Michigan's Internet Privacy Protection Act & Social Media
This law affects all employers, regardless of size, and also applies to public and private schools. The IPPA prohibits employers or schools from requiring applicants to disclose their password or login information as a condition for admission, hiring or discipline.
Technically, employers and schools are prohibited from accessing a subject's "personal internet account", which is defined in the statute as:
This definition covers just about every social media account you can think of; and then some. Arguably, the IPPA applies to all employee's internet accounts of any kind; not just social media accounts.an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.
However, there are broad exceptions to what is out-of-bounds for employers. For example,
- Employers can still access devices owned by the employer as well as the data stored on such devices;
- Accounts created by the employer and used for the employer's business purpose;
- Employers can discipline employees that transfer data owned by the employer onto that employee's personal internet account;
- Employers can access personal accounts when necessary to conduct an investigation for the purpose of complying with laws;
- Employers can access personal accounts when conducting an investigation into work-related conduct, and
- Employers can still access any information about an employee or applicant that is available on the Internet without the use of a password or login information.
The Act also bars an employer from "shoulder surfing" the employee; the practice of monitoring an employee's social media site by directing the employee to log onto the site so the manager can observe recent posts.
Nor can an employer require an employee to disclose information from which the employer can then access the employee's personal internet account.
Violation of the IPPA subjects an employer to a misdemeanor conviction and a fine of $1000 as well as other civil penalties. Violators are also subject to paying the employee's attorney fees.