Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation is pending in a number of other states.
Connecticut’s law, effective as of October 1, 2015, applies to “personal online accounts” – broadly defined as online accounts, such as e-mail, social media, and retail-based web sites, used exclusively for personal purposes by a current or prospective employee.
The statute prohibits employers from requiring or requesting that a current or prospective employee: disclose a username or password to his or her personal online account; authenticate or access a personal online account in the presence of the employer; or offer to or accept from the employer an invitation to join a group affiliated with the employee’s personal online account. Employers may not take adverse action against a current employee who refuses to engage in any of the foregoing activities, or fail or refuse to hire a prospective employee as a result of a refusal to engage in such activities.
Exceptions within the law allow employers to request or require that a current or prospective employee provide a user name and password or other means for accessing:
- Any account or service provided by the employer or by virtue of the employment relationship;
- Any account or service used by the employee for the employer’s business purposes; or
- Any computer or smartphone supplied or paid for by the employer.
In addition, employers may require an employee to provide access – but not a password or other means of access – to his or her personal online account in order to conduct an investigation related to (i) ensuring compliance with laws, regulations, or other rules prohibiting employee misconduct, or (ii) a suspected unauthorized transfer of confidential information or financial data to or from any personal online account. However, the employer may only conduct such an investigation pursuant to “specific information” about relevant activity on the employee’s personal online account.
Notably, the law does not restrict the employer’s ability to monitor, access, or block data that is either stored on a computer or phone paid for by an employer or transmitted through or stored on an employer’s network. The law also does not prevent an employer from complying with laws, regulatory requirements, or rules of self-regulatory organizations.