On October 1, 2012, Maryland’s first-in-the-nation law prohibiting employers from requiring – or even requesting – that employees provide pass codes to personal websites and devices took effect. Colloquially, this is the “Facebook Privacy Right.” Employers that fail to hire an applicant or discipline or discharge an employee for refusing to disclose a personal pass code violate the law (although the statute, itself, contains no remedy). Illinois and, most recently, California, have enacted similar laws and legislation is pending in nearly a dozen other states, as well as federally.
What is remarkable is how little evidence there is that employers have actually requested or required applicants or employees to disclose this personal information as a condition of employment. Indeed, Maryland’s new law does not in any way restrict an employer’s right to “Google” employees or applicants or otherwise scour the web for information on them, although there are good reasons to refrain from such sleuthing. What an employer knows – the sexual orientation or history of mental illness, for example, of an applicant or employee – may be alleged to be the motive for an adverse action such as a refusal to hire or termination. That’s a quick ticket to a lawsuit. Rather, what generated the law was a Maryland Department of Corrections requirement that individuals wishing to be prison guards disclose their Facebook passwords so that the DOC could “vet” them for gang connections. This was based on the real concern that people with gang affiliations were infiltrating the prison system. One can fault the DOC for going too far in addressing the problem (and when challenged by the Maryland ACLU, the DOC abandoned the practice). But, what is not apparent is that this is a widespread problem that required legislative action.
The cure may create more mischief than the perceived ill it was intended to address. For example, the law prohibits an employer from even requesting a personal pass code, such as in response to allegations of sexual or racial harassment online by one employee of another. And, while the law quite reasonably does not constrain an employer from demanding pass codes to “non-personal” sites and devices, it does not provide any definition of what would be “personal” as opposed to “business.” If I am permitted to use my personal iPhone for work and I use my account for business-related mischief, is this or is this not subject to employer review? And, what about that company-issued iPad? If I register it personally with Apple and use cloud storage for work-related documents, does this law limit my employer’s ability to demand the pass code to see what I am up to if it suspects I am up to no good? All unclear. And while there is a clause in the law that says it is not intended to prevent an employer from investigating theft of confidential information or trade secrets (something that employers have a right to do without the law), the drafters of the legislation failed to specify that an employer can demand a personal pass code during this investigation. All of this is why some groups representing the interests of businesses, such as the Maryland Chamber of Commerce, opposed the legislation. It is not because they are Neanderthals. It is because they have to contend with the consequences of the laws that are passed, including the costs of litigation to flesh out what the law “really means.”