Are you in the midst of a breaking crisis? Call +1 (514) 458-7101

The Crisis Intelligence Blog

Now Illegal in 3 More States: Employers Cannot Request Passwords to Employee Social Media Accounts

13 May

Online Privacy and Security LawsEditor’s Note: The following is an important update, by the wonderful Judith Delaney, on the three new states who have recently passed laws making it illegal for companies to request social media passwords from employees.

Back in January of this year, Melissa and I both published a blog post informing you that the states of California, Michigan, Maryland and Illinois had passed laws making it illegal for companies to request social networking passwords, or nonpublic online account information, from behind the “social media wall” from their employees or job applicants. (Read my article here and Melissa’s article here for a refresher)

As we continue to move through 2013, three more states: Arkansas, New Mexico and Utah, can now be added to the “original” four, having passed new legislation restricting employers’ access to employees and job applicants’ personal social media accounts.

As this is an important issue for both employers and employees to be aware of, below you’ll find a summary of these three new laws.

Employers cannot request social media passwords from employees in the following states


Act 1480 (the “Act”) signed by Governor Beebe on April 22, 2013 (currently no date when law becomes effective), prohibits an Arkansas employer from requiring or requesting a current or prospective employee to:

  • Disclose one’s username or password for a personal social media account;
  • Add an employee, supervisor or administrator to the list of contacts for such an account; or
  • Change the privacy setting of such account

The Act also prohibits employers from the ability to retaliate against a current or prospective employee for exercising their right of refusal under the Act.

Penalties for violation of this Act: Penalties for violation are fines ranging from $10 to $100; 6 months in prison; and/or a misdemeanor conviction.

This Act does not prohibit employers to: View publically available information, including postings on social media sites, or inadvertatently receive an employee’s login information. An employer may also require access to an employee’s social media account if it is reasonably believed to be relevant for ediscovery based on a formal investigation by the employer of allegations of an employee’s violation of federal, state or local laws or regulations, or the employer’s written policies.

New Mexico

New Mexico’s law was signed into law on April 5, 2013 and goes into effect July 1, 2013.  As with Arkansas and some of the other state laws, this law also prohibits an employer to request or require a prospective employee to provide a password in order to gain access to the prospective employee’s account or profile on a social media site, or to demand access in any manner to such account or profile.

This Act does not prohibit employers to: Unlike other state laws including Arkansas, New Mexico does not prohibit an employer from seeking access to their current employee’s social media account or profile.  It also does not limit an employer’s right to:

  • Have policies regarding work place Internet, social networking or emails use;
  • Monitor employees’ usage of the employer’s electronic equipment; or
  • View publicly available information about a prospective employee or employee


Utah’s law, known as the Internet Employment Privacy Act (“IEPA”), was signed by Governor Herbert on March 26, 2013 and becomes effective May 14, 2013. The IEPA is very similar to the Arkansas law and other state laws as it prohibits employers in the public and private sector to:

  • Ask an employee or prospective employee to disclose login information for that person’s personal Internet account; and
  • The ability to retaliate against a current or prospective employee for exercising their right of refusal under IEPA

Penalties for violation of this Act: The IEPA creates a private right of action for aggrieved employees or prospective employees to recover up to $500 in damages.

This Act does not prohibit employers to: Under IEPA, an employer may:

  • Request login information to its own electronic communication devices, accounts or services;
  • Discipline or discharge an employee for transferring any proprietary or confidential information of financial data of the employer to the employee’s personal Internet account, unless written permission has been provided to such employee by the employer;
  • Investigate  misconduct involving the use of the employee’s personal Internet account;
  • Restrict employees’ use or access of certain websites while using employer owned electronic devices or computer networks;
  • Monitor, review, access or block electronic data and communications stored on the employer’s electronic devices or networks;
  • Screen certain employees and job applicants; and
  • View publicly available information about a prospective employee or employee

What you should take away from these new laws

As an employer in some or all of the 7 states noted so far, if you have not done so already, review your policies and practices to make sure that you are in compliance with your state law in not asking prospective and current employees for information that you are prohibited from asking.  This should be done not only to protect you as the employer from violating state social media legislation, but to minimize your risk of violating state and federal anti-discrimination laws, if you view an individual’s race, national origin, religion, age, disability or other protected information.

Editor’s note: As these new laws form around social media and online privacy, it’s extremely important for companies, as well as employees, to know what they are and are not allowed to do or request – you’ve seen the penalties for violating these laws, some go as far as including jail time. However, it is also important to understand what is not included within these laws (as stated above). The more you protect yourself, your company and your employees, the less risk you face internally and externally, and the stronger you and your team will be, which has an infinite of benefits as you see here often on this blog.

Our promise to you

As more of these online laws form around the world, you can count on this blog for having current updates and summaries of what to look out for, what to know and understand and what to take away, in order to maintain an organization that is compliant with new and developing online laws, and to minimize your internal and external risk. Click the following links for more information on social media law and/or online privacy laws.

Disclaimer:  The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof.  Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.


  1. Incite | Corporate Communications Consulting | PR | Social Media | Seattle | Personal Social Media Account Passwords - May 16, 2013

    [...] movement is often slow in government circles, three new states have recently passed laws making it illegal for companies to request passwords for employee personal social media accounts. This now makes a total of seven states with such [...]

Leave a Reply