HOUSE BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Passed House - Amended:
April 24, 2013
Title: An act relating to social networking accounts and profiles.
Brief Description: Concerning social networking accounts and profiles.
Sponsors: Senate Committee on Commerce & Labor (originally sponsored by Senators Hobbs, Eide, Kline, Ranker, Hatfield, Harper, Billig, Hasegawa, Kohl-Welles, Shin, Keiser, Frockt, Rolfes, Hill, Conway and Nelson).
Labor & Workforce Development: 3/26/13, 4/3/13 [DP].
Passed House - Amended: 4/24/13, 97-0.
HOUSE COMMITTEE ON LABOR & WORKFORCE DEVELOPMENT
Majority Report: Do pass. Signed by 8 members: Representatives Sells, Chair; Reykdal, Vice Chair; Manweller, Ranking Minority Member; Condotta, Assistant Ranking Minority Member; Holy, Moeller, Ormsby and Short.
Minority Report: Do not pass. Signed by 1 member: Representative Green.
Staff: Alexa Silver (786-7190).
According to the National Conference of State Legislatures, nine states enacted legislation in 2012 and 2013 to prohibit employers or institutions of higher education from requiring an employee, applicant, or student to provide a username or password to a social media account. The laws in California, Illinois, Maryland, Michigan, New Mexico, and Utah apply to employers, and the laws in Arkansas, California, Delaware, Michigan, New Jersey, New Mexico, and Utah apply to institutions of higher education. Washington law does not address requests by an employer to access an employee's or prospective employee's social networking accounts.
Facebook's user agreement prohibits a user from sharing his or her password, letting anyone else access his or her account, or doing anything else that may jeopardize the security of the account. It also prohibits a user from soliciting login information or access to another person's account. Twitter's Terms of Service provide that a user is responsible for safeguarding his or her password and is responsible for any activities under his or her password.
Summary of Amended Bill:
An employer may not request, require, or coerce an employee or job applicant to disclose login information to a personal social networking account, access his or her account in the employer’s presence, add a person to his or her list of contacts, or alter the account settings that affect a third party’s ability to view the contents of the account. An employer also may not take adverse action against an employee or job applicant for his or her refusal to provide login information, access his or her account in the employer's presence, add a person to his or her list of contacts, or alter the account settings.
"Employer" includes the state and local governments. "Login information" means a username and password, a password, or other means of authentication that protects access to a personal social networking account. For employees, "adverse action" means discharging, disciplining, or otherwise penalizing the employee, or threatening to discharge, discipline, or otherwise penalize the employee. For job applicants, "adverse action" means failing or refusing to hire the applicant.
These prohibitions do not apply to an employer’s request or requirement that an employee share the contents of his or her account if the employer requests the content to make a factual determination in an investigation. To request such content, the employer must receive information about the employee’s activity on the account, and the purpose of the investigation must be either: (1) to ensure compliance with laws, regulatory requirements, or prohibitions against work-related misconduct; or (2) to investigate an allegation of the unauthorized transfer of confidential or proprietary information or financial data. The employer may not request or require the employee to disclose login information as part of the investigation.
An employer is not liable for possessing an employee’s login information if the employer, through the use of an employer-provided device or a device or program that monitors the employer’s network, inadvertently receives the login information but does not use it to access the employee’s account.
Certain types of networks, devices, and employer actions are excluded from the scope of the bill. It does not:
apply to a social network, intranet, or other technology platform intended primarily to facilitate work-related information exchange, collaboration, or communication;
prohibit an employer from requiring login information to access an account or service provided by virtue of the employment relationship or to access an electronic communications device supplied or paid for by the employer;
prohibit an employer from enforcing existing personnel policies that do not conflict with the bill; or
prevent an employer from complying with the requirements of statutes, rules or regulations, case law, or the rules of a self-regulatory organization.
An aggrieved employee or applicant may bring a civil action, and the court may award injunctive or other equitable relief, actual damages, a $500 penalty, and attorneys' fees and costs. If the judge finds the action was frivolous and brought without reasonable cause, the judge may award a prevailing defendant reasonable expenses and attorneys' fees.
Fiscal Note: Not requested.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:
(In support) This bill will protect people's privacy on social networks. There is growing concern about certain employers asking their employees for their Facebook passwords. A password should not be requested as a tool for research when a person wants to apply for a job. The bill may need some work to address incorrect use of social media on a company's intranet.
(With concerns) If an employer receives information about work-related employee misconduct, the employer needs to be able to investigate to ensure compliance. For example, an employee may have used a work computer to post information on his or her personal online account that could be construed as harassment. An employer should also be able to investigate when it receives information about the unauthorized transfer of information to a personal account, which could be used for identity theft or industrial espionage. The bill creates a safe zone where information may be received and transferred improperly. An employee should be required to cooperate with the employer investigation. Work-related information exchanged between or among employees should be exempted.
There is a high standard in federal and state law to protect the personal financial information of a bank's customers. If a bank learns that an employee may be inappropriately sharing financial information, the bank needs to be able to investigate. Without access to the employee's password, the employee could create an account in Facebook that is known only to the friends to whom they give the password.
(Opposed) There is support for the purpose of the bill, but it needs amendments. Other states have enacted legislation with varying degrees of success. The definition of "social media" in the bill may not actually include Facebook or Twitter. It refers to creating a list of other users, but on Facebook two people must consent to interact, and on Twitter people choose to follow you. The definition in current law is broader. Shared social media accounts are not addressed. An employer may hire a person to market the employer's firm based on the person's Facebook followers.
Persons Testifying: (In support) Senator Hobbs, prime sponsor.
(With concerns) Tom McBride, TechAmerica; and Denny Eliason, Washington Bankers Association.
(Opposed) Michael Shaw, Washington State Bar Association.
Persons Signed In To Testify But Not Testifying: None.