Employers Limited in Regulating Personal Online Activity of Employees and Applicants by 2017 Amendment to Illinois Right to Privacy in the Workplace Act
The Illinois Right to Privacy in the Workplace Act (IRPWA) was amended effective January 1, 2017. The effect of the amendment was to both expand the scope of the law and provide insight to employers about the limitations in regulating employees' and applicants' private social media accounts. While there are some exceptions which will be discussed more fully below, employers are generally much more limited now than they were in the past in regulating personal online activity.
Prior to the amendment, IRPWA prohibited employers from demanding account information, such as social media passwords, from an employee in order to gain access to his or her "social networking websites" (e.g., Facebook, Twitter, etc.).
After the amendment, IRPWA covers "personal online accounts" that are defined as "online accounts" that are "used by a person primarily for their personal purposes." Expanding the scope from "social networking websites" to "personal online accounts" appears intentional so as to encompass broader online activity. The new definition would cover social media accounts (including newer platforms such as Instagram and Snapchat) in addition to likely covering Internet-based e-mail accounts (e.g., Google, Yahoo, MSN, etc.) even though not explicitly stated.
In its amended form, IRPWA prohibits employers from (1) asking, requiring or coercing employees or applicants to provide passwords or other related account information for accessing their personal online accounts; (2) demanding access to employees' and applicants' personal online accounts; (3) asking, requiring or coercing employees and applicants to authenticate or access their personal online accounts in the employer's presence; (4) requiring or coercing employees and applicants to invite employers to join groups affiliated with their personal online accounts; (5) requiring or coercing employees and applicants to join employers' online accounts; and (6) retaliating against employees or applicants for refusing to engage in any of the above activities. By way of example, prohibited conduct would now include scenarios where an employer asks employees to "like" an employer's Facebook or LinkedIn page or "retweet" an employer's tweets. Engaging in any of the aforementioned activities could subject employers to damages and costs, attorney's fees and up to $200 per violation. Employers may also be found guilty of a petty offense.
IRPWA does create certain important exceptions when an employer may ask an employee or applicant to share content from a personal online account. For instance, exceptions to the rule exist (1) when the employer is trying to comply with applicable state or federal law; (2) when an employer is investigating allegations that an employee has impermissibly transferred the company's proprietary or confidential business information to the employee's personal account; (3) when an employer is investigating an allegation of illegal activity or misconduct; and (4) when an employer explicitly prohibits an employee from accessing a personal online account during business hours at the company using a company electronic device or on the employer's network.
In spite of the amendment, employers retain the right to maintain workplace policies addressing the use of company-owned equipment, including PCs, laptops, tablets and smartphones and the extent to which employees access Internet, email and social networking sites on such equipment. Employers may also continue to monitor employees' usage of company-owned equipment, so long as advance notice has been given such as in a handbook or policy, and so long as any personal online account information that is inadvertently captured is destroyed in a reasonably practicable time. Use of the information or enabling a third-party to use the information may result in employer liability.
In light of the amendment to IRPWA, employers are encouraged to revisit and update any social media policies pertaining to employees' use of personal online accounts while working, exceptions applicable to employers and inadvertent disclosures of personal online account information.