While there is no specific rule prohibiting employers from restricting employees’ social media use during working hours, there are certain laws, discussed below, that employers should consider, particularly with respect to any type of monitoring of employees’ social media use.
The Stored Communications Act (“SCA”) generally prohibits accessing the online account of another without that individual’s consent. In the context of monitoring, accessing or reviewing the employee’s electronic communications, the SCA has been interpreted to allow employers to access employee communications stored on their own electronic communications services (e.g. a company provided email service), as long as access is authorised under the employer’s policies, and the employer has a valid business purpose for doing so. Employee notice of the company’s monitoring policies is critical.
Regarding private email accounts (e.g. gmail, yahoo, etc.) on a company provided device, generally courts have held that an employer cannot access an employee’s private email account. That said, some courts have concluded that an employer can monitor an employee’s private email account, if the employee is using a company provided device or network and has provided written consent to an employer’s policy authorising broad monitoring practices on company provided devices/networks. Additionally, the National Labour Relations Board’s General Counsel recently issued a memorandum advocating limiting electronic surveillance of employees. If adopted by the Board, the proposed standards would apply to all employers subject to the National Labour Relations Act (NLRA), not only unionized employers.
When organisations decide to engage in any level of search or surveillance of their employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organisation’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectations of privacy, as well as making clear the information systems and activities that are subject to the policy.
Five states – California, Colorado, Connecticut, Utah, and Virginia – have enacted comprehensive consumer data privacy laws. For example, on 1 January 2020, the California Consumer Privacy Act (CCPA) took effect, with some data privacy requirements paralleling the EU’s General Data Protection Regulation (GDPR), as applied to consumer information. While employees’ personal information is excluded from most of the CCPA’s requirements, employees of covered businesses are entitled to a privacy notice. Under the privacy notice provision, covered businesses are required to inform employees, as described above, with respect to the categories of personal information they collect and the purposes for which the information will be used. In addition, employees are permitted to commence a private right of action, if affected by a data breach caused by a failure of the employer to maintain reasonable safeguards.
Employers may prohibit the employee’s use of social media to disparage the employer or divulge confidential information, and may discipline employees for violating such a prohibition, but must tread carefully for two main reasons:
First, the employee may be protected under a federal or state whistleblower law, which generally protects employees who complain about certain company activities or conditions affecting public health and safety or violating public policy standards, as well as employees who report potential securities fraud violations. For example, the Sarbanes-Oxley Act of 2002 (“SOX”) prohibits employers from terminating employees for “provid[ing] information, caus[ing] information to be provided, or otherwise assist[ing] in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of … any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders.” The investigation, however, must be conducted by, among others, a person with supervisory authority over the employee. An employee who reports alleged securities fraud on a company blog monitored by management to detect improper activities within the workplace could be protected, for example, under SOX.
Second, the NLRA affords employees (even those who are not unionised) the right to engage in “concerted activity,” including the right to discuss the terms and conditions of their employment – and even to criticise their employers – with co-workers and outsiders. Not all concerted activities are protected by the NLRA; only those activities that are engaged in for the purpose of collective bargaining or other mutual aid or protection are covered. In general, an employee’s concerted activity will be protected under Section 7 of the NLRA where, for example, the employee’s statements implicate the employee’s working conditions, regardless of how those statements are communicated.
Another example of protected activity under Section 7 occurs when the employee protests supervisory actions. While, these protections are not absolute, employers must treat employee conduct differently based on whether the employee was engaged in protected concerted activity while committing the misconduct. What exactly constitutes protected concerted activity requires further examination and analysis of the facts at issue on a case-by-case basis.
Reference should be made to the guidance issued by the NLRB, which considers in great detail, common types of policies and handbook language limiting employees’ social media. In general, employers should carefully review social media policies to ensure protection of the company’s reputation, without impermissibly limiting employees’ rights to discuss work conditions amongst themselves.
