California's Law Barring Demands For Social Media Passwords Sounds Good... But Might Not Be
from the ain't-that-always-the-case? dept
And while many people are cheering on California's new law, Eric Goldman points out that we should be wary of the potential for significant unintended consequences. He worries about the broad definitions of what's really covered (hint: it goes beyond just "social media" even though that's all anyone's discussing). More importantly, he worries about the line between "personal" and "professional" accounts. Obviously, if you are managing, say, your employer's Twitter account, it's reasonable for them to have your password. And if it's just your own personal account, it's not. But... that assumes that those two categories are mutually exclusive and distinct, when the reality is they're often not. People use personal accounts for work related things all the time. It wasn't that long ago that we wrote about a dispute concerning who owned a LinkedIn account -- the company or the employee -- when many of the contacts were due to the employment situation. It's not so easy, and Goldman sees trouble ahead:
Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related. See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.And, he points out, since it's important for companies to have the passwords to "corporate" accounts, while the law makes it illegal to ask for them on "personal" accounts, there's clearly going to be conflict when accounts fall somewhere into that blurry middle, as many of them do:
Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to “personal” accounts. This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn’t expressly allow employers to access mixed account; and the statute doesn’t give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related. Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly–and avoidable–litigation.So while the intent may be good, the actual law may have some significant problems and costs associated with it. And for what? Was this really that big of a problem? Yes, there were some stories of it happening, but there was no indication that it was really that common. On top of that, in many cases, individuals could handle the situation on their own, without needing the law to back them up.