Act essentially provide that an employer can still control and monitor its own electronic devices and the activity which takes place upon its internet network. Additionally, an employer is free to collect information on an employee (or prospective employee) which is in the public domain, or that is otherwise obtained in compliance with the Act.
The January 1, 2017 amendment to the Act provided some additional circumstances in which an employer may request personal online account information from employees or applicants. These additions allow an employer to request information to comply with state and federal laws, or to request or require an employee or applicant to share specific content that has been reported to the employer—without requesting or requiring the employee or applicant to provide a user name and password or other means of access to the account.
However, an employer can only execute these freedoms if they are being used (i) to ensure compliance with applicable laws or regulatory requirements; (ii) to investigate an allegation of unauthorized transfer of an employer’s proprietary or confidential information to an employee or applicant’s personal account; (iii) to investigate a violation of applicable laws or work-related employee misconduct; (iv) to prohibit an employee from using a personal account for business purposes; or (v) to prohibit an employee or applicant from accessing or operating a personal account during business hours, while on business property, and while using an employer paid for network and resources.
Lastly, what if an employer inadvertently receives information that would allow it to gain access to an employee’s personal online account? The amendment to the Act provides for this situation as well. This “windfall” is not a free pass to access the account. In this situation, an employer will not be liable under the Act, but the employer may not use the information to access the account and must delete it as soon as reasonably practicable, unless it is being used as part of one of the aforementioned exceptions.
The Right to Privacy in the Workplace Act, couple with the January 1, 2017 amendment, place many restrictions upon an employer’s ability to access its employees’ or applicants’ “personal online accounts” which include, but are not limited to, personal social media accounts. For this reason, as an employer, it is important to note that, unless you fit into one of the above exceptions, you simply aren’t invited to the party. iBi
James VanRheeden is an associate attorney with Quinn, Johnston, Henderson, Pretorius, and Cerulo. Email him at firstname.lastname@example.org.