Victories for privacy rights have been few and far between since 9/11, but an astonishing exception is the blossoming of state laws offering protection for workers against bosses who want to snoop into their social media lives. Last month, Nevada became the 11th state to enact password protection legislation designed to ensure some online privacy for workers. Similar laws are under consideration in about 20 other states.

According to the ACLU’s Allie Bohm, who tracks privacy issues at the group’s New York headquarters, reports of employers requiring workers to disclose the passwords for private social media accounts quickly caught the attention of legislators. Because of Facebook’s broad popularity, lawmakers immediately grasped the threat to individual privacy in allowing employers unrestricted access to the social media lives of their employees.

“If your boss were to demand to read the snail mail that’s delivered to your home by the Postal Service, you would be outraged and consider it a gross violation of your privacy. Well, demanding access to the password to your Facebook account is the same thing,” and even lawmakers not normally sympathetic to civil liberties issues can see the problem, Bohm said. “The fact that the National Security Agency is sweeping up vast quantities of info from the net doesn’t mean that state legislators believe that employers have the same right.”

The issue first burst into public view in 2011 with the case of Robert Collins, a Baltimore man then employed by the state of Maryland. Collins was being interviewed for a transfer to a job in the Department of Corrections and was “stunned” to be asked “illegal and invasive” questions about his social media use, he later testified to the Maryland House of Delegates. Fearful of being denied the transfer, he reluctantly complied with the demand that he provide his Facebook password. On the spot, the interviewer logged on to Collins’ account and began rummaging through the contents. The corrections department just wanted to insure that he was not a gang member, he was told.

Furious at this treatment, Collins brought his complaint to his union, the American Federation of County, State and Municipal Employees (AFSCME), and to the Maryland ACLU. Both organizations are well connected in the state capital in Annapolis and it wasn’t long before the nation’s first worker password protection legislation was introduced. Supporters easily brushed aside opposition from the state Chamber of Commerce and Gov. Martin O’Malley (D) signed the measure into law on May 2, 2012.

“I was ecstatic,” when the bill became law, Collins told AlterNet. “Maryland chose to err on the side of citizens and privacy rights. You don’t see that very often,” he said. He added he has been excited to see other states take up the issue. Laws based in some measure on the Maryland model have been enacted by Arkansas, California, Colorado, Illinois, Michigan, Nevada, New Mexico, Oregon, Utah, and Washington.

A New Jersey state legislature approved similar bill early this year, but it was vetoed by Gov. Chris Christie (R). Christie’s objections, however, appear limited to handful of relatively uncontroversial points, and he has signaled his willingness to approve a basic worker protection bill once the legislature has agreed to some changes to the statutory language.

ACLU’s Bohm indicated that these state-level victories may represent the “low hanging fruit” for privacy proponents, and that additional state or federal laws favoring workers may be harder to come by. She cited the recent of example of Texas, where a good password protection law made rapid progress early this year. The bill stalled, however, as unfriendly legislators began loading it up with exceptions and language designed to protect to employers, not workers. The bill become so heavily laden with pro-business language that its original sponsors were happy to see it die when the legislature ended its session without a vote early this month.

Employers and their lobbyists know that password protection laws are not always in their interests, according to Philip L. Gordon, a Denver-based partner in Littler Mendelson, one of the country’s leading business-side law firms.

“There’s definitely a downside to these laws. First, the laws are completely unnecessary. There is no data to show that private employers are doing this, so we seem to have legislation looking for a problem. It almost seems like pandering,” said Gordon, who serves as chairman of the firm’s privacy and data protection practice group. A very recent survey of Littler clients showed that less than 1 percent of employers ever ask for employee passwords, he said. The small number of employers that do ask generally have sound reasons for doing so, such as financial services companies that are required by regulation to monitor the online communications of employees.

The case of companies designated as brokers or dealers in selected financial products has received serious attention by state legislators, and the laws in at least six states provide specific exemptions for them, Gordon notes. Likewise, broad exemptions from the laws are granted to employers when they are engaged in workplace “investigations” of employee misconduct or violations of the law. Employers should be careful, Gordon cautioned, not to use “investigation” as a catch-all excuse to snoop on workers, but the legitimate exemption does give the employer needed freedoms.

Collins told AlterNet he found the investigations loophole troubling. An investigation of employee misconduct presents many opportunities for mischief, or worse, by an unscrupulous boss. Littler’s Gordon indirectly confirmed Collins’ concerns. Writing about Michigan’s password law earlier this year, Gordon commented:

“While airtight at first blush…[the Michigan law] is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s…personal account….Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct….

In other words, the Michigan law, and others like it, leave bosses free to snoop on the private online accounts of workers as long as they can induce a coworker to cooperate.

Some of the problems with state level password protection laws might be solved with good federal-level legislation, Gordon and ACLU’s Bohm agreed. Although not professing any agreement on important details, they agreed a federal law would set the same basic rules for bosses throughout the country.

Sen. Richard Blumenthal (D-Conn.) took a step in that direction early last year when he introduced the Password Protection Act of 2012. The bill failed to gather any momentum, however, and expired in early 2013 without any Senate action. Gordon said he was unfamiliar with the specifics of Blumenthal’s bill, but that employers would be wise to support a federal law as long as it specifically pre-empted state laws. Bohm said the ACLU was generally supportive of Blumenthal’s approach, and would work with congressional supporters to strengthen worker privacy protections in any new version that might be introduced.

In an email message to AlterNet, Blumenthal said this week that he intends to re-introduce his legislation in August or September: “I intend to reintroduce this important legislation because employers seeking access to passwords or confidential information on social networks, email accounts, or other protected Internet services is an unreasonable and intolerable invasion of privacy. With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation would ensure that employees and job seekers are free from these invasive and intrusive practices.”

The outlook for the Blumenthal bill looks doesn’t look especially bright right now, despite broad bipartisan support in many of the state-level password protection votes, one congressional staffer noted. Congress overall seems too gridlocked and several influential lobbying groups have yet to make any public commitments either for or against the Blumenthal bill. The U.S. Chamber of Commerce, for example, has no position on the password protection legislation at this time, spokeswoman Blair Latoff Holmes said.

In the meantime, the ACLU expects state legislators to continue pressing forward, although not at the same frenetic pace as seen over the last year. Workplace rights advocates should contact their state legislators to offer their support in one of the few areas where privacy rights are being broadened on the post-9/11 era, Bohm said.