California Leader in Passing Password Privacy Laws – AB 1844 and SB 1349 Signed by Jerry Brown

On September 27, California Governor Jerry Brown signed a pair of privacy laws, AB 1844 and SB 1349, protecting the rights of individuals from having to personal account names and passwords  to schools, employers, and prospective employers.  California is the first state to enact laws protecting both students and workers.   These include passwords for such accounts as Facebook, Twitter, Linked in and personal email accounts.  Notice the word "personal". Very important.

Undoubtedly, other states that may not have these in process will follow California’s lead.  "The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts,"   Brown said in a statement. Maryland and Illinois have laws in affect for workers, and Delaware, for students.

These laws    will become effective on January 1.  Kudos to the legislature for doing this and to Brown for signing the measures.   "No boss should be able to ask for this kind of personal information," said state Sen. Leland Yee, D-San Francisco.  Yee wrote California bill SB 1349.  Assemblywoman Nora Campos was the primary driver for AB 1844.

• Under AB 1844, it will be illegal for employers  ask employees or job applicants for the user names and passwords to their social media accounts.  Five state senators actually voted no on this - Anderson, Blakeslee, Correa, Gaines, and Walters!

• Under SB 1349, it will be   illegal for colleges/universities to ask students/perspective students for their social media account info.  No one voted against this measure.

 What this does not do (of course) is protect individuals from themselves.  While employers ask for neither account names nor passwords, there is nothing to prevent them from using Google, Bing, or any other search engines to find out information or to go onto Facebook, for example, to see what you may have posted for the universe to see.  Fear the default privacy settings! The bill don't talk about enforcement or penalties for non-compliance.

You may want to read "25 most-used passwords revealed: Is yours one of them?" There are numerous articles online on creating (more) difficult to figure out passwords. 

http://www.zdnet.com/blog/security/25-most-used-passwords-revealed-is-yours-one-of-them/12427

The text of the two bills passed and links to additional details are below.

LEGISLATIVE COUNSEL'S DIGEST

AB 1844, Campos.  Employer use of social media.  

Existing law generally regulates the conduct of employers in the state.

This bill would prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.  This bill would also prohibit an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions.

Under existing law, the Labor Commissioner, who is the Chief of the Division of Labor Standards Enforcement in the Department of Industrial Relations, is required to establish and maintain a field enforcement unit to investigate specified violations of the Labor Code and other labor laws and to enforce minimum labor standards.  Existing law authorizes, and under specified circumstances requires, the Labor Commissioner to investigate employee complaints of violations of the Labor Code, provide for a hearing, and determine all matters arising under his or her jurisdiction.

This bill would provide that the Labor Commissioner is not required to investigate or determine any violation of a provision of this bill.

SECTION 1.

 Chapter 2.5 (commencing with Section 980) is added to Part 3 of Division 2 of the Labor Code, to read:

CHAPTER 2.5.  Employer Use of Social Media

 (a) As used in this chapter, “social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

(b) An employer shall not require or request an employee or applicant for employment to do any of the following:

(1) Disclose a username or password for the purpose of accessing personal social media.

(2) Access personal social media in the presence of the employer.

(3) Divulge any personal social media, except as provided in subdivision (c).

(c) Nothing in this section shall affect an employer’s existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.

(d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for accessing an employer-issued electronic device.

(e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section.  However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.

SEC. 2.

 Notwithstanding any other provision of law, the Labor Commissioner, who is Chief of the Division of Labor Standards Enforcement, is not required to investigate or determine any violation of this act.

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201120120AB1844&search_keywords= 

LEGISLATIVE COUNSEL'S DIGEST

SB 1349, Yee.  Social media privacy: postsecondary education.

Existing law establishes and sets forth the missions and functions of the public and independent institutions of postsecondary education in the state.

This bill would prohibit public and private postsecondary educational institutions, and their employees and representatives, from requiring or requesting a student, prospective student, or student group to disclose, access, or divulge personal social media, as defined, information, as specified.  The bill would prohibit a public or private postsecondary educational institution from threatening a student, prospective student, or student group with or taking specified pecuniary actions for refusing to comply with a request or demand that violates that prohibition.  The bill would require a private nonprofit or for-profit postsecondary educational institution to post its social media privacy policy on the institution’s Internet Web site.

SECTION 1.

