by Joseph Miller and Alexandra Verven (Fall 2016)
On July 22, 2016, the Illinois General Assembly passed P.A. 99-610 – altering the internet privacy policies of employees. The legislation offers employees greater protection from both employers and potential employers, while maintaining the rights of employers to be involved in employees’ online activities, when necessary.
As of January 1, 2017, it will be unlawful for employers and potential employers to request, require, or coerce an employee or applicant to: (1) provide a username and password to any personal online account; (2) access a personal online account in the employer’s presence; (3) invite the employer to join a group affiliated with a personal online account; (4) join an online account established by the employer; or (5) add the employer to the employee’s or applicant’s list of contacts (e.g., “friends”) to access the personal online account.
Similarly, the legislation makes it unlawful for employers to discharge, discriminate against, retaliate against, or penalize an employee for refusing to perform any of the above activities, or for filing a complaint alleging a violation. Additionally, employers cannot fail or refuse to hire an applicant because of a refusal to provide such information prior to hiring.
Despite many restrictions, employers do, however, still have some right to know about the online activities of their employees. For instance, the law provides that it is permissible for an employer to request or require an employee or applicant to share specific content posted by the employee that has been reported to the employer, without requesting or requiring an employee or applicant to provide a user name and password, for the purpose of: (1) ensuring compliance with applicable laws or regulatory requirements; (2) investigating an allegation, based on receipt of specific information, of the unauthorized transfer of an employer’s confidential information or work-related employee misconduct; (3)prohibiting an employee from using a personal online account for business purposes; or (4) prohibiting an employee or applicant from accessing or operating a personal online account during business hours, while on business property, while an electronic device is supplied by, or paid for by, the employer, or while using the employer’s network or resources to the extent permissible under applicable laws.
The law also covers scenarios where an employer inadvertently receives the username and password that would enable the employer to gain access to the employee’s or applicant’s personal online account. If this occurs through the use of otherwise lawful means, then the employer is not liable for having that information, unless the employer: uses that information, or enables a third party to use that information to access the employee’s personal online account; or after the employee becomes aware that such information was received, does not delete the information as soon as reasonably practicable, unless such information is being used by the employer to investigate an actual or suspected breach of computer, network, or data security.
Employers should be reminded that nothing in the new law prohibits or restricts employers from screening applicants prior to hiring or monitoring employee communications as required under Illinois insurance laws or federal laws.