Illinois Updates Privacy Law to Address Social Media

Can employers ask employees to "like" an employer's Facebook page or "retweet" tweets? According to the newly amended Right to Privacy in the Workplace Act, Illinois employers may be subject to fines and found guilty of a petty offense for asking, requiring or coercing employees to invite employers to join online groups of which the employee's personal online account belongs.

Legislative History

Illinois legislators have long advocated for stricter laws related to employees' privacy. In 1992, the Illinois General Assembly passed the Right to Privacy in the Workplace Act to prevent employers from requesting information about their employees' previously filed claims for benefits under the Workers' Compensation Act (WCA) or Worker's Occupational Diseases Act (WODA). Nearly two decades later, in 2012, we reported that former Governor Quinn considered signing a bill that would amend the act and prevent employers from requesting employees' and applicants' social media passwords on networking websites.

Indeed, in 2013, the act was amended to prevent employers from requesting employees' and applicants' social media passwords on networking websites and to further prevent employers from requiring employees or applicants to provide passwords and other information that would allow employers to gain access to such information.

In the summer of 2016, Governor Rauner approved H.B. 4999/Public Act 99-610, amending the act to also prohibit prospective employers from requesting employees' and applicants' social media passwords on networking websites. The act extends employees' and applicants' privacy protection beyond passwords to usernames and personal online accounts, and adds retaliation provisions.

2016 Updates

Effective Jan. 1, 2017, an act that once only prohibited employers from asking about benefits applied for or received under WCA or WODA now prohibits employers from:

• Asking, requiring or coercing employees or applicants to provide passwords or other related account information for accessing their personal online accounts.
  
• Demanding access to employees' and applicant's personal online accounts.
  
• Asking, requiring or coercing employees and applicants to authenticate or access their personal online accounts in an employer's presence.
  
• Requiring or coercing employees and applicants to invite employers to join groups affiliated with their personal online accounts.
  
• Requiring or coercing employees and applicants to join employers' online accounts or add employers or employment agencies to contact lists for their personal online accounts.
  
• Retaliating against an employee or applicant for refusing any of the above activities.
  

The act responds to the ever evolving social media landscape, where access to an employee's personal online account may reveal a range of activities that employees may support (e.g., webpages the employee "likes," politicians the employee "follows," past and present "tweets" and "emojis," etc.).

The act addresses inadvertent disclosures, such as when an employer stumbles on information that would enable the employer to gain access to the employee's personal online account through an employer-provided device for network security or data confidentiality provision.

In such instances, an employer is not liable for having this information, unless the employer uses the information or enables a third party to use the information, or acts affirmatively to delete the information as soon as reasonably practicable once the employer becomes aware that such information was received. 

Employees or applicants may file a complaint through the U.S. Department of Labor or commence an action in state court to enforce provisions of the act. Awards may include actual damages and costs, attorney fees and up to $200 per violation. Employers may also be found guilty of a petty offense.

Actions Still Permitted

The new regulation does not limit or prohibit an employer from:

• Creating or maintaining lawful workplace policies on the use of their electronic equipment, including internet, social networking website and email use. This includes policies addressing an employee's use of a personal online account for business purpose, accessing or operating a personal online account during business hours while on business property or connected to an employer's network, or when using an employer device.
  
• Monitoring the use of such equipment and email.
  
• Obtaining publicly available or otherwise lawfully accessed information about employees.
  
• Complying with other state or federal laws.
  
• Requiring an employee to share specific content reported to the employer to ensure compliance with the law or investigating an allegation of a violation of law or work-related employee misconduct.
  

Next Steps

Employers are strongly encouraged to review and update their social media policies addressing an employees' use of personal online accounts while on the job, inadvertent disclosures of employees' personal online accounts, reporting violations under this act and limited exceptions when an employer may request content sharing from an employee's or applicant's personal online accounts.

Stacey L. Smiricky and Sylvia Bokyung St. Clair are attorneys with Faegre Baker Daniels in Chicago. © Faegre Baker Daniels. All rights reserved. Reposted with permission.