 The Legislature finds and declares that quickly evolving technologies, social media services, and Internet Web sites create new challenges when seeking to protect the privacy rights of students at California’s postsecondary educational institutions.  It is the intent of the Legislature to protect those rights and provide students with an opportunity for redress if their rights are violated.  It is also the intent of the Legislature that public postsecondary educational institutions match compliance and reporting requirements for private nonprofit and for-profit postsecondary educational institutions imposed by this act.

SEC. 2.

 Chapter 2.5 (commencing with Section 99120) is added to Part 65 of Division 14 of Title 3 of the Education Code, to read: CHAPTER 2.5.  Social Media Privacy

As used in this chapter, “social media” means an electronic service or account, or electronic content, including, but not limited to, videos or still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

(a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following:

(1) Disclose a user name or password for accessing personal social media.

(2) Access personal social media in the presence of the institution’s employee or representative.

(3) Divulge any personal social media information.

(b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section.

(c) This section shall not do either of the following:

(1) Affect a public or private postsecondary educational institution’s existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations.

(2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason.

A private nonprofit or for-profit postsecondary educational institution shall post its social media privacy policy on the institution’s Internet Web site.

http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml;jsessionid=cd4ee55e9a736436443b9249afea?bill_id=201120120SB1349

 

http://www.siliconvalley.com/news/ci_21644971/facebook-twitter-email-passwords-made-private-under-california

Unlike - Prospective Employers Asking for Facebook Passwords

A potential sentence for those who do persist in asking for Facebook passwords - remove them from their current job and place them in one that requires asking, “Would you like fries with that?” _{It’ll be interesting to see whether the court of public opinion, the American Civil Liberties Union (ACLU), state legislatures, or the federal government, orchestrate something against any employers that seek to ask prospective employees for their Facebook passwords. Or passwords to any of their personal accounts. Simple concepts like privacy and protection of freedom of speech come to mind.}

_{"While we do not have any immediate plans to take legal action against any specific employers, we look forward to engaging with policymakers and other stakeholders, to help better safeguard the privacy of our users," said Facebook spokesperson Andrew Noyes.}

_{The flip side of this is that this should serve as a reminder to have different passwords for different accounts. Numerous articles are “out there” about how to do this. Simple algorithms and/or mnemonic techniques can simplify this. People need to take an active role in protecting their privacy.}

_{This should also serve as a reminder that people need to make use of all privacy settings that are available to them on social networking sites. People need to “Google” themselves to see what is publicly available, both text and pictures. Do you really want those pictures from junior year Spring Break to be tagged with your name on them floating around the internet?}

_{Facebook's chief privacy of policy officer Erin Egan cautioned that if an employer discovers that a job applicant is a member of a protected group, the employer might open itself up to claims of discrimination if it does not hire that person.}

_{"As a user, you shouldn't be forced to share your private information and communications just to get a job," wrote Erin Egan. "And as the friend of a user, you shouldn't have to worry that your private information or communications will be revealed to someone you don't know and didn't intend to share with just because that user is looking for a job.}

_{Senator Richard Blumenthal from Connecticut is writing a bill that would stop the practice of employers asking job applicants for their Facebook or other social media passwords. “These practices seem to be spreading, which is why federal law ought to address them. They go beyond the borders of individual states and call for a national solution,” said Blumenthal,}

_{California State Senator Leland Yee plans to amend an existing bill in coming days to prohibit employers from asking current employees or job applicants for their social media user names or passwords.}

_{Prospective employees do need to read their prospective employer’s privacy rights about using work laptops, tablets, smart phones, other mobile devices, to gain access to social networks. There could be a clause forbidding it. They could use application controls to grant only partial access to social networking sites. These could include, for example, time of day, letting you check messages, but not send attachments. There is some research out there that individuals just joining the workforce are using access to social networking sites as one criterion in evaluating employment opportunities.}

_{Hopefully, something can be passed relatively quickly to stop this practice before it takes off.}

_{http://www.telegraph.co.uk/technology/facebook/9162356/Facebook-passwords-fair-game-in-job-interviews.html}

_{http://news.yahoo.com/facebook-warns-employers-not-demand-passwords-141726769.html}

_{http://newyork.cbslocal.com/2012/03/23/blumenthal-wants-to-ban-companies-from-asking-for-facebook-passwords/}