Earlier this year, Washington became one of now twelve states to enact social media password protection laws, in a nationwide trend towards prohibiting employers from accessing restricted, personal media contents of applicants and employees.

What Does the Law Prohibit Employers From Doing?

On May 21st, Washington State Governor Jay Inslee signed into law S.B. 5211, which prohibits an employer from requesting, requiring, or otherwise coercing employees or applicants to:

  • disclose their log-in information to their social networking accounts;
  • access their accounts in front of the employer (also called “shoulder surfing”);
  • add the employer or anyone else to the list of contacts associated with their accounts; or
  • change their privacy settings on their accounts to allow their accounts to be viewed by the employer.

The law also precludes an employer from retaliating against an employee or applicant who refuses to take any of the above actions.

What Does the Law Allow Employers to Do?

The law does contain numerous exceptions.

First, employers may require employees to share content (but not login information) from a social networking account so that the employer can gather facts as part of an investigation regarding the employee’s online social networking activity and (a) violation of legal or regulatory requirements; (b) work-related misconduct or (c) unauthorized transfers of the employer’s trade secrets to the employee’s personal social networking account.

Second, the law does not apply to platforms intended for work-related information exchanges by employees or other workers, like an employer’s Facebook page. Third, an employer can request log-in information to access accounts, services, or devices, paid for or supplied by the employer. Fourth, the law does not prohibit an employer from enforcing existing personnel policies that do not conflict with the law. Fifth, SB 5211 does not interfere with an employer’s duty to comply with “the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations.” Finally, an employer does not violate the law if it inadvertently obtains an employee’s log-in information through the course of monitoring employer-provided devices or network, but the employer may not use that log-in information to access the worker’s personal social networking accounts.

What Remedies Are Available to Employees if an Employer Violates the Law?

An aggrieved employee or job applicant can bring a lawsuit to get “injunctive or other equitable relief, actual damages, a penalty in the amount of $500, and reasonable attorneys’ fees and costs.”

An employer who gets sued under the section and prevails can get “reasonable expenses and attorneys’ fees upon final judgment and written findings by the trial judge that the action was frivolous and advanced without reasonable cause.”