State legislatures are increasingly legislating in the area of employee and student online privacy. Privacy practitioners should be aware that there is now a proposed uniform law for the states to consider enacting.  At its recent annual meeting in Stowe, Vermont, the Uniform Law Commission adopted a proposed uniform state law titled “Uniform Employee and Student Online Privacy Protection Act” (ESOPPA).  ESOPPA is the result of a two-year effort by the Commission to study the issues involved in online privacy and draft proposed legislation aimed at protecting an employee or student’s login information to certain personal online accounts.

What is the ULC?

Created in 1892, the Uniform Law Commission develops and drafts uniform legislation for consideration by state legislatures. The Commission is comprised of several hundred judges, law professors, legislative staff, legislators and attorneys in private practice (“Commissioners”).  Each state, the District of Columbia, Puerto Rico and the U.S. Virgin Islands appoint Commissioners.  I serve as a Commissioner for Virginia and attended the annual meeting in Vermont.

What is ESOPPA?

ESOPPA was drafted to address the situation where employers and education institutions attempt to require or coerce an employee or student to disclose login information to personal online accounts. The Act applies to employers and public and private post-secondary educational institutions and their agents or designees. See § 2 of the Act.

The Act is designed to protect an employee or student’s login information to, and content, on “protected personal online accounts.” These accounts can take a variety of forms – social media, personal finance, etc.  The crucial determinates are that the online account is protected by a login requirement and is a personal account. See § 2.

In addition to a typical definition of employee, ESOPPA’s definition also includes prospective employees, independent contractors and unpaid interns. ESOPPA’s definition of student includes current and prospective students. See § 2.

What does ESOPPA Prohibit?

ESOPPA prohibits an employer or post-secondary educational institution from “requesting, requiring or coercing an employee [or student]” to (i) disclose to such entity the employee or student’s login information to a “protected personal online account” or to disclose the content of such account; (ii) alter the account settings for the protected personal online account in such a way that makes the information or login information more accessible by others; or (iii) login to a protected personal online account in the presence of the entity in such a way that allows viewing the login information. See §§ 3 and 4.

The proposed Act also prohibits an employer or post-secondary educational institution from retaliating against an employee or student who does not comply with a request for access that is in violation of the Act or refusing to accept a “friend” request or “unfriending” the entity from the employee or student’s protected personal online account.

What does ESOPPA allow?

ESOPPA allows an employer or post-secondary educational institution to:

  1. Access information that is available to the general public;
  2. Comply with federal or state law, court order or requirements of certain regulatory organizations;
  3. Require or request access to the content (but not the login information) of a protected personal online account when the entity has “specific facts” about the account to ensure compliance with federal or state law or work or school related misconduct, or to investigate non-compliance with such laws or policies.  A covered entity may also require access to content based on specific facts about the account in order to protect against health or safety threats; threats to the entity’s IT systems, communications infrastructure or other property; or the disclosure of proprietary information.  If an employer or educational institution accesses the content of an account through this exception (#3), the entity is required to (i) only access relevant content, (ii) only use the content for the reason it is being accessed and (iii) not change the content unless necessary for the underlying reason for needing access (i.e. the “specified purpose.”);
  4. Request an employee or student to allow the entity to “friend” them on an online account or request the person to not “unfriend” the entity from the online account; and
  5. Conduct network system monitoring and the acquisition of login information through such a program as long as the entity complies with certain retention, use, and disposal requirements.

See §§ 3 and 4.

What remedies are provided under ESOPPA?

ESOPPA allows the state attorney general to obtain injunctive or other equitable relief and seek a $1,000 civil penalty for each violation of the Act, but limits the total recovery to $100,000 when the same act results in multiple violations. See § 5.

ESOPPA provides a private right of action for an employee or student to bring a civil action against the offending employer or post-secondary educational institution, respectively, to obtain injunctive relief, actual damages and costs and attorney fees. Such remedies are not exclusive nor do they supplant any other remedy available under other laws. See § 5.

Why does it matter?

Increasingly, states are legislating in this area of the law. According to the National Council of State Legislatures, in 2015, 23 states introduced or considered legislation on employee or student online privacy, with nine states enacting a law.  In 2016, 15 states considered such legislation and three states enacted laws in this area.  States are taking a variety of approaches to address the issues involved in online privacy in the employment and student contexts.

The Uniform Law Commission has a record of producing draft legislation that is appealing to state legislatures. One of the Commission’s most well-known products is the Uniform Commercial Code, the entirety of which is adopted in virtually every state. The uniform acts produced by the Commission, often set the standard for what the legislation contains, even when a state does not adopt the entirety of the proposed uniform act. Among other things, states may use the definition section of a proposed act, or adopt the burden of proof or elements of a claim from a uniform act.  As such, it is important for the employers, post-secondary educational institutions and advisors to those entities to be aware of the consideration by the various states of uniform acts such as ESOPPA.

Click Here to View the Proposed Act