Michigan’s Internet Privacy Protection Act (IPPA) prohibits employers from gaining access to applicant and employee personal Internet accounts. When the IPPA became effective on December 28, 2012, Michigan joined Maryland, whose law took effect on October 1, 2012, and California and Illinois, whose laws became effective January 1, 2013. Similar statutes have been introduced in ten other states, including Pennsylvania and New York. California, Delaware, Michigan and New Jersey already have laws applying to academic institutions. A common objective of these laws is prohibiting employers from requiring applicants or employees to disclose username or passwords or otherwise accessing personal social media, such as LinkedIn, Facebook and Twitter. Employers are prohibited from failing to hire, disciplining, or discharging, or otherwise penalizing an applicant or employee who declines an employer’s request to provide access to his or her social media accounts. Violations of Michigan’s IPAA are considered a misdemeanor punishable by a fine of not more than $1,000. Aggrieved individuals may also bring a civil action to enjoin the violation and may recover up to $1,000 in damages plus reasonable attorney fees and court costs.
While the language of the statutes may differ slightly, the laws generally afford employers the right to request and require an employee to disclose information to access:
Moreover, employers may conduct an investigation or require an employee to participate in an investigation:
Based on such investigations, employers are permitted to discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization.
Michigan employers are not prohibited from:
Unlike any other state’s social media laws, the IPPA expressly states that it does not create a duty for an employer to search or monitor the activity on a personal Internet account. Thus, individuals who may be injured by violent employees, for example, cannot assert negligent conduct by an employer solely because the employer failed to request or require that an employee or applicant disclose information that would allow access to a personal Internet account containing information of possible criminal or violent activities or inclinations.
Courts balance the privacy interests of individuals using social media sites with the legitimate interests of employers in protecting their proprietary and confidential information. Employers would be well advised, if they have not yet done so, to create social media and Internet policies that explain the rights of employers to monitor employees’ activity in social media.
Contact either of the authors or any member of Pepper’s Labor and Employment Practice Group for assistance in designing such social media and Internet policies.
Robert C. Ludolph and Adam Wolfe