Dykema Gossett PLLC

Dykema Labor & Employment Law Blog

Michigan Passes Internet Privacy Protection Act, Joins The Ranks of States Prohibiting Employers From Demanding Access To Facebook Accounts


Michigan Passes Internet Privacy Protection Act, Joins The Ranks of States Prohibiting Employers From Demanding Access To Facebook Accounts

Last summer there was a flurry of activity in state legislatures across the United States following news reports about employers requiring prospective employees to permit access to Facebook pages or other social media sites as a condition of being considered for employment.  Faced with varying levels of outrage from their constituents, state legislatures in states such as Illinois, Maryland, and California quickly passed bills designed to prohibit the practice.  Late last month, Michigan joined their ranks, prohibiting employers from requiring that current or prospective employees provide passwords to their personal internet accounts as a condition of employment.

Michigan’s Internet Privacy Protection Act (“MIPPA”) is fairly sweeping in the behavior it prohibits. Employers (which is defined as any person engaged in business, industry, or the like, and includes any agent, representative, or designee of the employer) cannot request access to an employee’s or prospective employee’s personal internet accounts.  Nor can they require the employee or prospective employee to allow an employer to look over their shoulder while the employee accesses their account. Similarly, the MIPPA makes it illegal for an employer to disclose information that allows a third party to observe an employee or applicant’s personal internet account.  This provision prevents a supervisor who may have been “friended” by an employee from allowing other members of management from viewing otherwise private contents of a Facebook page or other social media site.  MIPPA’s prohibitions are not, however, limited to actually viewing employee or applicant personal internet accounts.  MIPPA makes it illegal for an employer to discipline, fail to hire, or otherwise penalize an employee who refuses to provide access to his or her personal internet accounts.

MIPPA contains some exceptions, however.  An employer still can require an employee to provide access information for an electronic communications device paid for in whole or in part by the employer, or to an account or service provided by the employer or used for the employer’s business purposes.  So, a “personal” gmail account that is, in reality, created expressly for the employer’s business use remains accessible to the employer.  Similarly, an employer still can discipline or discharge an employee for transferring the employer’s proprietary or confidential information to their personal internet accounts without authorization, and still can require an employee to provide access if there is specific information about potential illegal activity or work-related misconduct on that account, or if there is specific information about transfer of proprietary information to a personal internet account.  An employer also can restrict access to certain websites while an employee is using an electronic communications device provided by the employer, and can monitor, review or access electronic data stored on an electronic communications device paid for by the employer (or review electronic traffic stored on the employer’s network) so long as that access does not run afoul of any other law.

Even prior to the passage of this law, there were serious questions about the wisdom of an employer’s decision to demand access to personal internet accounts as a matter of course.  Those accounts often contain information regarding an employee’s race, age, gender, religion, or other protected characteristics.  An employer that accesses that data forfeits any defense that it was unaware of the protected categories if the decision ultimately is made not to extend a job offer, or to terminate employment.  Furthermore, the NLRB repeatedly has found that employee social media sites can contain statements protected under the National Labor Relations Act, making review of those sites problematic for employers in many instances.  MIPPA makes it clear that, at least in Michigan, accessing personal internet accounts in the course of employment is, in most cases, not only unwise, it is illegal.

MIPPA therefore has two practical implications for many employers.  First, it is yet another law with which all employers in Michigan must comply.  While that is not a significant burden in itself, the fact that there is a patchwork of laws springing up around the United States on this topic, each with its own nuances and exceptions, makes it imperative that employers with operations in multiple states spend time familiarizing themselves with the requirements of each state in which they conduct operations.  Second, any employer that is conducting an investigation that may involve access to an employee’s personal internet accounts (such as investigations involving allegations of trade secret misappropriation or sexual harassment), need to familiarize themselves with this new law’s requirements in order to ensure that those investigations are conducted in compliance with this new law.