Sainabou M. Sonko, Nathan D. Coulter
In August 2013, Arkansas enacted a statute intended to regulate employers’ ability to access social media account of employees. This statute, entitled “Social Media Accounts of Current and Prospective Employees,” applies to employers in both the public and private sector and, as such, has a broad reach. At its core, the statute protects employees’ privacy and social media use through its prohibition against any request or suggestion from the employer that would cause a current or prospective employee to: (1) disclose his or her social media username and password; (2) add a fellow employee, supervisor or administrator to his or her social media contact list; or (3) change the privacy settings associated with his or her social medial account. See A.C.A. § 11-2-124. While the statute has been in effect for nearly seven years, there are currently no judicial decisions or Attorney General Opinions addressing its application.
Here is what we know about the social media statute:
- The term “social media” is defined very broadly under the statute. As defined in A.C.A. § 11-2-124, a “social media account” includes all commonly known social media platforms (e.g., Facebook, Instagram, Twitter), as well as any personal account with an electronic medium or service where users can view, create or share user-generated content, including videos, blogs, podcasts, messages and e-mails so long as those accounts were not: (i) opened at the employers requested, (ii) provided by the employer (e.g., company e-mail account); or (iii) set up by the employee with the intent to impersonate the employer through use of the employer’s logo, name or trademarks.
- An employer who inadvertently receives the login information to an employee’s social media account due to that employee’s use of an electronic device provided by the employer is not liable for receipt of the employee’s login information. The statute, however, provides that, in such cases, the employers cannot then use the login information to gain access to the employee’s social media account. Further, given that the statute protects only against “inadvertent” discovery of the employee’s login information – and in light of the statute’s primary purpose – an employer who intentionally seeks an employee’s login information through a company-issued electronic device is presumably in violation of the statute.
- The statute does not prohibit an employer from viewing information about a current or prospective employee that is publicly available on the internet. It also does not prohibit the employer from exercising its “existing rights or obligations” to request an employee’s social media login information if it is “reasonably believed” that the employee’s social media account is relevant to a formal investigation or proceeding concerning allegations of the employee’s violation of federal, state or local laws or of the employer’s written policies.
- An employer may not retaliate against a current or prospective employee for exercising his or her rights under the statute.
Here is what the statute does not tell us:
- While the statute affirmatively protects the employers’ right to view information publicly available on the internet, the statute is silent as to whether such publicly available information can be used as the basis for employment-related decisions. Further, it is unclear whether information publicly available on the internet can be used by the employer as a basis for instituting a “formal investigation or related proceeding” against the employee, which would then allow the employer to request that the employee disclose his or her social media login information.
- Despite its clear intent to protect the privacy rights of employee, the statute is silent as to the remedy available to employees for an employer’s violation. Despite the Legislature’s presumptive intent to give current and prospective employees the right to sue for violations of the statute, the statute itself does not explicitly provide for a private right of action – i.e., an employee does not have an affirmative right to sue for an employer’s violation of the statute. Interestingly, nearly one year after the statute was enacted, Arkansas Administrative Code 010.14.1-500 was enacted “to provide clarification for the enforcement and administration” of the social media statute. See Ark. Admin. Code 010.14-1-500. While the subsequently enacted Administrative Code clarified that the Arkansas Department of Law (DOL) was charged with civil enforcement of the statute, it failed to provide clarification on the remedies available to an employee under the statute.
- The statute does not address instances where an employer seeks access to the employee’s social media account without requiring the employee to disclose his or her login information. For example, can an employer require the employee (or prospective employee) to log into his or her own social media account in the employers’ presence? Presumably, such conduct by the employer is inconsistent with the statute’s purpose, even if not expressly prohibited.
- It is also unclear whether an employee or prospective employee would be required to exhaust all available internal complaint or administrative processes prior to filing lodging any complaints to the DOL concerning an employer’s alleged violation of the statute.
Given the increasing prevalence of social media use in the employment context, the questions raised by the statute will most likely be addressed through practice and litigation over time.
A a full version of the social media statute and the accompanying Administrative Code 010.14.1-500 are available here.