Are Social Media Password Privacy Statutes #necessary?

(DMLP Intern Rebekah Bradway contributed to this post.)

As we live more of our life online each day, the wealth of information available on social media sites like Facebook and Twitter grows endlessly. It is no surprise, then, that this information may also be useful in informing hiring and other employment practices. Though employers' actual desire for and use of this social media information is questionable, there is a growing trend towards legislating to protect the privacy of individuals participating in social media sites. Social media password privacy statutes have become prevalent, as about a dozen such statutes have been signed into effect and similar statutes have been (at least) introduced in 36 states. 

Recent surveys have shown that despite public concern, very few employers actually request private social media login information (reporting one to five percent, most of which involve requests for voluntary access or access as an alternative to other application components). Though there are undoubtedly some reported instances of employers requesting Facebook and other logins during job interviews - like Robert Collins's application to the Maryland Department of Public Safety and Correctional Services - this practice is in no way the norm and sharing this information is rarely required. Nevertheless, last year, Maryland became the first state to enact one of these acts, prohibiting employers from demanding personal account information and passwords from prospective and current employees. California, Illinois, Michigan, Washington, and more have followed suit. Although it is reassuring to hear our representatives fight for privacy rights, they are zealously fighting to pass laws that address relatively nonexistent behavior and may even be unnecessary given existing tort law and statutes. 

Privacy Tort: Intrusion Upon Seclusion

"One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." Restatement (Second) of Torts § 652B.

The elements of this tort vary by state, but generally include:

  1. The defendant's unauthorized intentional invasion of the plaintiff's affairs (physical or otherwise)
  2. The plaintiff's affairs involved a private matter
  3. A reasonable person would find the intrusion offensive, and
  4. The plaintiff has suffered from the intrusion.  

With respect to an employer demanding access to an applicant or employee's private social media login, these elements initially seem easy to satisfy. There is no doubt, especially when you consider the media and legislature's response to this issue, that a reasonable person would find this intrusion highly offensive, and the individual is harmed as a result of the intrusion. The limitations to pursuing a claim of intrusion on seclusion lie primarily with the aspects of the remaining elements: authorization and the existing privacy of the social media material. 

As to authorization, this claim will fail when prospective employees voluntarily share their password or other information. However, the question of authorization becomes more complicated if a company demands disclosure of login information. Several senators have even called on the DOJ to explore whether employer password demands are coercive. Although this situation has not yet been explored, there may be an argument for coercion in some circumstances.

When disclosure is required in order to apply for a position, there is likely to be difficulty proving coercion given a prospective employee's ability to walk away from the application and look elsewhere. The coercion argument is stronger when an employee is required to share private login information in order to retain employment (see Pietrylo v. Hillstone Restaurant Group), but is still not guaranteed to be an effective argument against authorization. (Note also that this must be distinguished from company accounts that an employee may control or otherwise monitor, as to which the employee would have no claim of privacy.)

That being said, consent may be limited to particular information on an account. For example, an employer may request access by telling an employee that the password will be used to check particular kinds of data. If an employer uses a password to pry into private affairs beyond those to which the employee intends to grant access, it would arguably exceed the scope of consent.

Another limitation to pursuing this tort action may be the public nature of much of the material on Facebook and other social media sites. This tort cannot be used to reach matters in which an individual has no reasonable expectation of privacy. Aspects of a Facebook page and Twitter feed likely fit into this category - profile pictures, basic biographical information, and other publicly posted content. However, particularly when individuals have altered their privacy settings and limit the audience for their speech, it seems more likely that there would be a privacy interest at stake. Though these issues have yet to be litigated, there could be a plausible claim of intrusion upon seclusion to be made in response to employers who demand social media account information. 

Tortious Interference with Contract

"One who intentionally and improperly interferes with the performance of a contract (except a contract to marry) between another and a third person by inducing or otherwise causing the third person not to perform the contract, is subject to a liability to the other for the pecuniary loss resulting to the other from the failure of the third person to perform the contract." Restatement (Second) of Torts § 766.  

Though elements again vary by state, they typically include:

  1. The existence of a valid contract between the plaintiff and a third party
  2. The defendant's knowledge of this contract and intentional improper inducement of a breach of this contract
  3. The plaintiff's subsequent breach caused by the defendant's inducement, and
  4. Damages/harm. 

The contract at issue in these instances would be the terms of use agreements by Facebook, Twitter, LinkedIn, and others. Many of these agreements prohibit the disclosure of private account passwords or other forms of access. Take, for example, Facebook's Terms of Use: "You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account." 

This explicitly prohibits Facebook users from sharing their password with another - certainly including prospective employers. When users join Facebook by creating an account, they click and agree to these Terms of Use. As employers can hardly be unaware of this contract, by intentionally demanding users share their login information, there is potentially tortious interference with the contract when a user then does so. One difficult element here may be to establish harm, as much of the harm will depend on whether Facebook decides to enforce the Terms of Use and how they respond to a breach of the contract.

Another consideration is establishing the employer's improper motive or means. Use of the password to further illegal activity, such as acts in violation of the Computer Fraud and Abuse Act and/or Stored Communications Act, may be sufficient evidence of improper motive. Simplified, the CFAA and SCA criminalize unauthorized access (or access exceeding authorization) of a computer system or electronic communications, respectively. In this circumstance, it is the social media site, not the employee/potential hire, that would have to grant authorization. Though an individual may provide their password to an employer for the limited purpose of accessing personal information relevant to employment, such access by a third party might still be prohibited by the site operator and thus unauthorized.

Overlapping Statutes and Other Considerations

There have also been arguments that these password privacy statutes are made excessive by other statutes, including the SCA and CFAA themselves, as well as the Fair Credit Reporting Act. Other statutes that might potentially apply to use of social media information include discrimination laws, unfair labor practice laws, and state data privacy laws. The threat of these potential lawsuits, particularly as this issue has gained so much attention in the media, is likely enough to deter requests for social media passwords in many employment fields. Further, as many of the new statutes regarding employee passwords fail to include a specific remedy or provide remedies so trivial that no one would bother to bring a claim, it seems that even those who could have otherwise potentially benefited from these statutes will find them toothless and useless. 

Again, I applaud the legislature for considering privacy issues and recognizing that existing tort law and statutes are not always the most effective or fail-safe means to address social media and employment concerns due to consent complications. Still, in part due to our existing legal framework, these social media password protection laws help few and do not demand the urgency with which state legislatures have been approaching the topic. With other pressing privacy concerns--like data security and surveillance--to be addressed, not to mention other employment matters, let us instead encourage our representatives to concentrate their efforts elsewhere.

Kristin Bergman is an intern at the Digital Media Law Project and a rising 3L at William & Mary Law School. She'd like to think that she has nothing to hide, but still would not turn over her Facebook account information to a prospective employer.

(Image courtesy of Flickr user Alessio85 pursuant to a Creative Commons CC BY 2.0 license.)
