California's Law Barring Demands For Social Media Passwords Sounds Good... But Might Not Be

from the ain't-that-always-the-case? dept

Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related. See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.

Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to “personal” accounts. This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn’t expressly allow employers to access mixed accounts; and the statute doesn’t give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related. Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly–and avoidable–litigation.


We've been seeing a fair bit of cheering around the news that California became the latest state to sign into law rules that bar organizations and schools from demanding social media passwords from employees and students. In theory, this seems like a good idea. After all, we've heard of more than a few cases where students and employees were asked for their passwords. But we've questioned if there should be a law here, or if people can just deal with it themselves.

And while many people are cheering on California's new law, Eric Goldman points out that we should be wary of the potential for significant unintended consequences. He worries about the broad definitions of what's really covered (hint: it goes beyond just "social media" even though that's all anyone's discussing). More importantly, he worries about the line between "personal" and "professional" accounts. Obviously, if you are managing, say, your employer's Twitter account, it's reasonable for them to have your password. And if it's just your own personal account, it's not. But... that assumes that those two categories are mutually exclusive and distinct, when the reality is they're often not. People use personal accounts for work related things all the time. It wasn't that long ago that we wrote about a dispute concerning who owned a LinkedIn account -- the company or the employee -- when many of the contacts were due to the employment situation. It's not so easy, and Goldman sees trouble ahead:

And, he points out, since it's important for companies to have the passwords to "corporate" accounts, while the law makes it illegal to ask for them on "personal" accounts, there's clearly going to be conflict when accounts fall somewhere into that blurry middle, as many of them do:

So while the intent may be good, the actual law may have some significant problems and costs associated with it. And for what? Was this that big of a problem? Yes, there were some stories of it happening, but there was no indication that it was really that common. On top of that, in many cases, individuals could handle the situation on their own, without needing the law to back them up.

Filed Under: california, passwords, social media