California's Law Barring Demands For Social Media Passwords Sounds Good… But Might Not Be
from the ain't-that-always-the-case? dept
We’ve been seeing a fair bit of cheering around the news that California became the latest state to sign into law rules that bar organizations and schools from demanding social media passwords from employees and students. In theory, this seems like a good idea. After all, we’ve heard of more than a few cases where students and employees were asked for their passwords. But we’ve questioned if there should be a law here, or if people can just deal with it themselves.
And while many people are cheering on California’s new law, Eric Goldman points out that we should be wary of the potential for significant unintended consequences. He worries about the broad definitions of what’s really covered (hint: it goes beyond just “social media” even though that’s all anyone’s discussing). More importantly, he worries about the line between “personal” and “professional” accounts. Obviously, if you are managing, say, your employer’s Twitter account, it’s reasonable for them to have your password. And if it’s just your own personal account, it’s not. But… that assumes that those two categories are mutually exclusive and distinct, when the reality is they’re often not. People use personal accounts for work related things all the time. It wasn’t that long ago that we wrote about a dispute concerning who owned a LinkedIn account — the company or the employee — when many of the contacts were due to the employment situation. It’s not so easy, and Goldman sees trouble ahead:
Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related. See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.
And, he points out, since it’s important for companies to have the passwords to “corporate” accounts, while the law makes it illegal to ask for them on “personal” accounts, there’s clearly going to be conflict when accounts fall somewhere into that blurry middle, as many of them do:
Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to “personal” accounts. This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn’t expressly allow employers to access mixed account; and the statute doesn’t give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related. Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly–and avoidable–litigation.
So while the intent may be good, the actual law may have some significant problems and costs associated with it. And for what? Was this really that big of a problem? Yes, there were some stories of it happening, but there was no indication that it was really that common. On top of that, in many cases, individuals could handle the situation on their own, without needing the law to back them up.
Filed Under: california, passwords, social media
Comments on “California's Law Barring Demands For Social Media Passwords Sounds Good… But Might Not Be”
I pray it works out. At the very least, this law will eliminate the most egregious offenses and prevent others like it.
if you’ve got a situation where the company doesn’t already have the password or control of the account, then it’s not the company’s account.
It’s stupid that there’s even a remote need for a law, but if a company doesn’t see the need to sort out who has control from the beginning, then they shouldn’t be suing for access to an account on a third party service.
Re: Re:
Point. A good point. Let’s see if everyone else sees it that way (I pray they do).
Re: Re:
Yes, this. Personally, I don’t see a continuum or spectrum between a company account and a personal account. If the problem is people conducting business using their personal accounts (of any sort, email, facebook, whatever) for business, then address that problem. It should be expressly disallowed by company policy — at least, it has been nearly every place I’ve ever worked.
If I created the account with my own resources on my own time, it’s my account. If I talk business on that account, that doesn’t give my employer any right to learn the password. It may give them the right to sue me, depending on my contract, though.
This is exactly the reason my accounts are no way connected to my name. You could surf for a year trying to find it and it just does not exist.
They ask do you use Facebook and I reply no I fucking hate Facebook. Myspace? Fuck Myspace as well the rest. I only enjoy doing my job I have zero time to “make online friends”
Excellent sir you’re hired.
Then I get off work grab something to eat and log on my FB,Myspace,Linkdin,Steam, and a handful more and game my life away.
Well at least till the “boss” gets sick of me on the pc lol. I guess I should have married my PC instead. JK, well not really, but yeah really.
FUD, FUD, FUD. Snore.
Re: Re:
your comment is itself FUD. You just come here, say the article is FUD and don’t bother saying why. That is number 5,157 for why us Techdirt regulars hate you.
Re: Re:
I’m pretty sure it’s FAP, FAP, FAP
Re: Re:
FUD, FUD, FUD. Snore.
Wait. What?
What part of Mike’s or Mr. Goldman’s analysis are you referring to and how is it FUD?
From what I have gleaned, it seems like the new law itself is what is creating the FUD all by itself. Fear of litigation. Uncertainty as to what constitutes a personal or business account. Doubt as to how deal with the situation from either side.
Re: Re:
Help! Police! Fud!
Re: Re:
FUD, FUD, FUD. Snore.
