Colorado has joined several other states in a growing trend that restricts employers from inquiring about social media account information. The Governor signed the new legislation on May 11, 2013, that restricts employer access to personal information through electronic communication devices. The new social media privacy law became effective upon passage.
The new law applies to public and private employers in the state and to “an agent, a representative, or a designee of the employer.” Exempt from the law are the Department of Corrections, County corrections departments, or any state or local law enforcement agency.
The Act restricts employers in three ways. First, employers are restricted from suggesting, requesting, or requiring an applicant or employee to disclose user name, password, or other means for accessing the person’s personal account or service. Second, employers may not cause an applicant to make such a disclosure. Third, employers must not compel an applicant or employee to add anyone, including the employer, to his or her list of contacts, or change privacy settings associated with a social media account.
Employees are protected under the Act from retaliation for refusing to disclose the protected information. Employers may not take any adverse employment action against an applicant or employee based on these restrictions. Adverse action is a refusal to hire an applicant, or the discharge, discipline, or other penalty or threat, made by an employer against an employee because he or she will not disclose the information.
Two exceptions to the restrictions are spelled out in the Act. Employers are permitted to conduct investigations into employee web-based accounts if it has information that the employee used a personal account for business purposes when the investigation is to ensure compliance with securities or financial law or regulatory requirements. An employer may also investigate if the employer has information about an unauthorized downloading of its proprietary or financial information to a personal web-based account.
Nothing in the law prohibits an employer from requiring an employee to disclose user name, password, or other means for accessing non-personal accounts or services that provide access to its internal computer or information systems.
Persons who believe they have been injured as a result of a violation of this law may file a complaint with the Department of Labor and Employment. The law provides that the Department may create rules regarding penalties for violations, including imposing fines of up to $1,000 for the first violation and up to $5,000 for each subsequent violation.
The Act is available at: http://www.leg.state.co.us/clics/clics2013a/csl.nsf/fsbillcont3/