Utah’s Internet Employment Privacy Act

March 26, 2013

The Utah legislature recently passed the Internet Employment Privacy Act (“IEPA”) that prohibits employers from asking employees or applicants for employment to turn over their passwords or usernames for their personal social-media accounts. It is expected to become law in the coming days. Utah will join at least six other states (including California, Delaware, Illinois, Maryland, Michigan, and New Jersey) that enacted similar legislation in 2012. It is expected that other states will also enact such legislation before the year is over. Employers with operations in Utah need to analyze current policies, practices and procedures to comply with the new legislation.

In recent years, employers are increasingly using the internet to find out what they can about job applicants. An article last year in Forbes Magazine noted that “[i]n their efforts to vet applicants, some companies and government agencies are going beyond merely glancing at a person’s social networking profiles and instead asking to log in as the user to have a look around.”¹ States like Utah are responding to this practice in an effort to protect employee privacy.

The IEPA makes it unlawful in Utah for an employer to ask an employee or an applicant for employment to disclose his or her username or password for a personal internet account, such as a social-media site like Facebook. The new law also prohibits employers from taking adverse employment actions against an employee or applicant for failure to disclose such information. The Act provides for a private right of action against the employer, limited to a maximum of $500.00 per violation.

The new law is not all bad news for employers. The IEPA affirmatively permits an employer to require employees to disclose usernames and passwords in some limited circumstances where they pertain to an electronic communication device that was supplied by or paid for by the employer, or as to an account or service that was provided by the employer and used for the employer’s business purposes. Employers are also permitted to discipline or discharge employees for transferring the employer’s proprietary or confidential information or financial data through an employee’s social-media account. Employers may also restrict or prohibit employees from accessing certain websites while using an electronic communication device supplied by or paid for by the employer or while on an employer’s network. Consistent with the policies of many employers, the IEPA expressly permits employers to monitor, review, access or block electronic data stored on company servers, networks or devices in circumstances where employees have no reasonable expectation of privacy.

The IEPA also allows employers to ask for username and password information when the employer has reason to believe that its proprietary, confidential or financial information has been improperly disclosed by an employee, or that an employee’s personal internet activity raises concerns about compliance with applicable laws, regulatory requirements or prohibitions against work-related employee misconduct. Employers are also not prohibited from complying with their duty to screen employees and applicants before hiring them, or otherwise complying with applicable law.

For employers who have not reviewed their social-media policies recently, this would also be a good time to consider recent decisions by the National Labor Relations Board that seek to prevent employers from “chilling” employee rights to engage in concerted activities by prohibiting employees or disciplining employees for discussing their employment through social media. For example, employers should beware of disciplining employees for online discussions about their salaries, safety issues, vacations and other policies, or even about how a supervisor is treating them. Employers are still permitted to prohibit dishonesty, defamation, threats of violence, obscenity, and unauthorized disclosure of propriety, confidential and trade secret information.

Laws and regulations relating to social media are cutting edge and in a state of change. Utah employers should regularly review their policies, practices and procedures to ensure compliance.

1 James Poulos, Employers Demanding Facebook Passwords Aren’t Making Any Friends, March 22, 2012.