Hey AJ. I get that you’re going to toss continuous ad homs at me all the time and attack anything I write because of whatever weird fetish you have for such things, but I’m a bit surprised that you’d now go after Professor Goldman, someone you’ve claimed to respect.
I can’t think of anyone who doesn’t respect Professor Goldman. If you have a disagreement with what he wrote, you might try actually laying it out, rather than your all too typical childish response.
Re: Re:
> FUD, FUD, FUD. Snore.
And you wonder why everyone thinks you’re an asshole.
In the presence of such a law, companies will clarify which accounts belong to them by “owning” them from the beginning — directing the employee to open them, make a written record, record the password. They will be quite nervous about forcing the distinction to be explicit. And that will be a good thing.
The ownership of the account will be by designation. Then if content gets on the wrong account — tough, it doesn’t affect the ownership of the account. Any more than keeping work records at home compromises your dominion over your apartment, or vice versa.
But — as an academic, I always consider my professional account to be my own property. And it is fully mixed.
In the presence of such a law, companies will clarify which accounts belong to them by “owning” them from the beginning — directing the employee to open them, make a written record, record the password. They will be quite nervous about forcing the distinction to be explicit. And that will be a good thing.
The ownership of the account will be by designation. Then if content gets on the wrong account — tough, it doesn’t affect the ownership of the account. Any more than keeping work records at home compromises your dominion over your apartment, or vice versa.
But — as an academic, I always consider my professional account to be my own property. And it is fully mixed.
Re:
Wow, Mike. I would have pegged you as going the other way on this one. This is a great law to set the standard for the rest of the US, as it’s a simple way to bypass the “can’t ask you about wife, family, children, religion, orientation, ethnicity, etc. in an interview” law.
Doesn't matter for big companies
In the end, big companies make their own rules. If someone hiring does the wrong thing in California, there may be legal consequences for failing to hire because you declined to give access to your social media. But it requires the lawyers become involved.
While it’s not required to get various forms of Trust and Durable Power of Attorney documents notarized, Wells Fargo requires all documents be notarized. Don’t like it, bank somewhere else. Or sue.
you are grasping straws now, of course its a good thing that employers cant ask for your personal passwords, you cant look at it any other way, as far as the line that you refer to…its not really there, and if it is there, its the employers fault as personal and professional is often a easy line to see.
lets face the facts, had the ruling gone the other way you would be arguing against it with a different argument.
and the big deal is...?
Okay, I grant you, most laws these days are total bullshit. Even knowing how threatened Very Serious People get when you invoke the BS word, I would call the vast majority of state and federal laws enacted in the U.S. (at least) to be complete bullshit, designed only to give politicians an excuse to promote themselves. As someone who has spent some time in California over the last few months, I suspect this description is even more apt for any law passed in that state.
But in this case, what’s the major problem? Okay, so maybe the distinction between personal and company social media accounts isn’t realistic. How is that going to lead to more problems? Companies were suing for access to personal accounts previously, so I don’t see this increasing. Is this law going to harm companies, such that their employees steal all the business from them? Again, I could see that happening already anyway.
Please explain the “unintended consequences” in terms of actual damage.
No penalty
Section 2: “Notwithstanding any other provision of law, the Labor Commissioner, who is Chief of the Division of Labor Standards Enforcement, is not required to investigate or determine any violation of this act.” In other words, no penalty for breaking the law.
Already a loophole...
So now instead of asking for the password, they’ll just turn their backs, ask the employees to sign in for them, then peruse their accounts. No asking for passwords, same result.
Facebook
It’s interesting that many employers now not only want to see your Facebook account, but if you don’t have one, they assume you deleted it in anticipation of applying for the job– or never opened an account just so you wouldn’t have to let anyone else see it when you entered the work world– and consider it an attempt on your part to hide something from them.
I know of several police departments that have that policy.
I don’t get the argument of how this can possibly be bad. Am I maintaining it for the company? If yes, it’s theirs. If no, it’s mine. There is no gray area, it’s pretty clean cut. Frankly, you’re trying WAY too hard to make something far too complicated if you manage to produce a situation that actually has gray area here. At that point, flip a bloody coin. It’s quicker, cheaper, and probably more likely to give the correct answer than the courts.
“And you wonder why everyone thinks you’re an asshole.”
Pretty sure it’s because he’s an asshole.