The “shoulder-surfer” is that insufferable snoop at Starbucks, at the airport, on the bus, or anywhere else who peers over your shoulder and observes your online moves. Exasperating as it may be to share your love of lolcats and cheezburgers with an unwanted onlooker, there are certainly times when it is appropriate for employers to do so, right?

The Illinois state legislature disagrees. In 2012, Illinois enacted a law (known as the Illinois Right to Privacy in the Workplace Act, for those of you keeping score at home) to restrict an employer’s ability to access employee social media accounts. Similar legislation has been introduced at the federal level and in 35 other states. So far in addition to Illinois, laws have been enacted in Arkansas, California, Colorado, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont, and Washington state.

Each of those state laws generally prohibits an employer from requiring that employees or prospective employees divulge their passwords to a social media account. Illinois, however, was clearly not impressed by these other states’ efforts and decided to go one step further: an employer also may not “demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.” 820 ILCS 55/10(b)(1). This provision seems designed to prevent literal “shoulder surfing”: i.e., an employer cannot require an employee to show his online profile, even if the employer never asks for the actual password.

In practice, however, the ambiguities in Illinois’ new law may create headaches for employers; some of those are currently being addressed by the legislature, while others are not. For example, the law excludes information that is in the “public domain.” 820 ILCS 55/10(b)(3). But this misunderstands social media: Facebook (and similar sites) allows users to customize the privacy settings for their profile and postings – some content may be visible to everyone, some only to friends, and some to friends of friends. Which setting trips an account into the “public domain”?

The Illinois law also makes no exceptions for times when an employer might legitimately seek access to an employee’s social media whether to investigate harassment or to verify that FMLA leave has not been abused. Jaszczyszyn v. Advantage Health Physician Network, 2012 WL 5416616 (6th Cir. Nov. 7, 2012) (affirming summary judgment on FMLA interference and retaliation claim where employee was terminated after her Facebook photos revealed her spending all day at a drinking festival while on leave secured for other purposes).

Initially, the Illinois law made no distinction between personal accounts and business accounts. The law was amended on August 16, 2013, to make clear that it applies only to “personal accounts” — defined as an account used “exclusively for personal communications unrelated to any business purposes of the employer.” 820 ILCS 55/10(b)(4). Illinois employers may now seek access to a “professional account” when they have a “duty to screen employees or applicants prior to hiring”, or to otherwise comply with federal or Illinois insurance law. A professional account is one that is “created, maintained, used, or accessed by a current or prospective employee for business purposes of the employer.” Even with these amendments, however, the Illinois still fails to appreciate how social media really works – individuals frequently use the same account for both business and personal communications.

Employers who operate in multiple states must now deal with another patchwork of confusing and contradictory state laws. Here, the best option may be to differentiate between screening social media as a hiring tool and screening social media in investigations:

  • First, it is perhaps time to recognize the emerging trend and eliminate the option to seek access to an applicant’s or employee’s account, irrespective of state law (which also eliminates inadvertently identifying protected statuses such as religion or sexual orientation, which are best left unknown).
  • Second, employers should continue to strictly control access and usage of “official” social media accounts, making clear that company-sponsored accounts are to be used exclusively for business purposes. See e.g., PhoneDog, LLC v. Kravitz, No. C 11-3474, 2012 WL 273323, at *1 (N.D. Cal. Jan. 30, 2012) (denying motion to dismiss claims of intentional and negligent interference with economic advantage where employee continued to use company’s Twitter account after termination of employment).
  • Third, with respect to accessing social media in investigations of harassment, theft of trade secrets, etc., this should be determined on a case-by-case basis with guidance from corporate headquarters. There is no reason to handicap investigations in every state based on the worst-case state law.

It is important to remember that these laws do not prohibit employers from conducting general online searches about employees and prospective employees. Nevertheless, employers should still ask themselves several questions before doing so. Is there a policy in place to ensure that all employees and applicants are subjected to the same treatment – are you an equal opportunity Googler? Do the rewards of the search outweigh the risks of uncovering information about protected statuses? Do you give an employee or applicant the opportunity to explain the results of the search? Ultimately, what’s really needed is a dose of common sense: are the results of the search likely to give you information that is relevant to the job? More often than not, the answer might be no.