California's Law Barring Demands For Social Media Passwords Sounds Good... But Might Not Be

from the ain't-that-always-the-case? dept

We've been seeing a fair bit of cheering around the news that California became the latest state to sign into law rules that bar organizations and schools from demanding social media passwords from employees and students. In theory, this seems like a good idea. After all, we've heard of more than a few cases where students and employees were asked for their passwords. But we've questioned if there should be a law here, or if people can just deal with it themselves.

And while many people are cheering on California's new law, Eric Goldman points out that we should be wary of the potential for significant unintended consequences. He worries about the broad definitions of what's really covered (hint: it goes beyond just "social media" even though that's all anyone's discussing). More importantly, he worries about the line between "personal" and "professional" accounts. Obviously, if you are managing, say, your employer's Twitter account, it's reasonable for them to have your password. And if it's just your own personal account, it's not. But... that assumes that those two categories are mutually exclusive and distinct, when the reality is they're often not. People use personal accounts for work related things all the time. It wasn't that long ago that we wrote about a dispute concerning who owned a LinkedIn account -- the company or the employee -- when many of the contacts were due to the employment situation. It's not so easy, and Goldman sees trouble ahead:
Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related. See, e.g., Insynq v. Mann, Eagle v. Sawabeh, Maremont v. SF Design Group, Kremer v. Tea Party Patriots, and PhoneDog v. Kravitz.
And, he points out, since it's important for companies to have the passwords to "corporate" accounts, while the law makes it illegal to ask for them on "personal" accounts, there's clearly going to be conflict when accounts fall somewhere into that blurry middle, as many of them do:
Putting the two concepts together, employers should require that employees provide them with login credentials for social media accounts relating to their business; but the law makes it illegal for employers to ask for login credentials to “personal” accounts. This puts employers in an obvious squeeze: employers may not know which employee accounts are purely personal and which are a mix of personal and business-related; the statute doesn’t expressly allow employers to access mixed account; and the statute doesn’t give employers a defense if they demand the login credentials because they reasonably but mistakenly thought the account was all or partially business-related. Courts will likely have to create common law exclusions for employers trying to get access to mixed accounts, but only after much angst, confusion and costly–and avoidable–litigation.
So while the intent may be good, the actual law may have some significant problems and costs associated with it. And for what? Was this really that big of a problem? Yes, there were some stories of it happening, but there was no indication that it was really that common. On top of that, in many cases, individuals could handle the situation on their own, without needing the law to back them up.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: california, passwords, social media


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 28 Sep 2012 @ 12:49pm

    I pray it works out. At the very least, this law will eliminate the most egregious offenses and prevent others like it.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2012 @ 12:55pm

    if you've got a situation where the company doesn't already have the password or control of the account, then it's not the company's account.

    It's stupid that there's even a remote need for a law, but if a company doesn't see the need to sort out who has control from the beginning, then they shouldn't be suing for access to an account on a third party service.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Sep 2012 @ 12:57pm

      Re:

      Point. A good point. Let's see if everyone else sees it that way (I pray they do).

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 28 Sep 2012 @ 1:26pm

      Re:

      Yes, this. Personally, I don't see a continuum or spectrum between a company account and a personal account. If the problem is people conducting business using their personal accounts (of any sort, email, facebook, whatever) for business, then address that problem. It should be expressly disallowed by company policy -- at least, it has been nearly every place I've ever worked.

      If I created the account with my own resources on my own time, it's my account. If I talk business on that account, that doesn't give my employer any right to learn the password. It may give them the right to sue me, depending on my contract, though.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2012 @ 1:16pm

    This is exactly the reason my accounts are no way connected to my name. You could surf for a year trying to find it and it just does not exist.

    They ask do you use Facebook and I reply no I fucking hate Facebook. Myspace? Fuck Myspace as well the rest. I only enjoy doing my job I have zero time to "make online friends"
    Excellent sir you're hired.

    Then I get off work grab something to eat and log on my FB,Myspace,Linkdin,Steam, and a handful more and game my life away.

    Well at least till the "boss" gets sick of me on the pc lol. I guess I should have married my PC instead. JK, well not really, but yeah really.

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    icon
    average_joe (profile), 28 Sep 2012 @ 1:18pm

    FUD, FUD, FUD. Snore.

    link to this | view in chronology ]

    • icon
      Rikuo (profile), 28 Sep 2012 @ 1:22pm

      Re:

      your comment is itself FUD. You just come here, say the article is FUD and don't bother saying why. That is number 5,157 for why us Techdirt regulars hate you.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Sep 2012 @ 1:31pm

      Re:

      I'm pretty sure it's FAP, FAP, FAP

      link to this | view in chronology ]

    • icon
      Gwiz (profile), 28 Sep 2012 @ 1:51pm

      Re:

      FUD, FUD, FUD. Snore.

      Wait. What?

      What part of Mike's or Mr. Goldman's analysis are you referring to and how is it FUD?

      From what I have gleaned, it seems like the new law itself is what is creating the FUD all by itself. Fear of litigation. Uncertainty as to what constitutes a personal or business account. Doubt as to how deal with the situation from either side.

      link to this | view in chronology ]

    • icon
      The Groove Tiger (profile), 28 Sep 2012 @ 2:17pm

      Re:

      Help! Police! Fud!

      link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 28 Sep 2012 @ 2:21pm

      Re:

      FUD, FUD, FUD. Snore.


      Hey AJ. I get that you're going to toss continuous ad homs at me all the time and attack anything I write because of whatever weird fetish you have for such things, but I'm a bit surprised that you'd now go after Professor Goldman, someone you've claimed to respect.

      I can't think of anyone who doesn't respect Professor Goldman. If you have a disagreement with what he wrote, you might try actually laying it out, rather than your all too typical childish response.

      link to this | view in chronology ]

    • identicon
      btr1701, 28 Sep 2012 @ 8:07pm

      Re:

      > FUD, FUD, FUD. Snore.

      And you wonder why everyone thinks you're an asshole.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2012 @ 1:28pm

    In the presence of such a law, companies will clarify which accounts belong to them by "owning" them from the beginning -- directing the employee to open them, make a written record, record the password. They will be quite nervous about forcing the distinction to be explicit. And that will be a good thing.

    The ownership of the account will be by designation. Then if content gets on the wrong account -- tough, it doesn't affect the ownership of the account. Any more than keeping work records at home compromises your dominion over your apartment, or vice versa.

    But -- as an academic, I always consider my professional account to be my own property. And it is fully mixed.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2012 @ 1:30pm

    In the presence of such a law, companies will clarify which accounts belong to them by "owning" them from the beginning -- directing the employee to open them, make a written record, record the password. They will be quite nervous about forcing the distinction to be explicit. And that will be a good thing.

    The ownership of the account will be by designation. Then if content gets on the wrong account -- tough, it doesn't affect the ownership of the account. Any more than keeping work records at home compromises your dominion over your apartment, or vice versa.

    But -- as an academic, I always consider my professional account to be my own property. And it is fully mixed.

    link to this | view in chronology ]

  • identicon
    PRMan, 28 Sep 2012 @ 1:31pm

    Re:

    Wow, Mike. I would have pegged you as going the other way on this one. This is a great law to set the standard for the rest of the US, as it's a simple way to bypass the "can't ask you about wife, family, children, religion, orientation, ethnicity, etc. in an interview" law.

    link to this | view in chronology ]

  • icon
    vilain (profile), 28 Sep 2012 @ 1:45pm

    Doesn't matter for big companies

    In the end, big companies make their own rules. If someone hiring does the wrong thing in California, there may be legal consequences for failing to hire because you declined to give access to your social media. But it requires the lawyers become involved.

    While it's not required to get various forms of Trust and Durable Power of Attorney documents notarized, Wells Fargo requires all documents be notarized. Don't like it, bank somewhere else. Or sue.

    link to this | view in chronology ]

  • icon
    letherial (profile), 28 Sep 2012 @ 2:00pm

    you are grasping straws now, of course its a good thing that employers cant ask for your personal passwords, you cant look at it any other way, as far as the line that you refer to...its not really there, and if it is there, its the employers fault as personal and professional is often a easy line to see.

    lets face the facts, had the ruling gone the other way you would be arguing against it with a different argument.

    link to this | view in chronology ]

  • identicon
    bshock, 28 Sep 2012 @ 2:32pm

    and the big deal is...?

    Okay, I grant you, most laws these days are total bullshit. Even knowing how threatened Very Serious People get when you invoke the BS word, I would call the vast majority of state and federal laws enacted in the U.S. (at least) to be complete bullshit, designed only to give politicians an excuse to promote themselves. As someone who has spent some time in California over the last few months, I suspect this description is even more apt for any law passed in that state.

    But in this case, what's the major problem? Okay, so maybe the distinction between personal and company social media accounts isn't realistic. How is that going to lead to more problems? Companies were suing for access to personal accounts previously, so I don't see this increasing. Is this law going to harm companies, such that their employees steal all the business from them? Again, I could see that happening already anyway.

    Please explain the "unintended consequences" in terms of actual damage.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2012 @ 2:45pm

    No penalty

    Section 2: "Notwithstanding any other provision of law, the Labor Commissioner, who is Chief of the Division of Labor Standards Enforcement, is not required to investigate or determine any violation of this act." In other words, no penalty for breaking the law.

    link to this | view in chronology ]

  • identicon
    btr1701, 28 Sep 2012 @ 8:06pm

    Already a loophole...

    So now instead of asking for the password, they'll just turn their backs, ask the employees to sign in for them, then peruse their accounts. No asking for passwords, same result.

    link to this | view in chronology ]

  • identicon
    btr1701, 28 Sep 2012 @ 8:13pm

    Facebook

    It's interesting that many employers now not only want to see your Facebook account, but if you don't have one, they assume you deleted it in anticipation of applying for the job-- or never opened an account just so you wouldn't have to let anyone else see it when you entered the work world-- and consider it an attempt on your part to hide something from them.

    I know of several police departments that have that policy.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Sep 2012 @ 7:49am

    I don't get the argument of how this can possibly be bad. Am I maintaining it for the company? If yes, it's theirs. If no, it's mine. There is no gray area, it's pretty clean cut. Frankly, you're trying WAY too hard to make something far too complicated if you manage to produce a situation that actually has gray area here. At that point, flip a bloody coin. It's quicker, cheaper, and probably more likely to give the correct answer than the courts.

    link to this | view in chronology ]

  • identicon
    Slicerwizard, 29 Sep 2012 @ 5:44pm

    "And you wonder why everyone thinks you're an asshole."

    Pretty sure it's because he's an asshole.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.