On December 13, 2012, the Michigan Legislature passed House Bill HB 5523, the Internet Privacy Protection Act (IPPA). Governor Rick Snyder signed it into law on December 28, 2012.
Similar to laws already on the books in Maryland, Illinois and California, the IPPA prohibits
Under the new law, an employer may not discharge, discipline, fail to hire, or otherwise penalize an employee or applicant who declines such requests.
The goal of the law is to ensure that employees and applicants are judged on their skills and abilities, rather than on private online activity. It does, however, permit employers to access employees’ use of employer equipment and systems and allows for investigations, under certain circumstances, of employees’ personal social media accounts.
The new regulations apply to every employer in Michigan. Businesses operating in Michigan must interpret and address the new regulations, and their human resources policies and practices must be amended to ensure compliance.
In general, the Internet Privacy Protection Act prohibits Michigan employers from:
1) Requesting from an applicant or employee “access information” (i.e., user name, password, login information or other security information that protects access to a personal Internet account) in order to gain access to the applicant’s or employee’s personal Internet account.
2) Disciplining, terminating, failing to hire or otherwise penalizing an employee or applicant for not providing to the employer access information regarding personal Internet accounts.
These new regulations apply to all supervisors and managers. It is not hard to imagine that situations may arise in which employees voluntarily give a supervisor or manager access to a personal Internet account (e.g., the employee “friends” his or her supervisor on Facebook, and the manager accepts). These common and entirely voluntary occurrences can inadvertently lead to a greater risk for violation of the new law if the supervisor accepts the invitation.
Imagine if the supervisor discovers information about the employee that he or she otherwise would not have, and the employee is subsequently denied a promotion or terminated. The burden of proof would lie with the employer to show that the information was not used in making the employment decision.
In order to avoid an unintentional violation of the new law, we would advise Michigan employers to consider implementing a policy in which managers are prohibited from accessing information on personal Internet accounts of non-management employees.
Michigan’s Internet Privacy Protection Act allows for several exceptions, under which employers may:
Employers are encouraged to use safe screening techniques for new hires. Using third parties to perform background checks for criminal convictions and motor vehicle records is perfectly acceptable as long as the employer and the third party comply with the laws.
Violating the Internet Privacy Protection Act is considered a misdemeanor punishable by a fine of more than $1,000. Employers should be able to lawfully obtain information about employees’ Internet activities when it is warranted and necessary. However, Michigan employers must be familiar with all of the IPPA provisions in order to avoid mistakes and potentially exposing their HR staff to prosecution.