Search form

Connecticut Enacts Personal Social Media Protection; Oregon Poised to Add Twist to Its Law

By Joseph J. Lazzarotti
  • May 28, 2015

Connecticut has become the 21st state to enact a law limiting an employer’s ability to access the personal social media accounts of job applicants and employees. The new law (Public Act 15-6), signed by Governor Dannel P. Malloy on May 19, 2015, will become effective on October 1, 2015, and applies to all private and public employers, regardless of size.

Taking protection of employee social media accounts a step further, an Oregon measure, S.B. 185 A, would amend the state’s existing law (ORS  659A.330) to prohibit employers from requiring employees or job applicants: (i) to establish or maintain personal social media accounts; or (ii) to authorize the employer to advertise on their personal social media accounts. The Oregon bill, unanimously passed by the legislature, awaits consideration by the Governor.

The Connecticut Law

Similar to the social media privacy laws of other states, Connecticut’s law prohibits employers from requesting or requiring an employee or applicant to provide a user name and password, password, or any other authentication means for accessing a personal online account. 

A personal online account is one that is used by the employee or applicant “exclusively for personal purposes and unrelated to any business purpose of such employee’s or applicant’s employer or prospective employer, including, but not limited to, electronic mail, social media and retail-based Internet web sites.”

Under the law, employers also are prohibited from requiring an employee or applicant to authenticate or access a personal online account in front of the employer. Further, employers are prohibited from requiring an employee or applicant to invite the employer or accept an invitation from the employer to join a group affiliated with the employee’s or applicant’s account. 

The Connecticut law does not prohibit employers from conducting certain investigations, such as one to ensure compliance with state or federal laws or regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about activity on an employee’s or applicant’s personal online account. In addition, the law does not “prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.” 

Employers may monitor, review, access, or block electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network. This may be helpful for employers who have a duty to monitor certain employee communications. For example, in expressing concerns over the effects of state social media laws, the Financial Industry Regulatory Authority (FINRA) noted that its Regulatory Notices 10-06 and 11-39 provide that securities firms must establish procedures to review registered representatives’ written and electronic business correspondence, including interactive electronic communications that the firm or its personnel send through social media sites. In addition, FINRA requires firms to adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are reasonably supervised to make certain that their communications are fair and balanced. Of course, employers in regulated businesses should review carefully the prohibitions, as well as the exceptions, under state laws in order to shape a strategy for compliance.

The Oregon Bill

The bill would amend Oregon’s existing law (ORS  659A.330) to prohibit employers from requiring employees or job applicants: (i) to establish or maintain personal social media accounts; or (ii) to authorize the employer to advertise on their personal social media accounts. Under the bill, employers subject to the Oregon law will have to exercise caution in approaching employees about using employees’ personal accounts for business purposes. As with social media account protection laws themselves, which have spread widely, this twist in Oregon may be followed elsewhere.

As a way of enhancing their exposure and reach in social media, some employers are trying to leverage their employees’ social media presence to promote more broadly the companies’ products and services. Putting aside potential labor, wage and hour, and other employment issues, the Oregon bill would address potential privacy issues resulting from the practice of compelling employees to allow employers to use employees’ personal social media accounts to advertise. 

If the bill is enacted, employees may refuse to allow their personal accounts to be used for business purposes. That, of course, may address some of the concerns FINRA and others raise about being able to monitoring employees’ business communications in their personal social medical accounts. Another effect may be the difficulty in determining whether the employer required, or the employee permitted, the personal online account to be used for advertising the company’s products or services. For certain types of employment, increased exposure and sales of the company’s products and services would result in direct benefits to the employee, as well as the employer.


The rise of states’ limitations on employers’ ability to access the personal social media accounts of job applicants and employees is a challenge for employers, particularly those that have employees in many states. Virginia and Montana are two states thus far to have enacted such laws in 2015: Virginia’s law goes into effect on July 1 (see our article, Virginia Limits Employer Access to Social Media Accounts of Employees and Applicants), and Montana’s law went into effect on April 23.

For additional information and assistance with these and other laws, please contact a member of our Privacy, e-Communication and Data Security practice or the Jackson Lewis attorney with whom you regularly work.

©2015 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of Jackson Lewis P.C., a law firm with more than 900 attorneys in major cities nationwide serving clients across a wide range of practices and industries. Having built its reputation on providing premier workplace law representation to management, the firm has grown to include leading practices in the areas of government relations, healthcare and sports law. For more information, visit

See AllRelated Articles You May Like

March 11, 2019

New Jersey Bills Would Give Consumers Control Over Their Personal Data Privacy

March 11, 2019

New Jersey has joined a growing list of states considering legislation on data privacy to promote transparency, accountability, and individual choice. One bill would create new obligations for commercial entities whose online website or services collect personally identifiable information (PII) from individuals in New Jersey. A second... Read More

January 28, 2019

California Consumer Privacy Act: FAQs for Employers

January 28, 2019

Data privacy and security regulation is growing rapidly around the world, including in the United States. In addition to strengthening the requirements to secure personal data, individuals are being given an increasing array of rights concerning the collection, use, disclosure, sale, and processing of their personal information.... Read More

January 25, 2019

Actual Harm Not Required to Sue Under Illinois Biometric Information Privacy Law

January 25, 2019

The Illinois Supreme Court has ruled that individuals need not allege actual injury or adverse effect, beyond a violation of his or her rights under the Illinois Biometric Information Privacy Act (BIPA), in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive... Read More