Friday, September 28, 2012

California Leader in Passing Password Privacy Laws – AB 1844 and SB 1349 Signed by Jerry Brown



On September 27, California Governor Jerry Brown signed a pair of privacy laws, AB 1844 and SB 1349, protecting the rights of individuals from having to personal account names and passwords  to schools, employers, and prospective employers.  California is the first state to enact laws protecting both students and workers.   These include passwords for such accounts as Facebook, Twitter, Linked in and personal email accounts.  Notice the word "personal". Very important.

Undoubtedly, other states that may not have these in process will follow California’s lead.  "The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts,"   Brown said in a statement. Maryland and Illinois have laws in affect for workers, and Delaware, for students.

These laws    will become effective on January 1.  Kudos to the legislature for doing this and to Brown for signing the measures.   "No boss should be able to ask for this kind of personal information," said state Sen. Leland Yee, D-San Francisco.  Yee wrote California bill SB 1349.  Assemblywoman Nora Campos was the primary driver for AB 1844.

  • Under AB 1844, it will be illegal for employers  ask employees or job applicants for the user names and passwords to their social media accounts.  Five state senators actually voted no on this - Anderson, Blakeslee, Correa, Gaines, and Walters!
  • Under SB 1349, it will be   illegal for colleges/universities to ask students/perspective students for their social media account info.  No one voted against this measure.

 What this does not do (of course) is protect individuals from themselves.  While employers ask for neither account names nor passwords, there is nothing to prevent them from using Google, Bing, or any other search engines to find out information or to go onto Facebook, for example, to see what you may have posted for the universe to see.  Fear the default privacy settings! The bill don't talk about enforcement or penalties for non-compliance.


You may want to read "25 most-used passwords revealed: Is yours one of them?" There are numerous articles online on creating (more) difficult to figure out passwords. 




The text of the two bills passed and links to additional details are below.

LEGISLATIVE COUNSEL'S DIGEST
AB 1844, Campos.  Employer use of social media.  

Existing law generally regulates the conduct of employers in the state.

This bill would prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.  This bill would also prohibit an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions.

Under existing law, the Labor Commissioner, who is the Chief of the Division of Labor Standards Enforcement in the Department of Industrial Relations, is required to establish and maintain a field enforcement unit to investigate specified violations of the Labor Code and other labor laws and to enforce minimum labor standards.  Existing law authorizes, and under specified circumstances requires, the Labor Commissioner to investigate employee complaints of violations of the Labor Code, provide for a hearing, and determine all matters arising under his or her jurisdiction.

This bill would provide that the Labor Commissioner is not required to investigate or determine any violation of a provision of this bill.

SECTION 1.

 Chapter 2.5 (commencing with Section 980) is added to Part 3 of Division 2 of the Labor Code, to read:
CHAPTER 2.5.  Employer Use of Social Media

 (a) As used in this chapter, “social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.
(b) An employer shall not require or request an employee or applicant for employment to do any of the following:

(1) Disclose a username or password for the purpose of accessing personal social media.
(2) Access personal social media in the presence of the employer.
(3) Divulge any personal social media, except as provided in subdivision (c).
(c) Nothing in this section shall affect an employer’s existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.
(d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for accessing an employer-issued electronic device.
(e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section.  However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.

SEC. 2.

 Notwithstanding any other provision of law, the Labor Commissioner, who is Chief of the Division of Labor Standards Enforcement, is not required to investigate or determine any violation of this act.


LEGISLATIVE COUNSEL'S DIGEST
SB 1349, Yee.  Social media privacy: postsecondary education.

Existing law establishes and sets forth the missions and functions of the public and independent institutions of postsecondary education in the state.

This bill would prohibit public and private postsecondary educational institutions, and their employees and representatives, from requiring or requesting a student, prospective student, or student group to disclose, access, or divulge personal social media, as defined, information, as specified.  The bill would prohibit a public or private postsecondary educational institution from threatening a student, prospective student, or student group with or taking specified pecuniary actions for refusing to comply with a request or demand that violates that prohibition.  The bill would require a private nonprofit or for-profit postsecondary educational institution to post its social media privacy policy on the institution’s Internet Web site.

SECTION 1.

 The Legislature finds and declares that quickly evolving technologies, social media services, and Internet Web sites create new challenges when seeking to protect the privacy rights of students at California’s postsecondary educational institutions.  It is the intent of the Legislature to protect those rights and provide students with an opportunity for redress if their rights are violated.  It is also the intent of the Legislature that public postsecondary educational institutions match compliance and reporting requirements for private nonprofit and for-profit postsecondary educational institutions imposed by this act.

SEC. 2.

 Chapter 2.5 (commencing with Section 99120) is added to Part 65 of Division 14 of Title 3 of the Education Code, to read: CHAPTER 2.5.  Social Media Privacy

As used in this chapter, “social media” means an electronic service or account, or electronic content, including, but not limited to, videos or still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.
(a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following:
(1) Disclose a user name or password for accessing personal social media.
(2) Access personal social media in the presence of the institution’s employee or representative.
(3) Divulge any personal social media information.
(b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section.
(c) This section shall not do either of the following:
(1) Affect a public or private postsecondary educational institution’s existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations.
(2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason.

A private nonprofit or for-profit postsecondary educational institution shall post its social media privacy policy on the institution’s Internet Web site.

 

No comments: