SETH KAIMAN
HNI Account Manager
On December 13, 2012, the Michigan Legislature passed House Bill HB 5523, the Internet Privacy Protection Act (IPPA). Governor Rick Snyder signed it into law on December 28, 2012.
Similar to laws already on the books in Maryland, Illinois and California, the IPPA prohibits employers from requesting that an employee or applicant grant access to, allow observation of, or disclose information that allows access to or observation of “personal Internet accounts,” such as Gmail, Facebook and Twitter.
Under the new law, an employer may not discharge, discipline, fail to hire, or otherwise penalize an employee or applicant who declines such requests.
The goal of the law is to ensure that employees and applicants are judged on their skills and abilities, rather than on private online activity. It does, however, permit employers to access employees’ use of employer equipment and systems and allows for investigations, under certain circumstances, of employees’ personal social media accounts.
The new regulations apply to every employer in Michigan. Businesses operating in Michigan must interpret and address the new regulations, and their human resources policies and practices must be amended to ensure compliance.
What is Prohibited Under the IPPA?
In general, the Internet Privacy Protection Act prohibits Michigan employers from:
1) Requesting from an applicant or employee “access information” (i.e., user name, password, login information or other security information that protects access to a personal Internet account) in order to gain access to the applicant’s or employee’s personal Internet account.
2) Disciplining, terminating, failing to hire or otherwise penalizing an employee or applicant for not providing to the employer access information regarding personal Internet accounts.
These new regulations apply to all supervisors and managers. It is not hard to imagine that situations may arise in which employees voluntarily give a supervisor or manager access to a personal Internet account (e.g., the employee “friends” his or her supervisor on Facebook, and the manager accepts). These common and entirely voluntarily occurrences can inadvertently lead to a greater risk for violation of the new law if the supervisor accepts the invitation.
Imagine if the supervisor discovers information about the employee that he or she otherwise would not have, and the employee is subsequently denied a promotion or terminated. The burden of proof would lie with the employer regarding whether that information was not used in making the employment decision.
In order to avoid an unintentional violation of the new law, we would advise Michigan employers to consider implementing a policy in which managers are prohibited from accessing information on personal Internet accounts of non-management employees.
What is Allowed? Exceptions Under the Michigan IPPA.
Michigan’s Internet Privacy Protection Act allows for several exceptions, under which employers may:
- Request or require an employee to disclose access information in order for the employer to gain access to an electronic device or service paid for by the employer.
- Discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization.
- Conduct an investigation or require an employee to cooperate in an investigation regarding regulatory compliance or the unauthorized transfer of the employer’s proprietary information
- Restrict or prohibit an employee’s access to certain websites while using an electronic communications device paid for, in whole or in part, by the employer or while using an employer’s network or resources.
- Monitor, review, or access electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on an employer’s network.
- Comply with the duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization as defined in the Securities and Exchange Act of 1934.
- View, access, or utilize information about an employee or applicant that can be obtained without any required access information that is available in the public domain.
Employers are encouraged to use safe screening techniques for new hires. Using third parties to perform background checks for criminal convictions and motor vehicle records is perfectly acceptable as long as the employer and the third party comply with the laws.
Violating the Internet Privacy Protection Act is considered a misdemeanor punishable by a fine of more then $1,000. Employers should be able to lawfully obtain information about employees’ Internet activities when it is warranted and necessary. However, Michigan employers must be familiar with all of the IPPA provisions in order to avoid mistakes and potentially exposing their HR staff to prosecution.