All Tennessee employers and their agents must now comply with the “Employee Online Privacy Act of 2014,” a new law that prohibits employers from asking their employees for their usernames and passwords to social media sites, among other things. The law went into effect on January 1, 2015. Although it prohibits employers from taking certain actions, the Act also lists permissible actions, which may help employers navigate the numerous scenarios involving employees’ personal internet activity.
DON’TS: Tennessee employers can no longer:
Request or require an employee or applicant to disclose a password to their “personal Internet account,” such as Facebook, Twitter, or a personal e-mail account.
Compel an employee/applicant to add the employer to the contact list associated with the Internet account. For example, you likely cannot require an employee or applicant to “friend” you on Facebook.
Force an employee/applicant to access a personal Internet account in the employer’s presence. In other words, you cannot require an employee to access his or her “personal Internet account” while you watch.
If an employer improperly asks an employee to do one of these things, and the employee refuses, the employer is prohibited from taking an adverse employment action or otherwise penalizing the employee.
DOS: So what can an employer do? Under the Act, an employer can:
Request or require employees to provide a username and password to access an “electronic communications device” supplied by the employer or paid for (wholly or in part) by the employer.
Request or require employees to provide a username and password to access an account or service the employee obtained because of the employment relationship or that the employee uses for the employer’s business purposes. A possible example could be if an employer pays for an Internet database, such a LexisNexis, for its employees and the employer requests the employee’s username and password for that account.
Discipline or discharge an employee for transferring the employer’s proprietary, confidential, or financial information to his or her personal Internet account without the employer’s authorization.
Conduct an investigation or require an employee to cooperate in an investigation when the employer has “specific information” about an unauthorized transfer of the employer’s proprietary or confidential information.
Restrict or block an employee’s access to certain web sites while using an electronic communications device supplied by or paid for (wholly or in part) by the employer or while using an employer’s network or resources.
Monitor, review, access, or block electronic data stored on an employee’s communications device supplied by or paid for (wholly or in part) by the employer.
View, access, or use information about an employee or applicant that is available in the public domain.
The Act does not impose a penalty on employers who violate it. It does, however, create a standard of conduct for employers regarding what is illegal, and therefore could give rise to a whistleblower claim under the Tennessee Public Protection Act if an employee is terminated following an impermissible inquiry.
Tennessee’s implementation of the Employee Online Privacy Act of 2014 adds the state to a growing list of states that have enacted similar legislation prohibiting an employer from requesting an employee’s username and passwords to social media sites. In addition to Tennessee, Louisiana, New Hampshire, Oklahoma, Rhode Island, and Wisconsin enacted similar legislation in 2014.