Tennessee Passes “Employee Online Privacy Act of 2014” Preventing Employers from Obtaining Access to Personal Internet Accounts Like Facebook

The Tennessee Legislature recently passed the Employee Online Privacy Act of 2014.  This is found in 2014 Public Chapter 826.  This new statute will be found at T.C.A. § 50-1-1001 et seq. and takes effect on January 1, 2015.  This new statute basically prevents an employer from taking any adverse employment action against an employee for failure to provide access to a “personal internet account” (which basically includes any type of internet account).  “Personal internet account” is defined as follows:

(5) "Personal Internet account":

(A) Means an online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer; and includes any electronic medium or service where users may create, share or view content, including, emails, messages, instant messages, text messages, blogs, podcasts, photographs, videos or user-created profiles; and

(B) Does not include an account created, maintained, used, or accessed by an employee or applicant for business-related communications or for a business purpose of the employer.

Upon review of the definition of personal internet account would certainly include Email, Facebook and Twitter accounts.  The most common of the “personal internet account’s” that falls within this statute is likely Facebook so it would certainly apply to anyone who has a Facebook account with private settings (yet another reason to make sure that your Facebook account is set to “private” and not “public”)  Under this statute Tennessee employers are specifically prevented from the following:

SECTION 4. (a) An employer shall not:

(1) Request or require an employee or an applicant to disclose a password that allows access to the employee's or applicant's personal Internet account;

(2) Compel an employee or an applicant to add the employer or an employment agency to the employee's or applicant's list of contacts associated with a personal Internet account;

(3) Compel an employee or an applicant to access a personal Internet account in the presence of the employer in a manner that enables the employer to observe the contents of the employee's or applicant's personal Internet account; or

(4) Take adverse action, fail to hire, or otherwise penalize an employee or applicant because of a failure to disclose information or take an action specified in Section 4(a)(1)-(3).

This statute even prevents an employer from forcing an employee to show the employer (or prospective employer) their Facebook, email or other internet accounts if the information is private.  A Tennessee employer is not only prevented from taking adverse action against a current employee but it is also prevented from “failing to hire” an applicant for this reason.

There are exceptions to this rule but they are common sense exceptions that are not very significant.  The most notable exceptions include subsection (b)(3) which allows this to be done to conduct an investigation about an employee’s alleged transfer of proprietary, confidential or financial information of the employer.  Another significant exception is subsection (b)(7) which allows access when the information is in the public domain.  The total list of exceptions are found in subsection (b) which provides as follows:

(b) Unless otherwise provided by law, an employer is not prohibited from:

(1) Requesting or requiring an employee to disclose a username or password required only to gain access to:

(A) An electronic communications device supplied by or paid for wholly or in part by the employer; or

(B) An account or service provided by the employer that is obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes;

(2) Disciplining or discharging an employee for transferring the employer's proprietary or confidential information or financial data to an employee's personal Internet account without the employer's authorization;

(3) Conducting an investigation or requiring an employee to cooperate in an investigation if:

(A) There is specific information on the employee's personal Internet account regarding compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or

(B) The employer has specific information about an unauthorized transfer of the employer's proprietary information, confidential information, or financial data to an employee's personal Internet account;

(4) Restricting or prohibiting an employee's access to certain web sites while using an electronic communications device supplied by or paid for wholly or in part by the employer or while using an employer's network or resources, in accordance with state and federal law;

(5) Monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by or paid for wholly or in part by the employer, or stored on an employer's network, in accordance with state and federal law;

(6) Complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications:

(A) That is established under federal law or by a "self-regulatory organization", as defined in the Securities and Exchange Act of 1934, 15 U.S.C. § 78c(a);

(B) For purposes of law enforcement employment; or

(C) For purposes of an investigation into law enforcement officer conduct performed by a law enforcement agency; or

(7) Viewing, accessing, or using information about an employee or applicant that can be obtained without violating subsection (a) or information that is available in the public domain.

This is an important statute for Tennessee employers to know thoroughly.  As a general rule, an employee or applicant cannot be made to disclose private internet account information or even be required to provide temporary access for review by an employer or perspective employer.  Knowing that will keep most employers safe under this new statute. 

One interesting issue that came to mind when I reviewed this statute is the situation where an employer or supervisor is “friends” with an employee on Facebook, for instance, without compulsion (voluntarily).  This statute does not say that an employer cannot take an adverse employment action for something the employer sees on the Facebook account when the employer or supervisor has been voluntarily added by the employee as a “friend” or “contact”.  The plain language says the employer shall not “compel an employee or an applicant” to add the employer as a list of contacts but it does not address voluntary associations which certainly occur.  As a result I believe that providing voluntary access to an employer or supervisor would allow the employer to take adverse employment action against the employee for something they see on the account.