The Virginia Employee Social Media Privacy Act, VA Code § 40.1-28.7:5 (“VESMPA”), titled “Social media accounts of current and prospective employees,” generally prohibits Virginia employers from (1) requiring employees or prospective employees to disclose their social media usernames and passwords or (2) to “friend” or “connect” with the employer on social media. As with many laws, however, the VESMPA has some exceptions to the general rule.
The VESMPA defines “employer” broadly. The definition includes the catch-all definition under VA Code § 40.1-2:
“Employer” means an individual, partnership, association, corporation, legal representative, receiver, trustee, or trustee in bankruptcy doing business in or operating within this Commonwealth who employs another to work for wages, salaries, or on commission and shall include any similar entity acting directly or indirectly in the interest of an employer in relation to an employee.
In addition, the VESMPA applies to government employers:
“Employer” includes, in addition to the persons enumerated in the definition of employer in § 40.1-2, (i) any unit of state or local government and (ii) any agent, representative, or designee of a person or unit of government that constitutes an employer.
Social Media Accounts Defined
The VESMPA defines social media accounts broadly, to include a wide variety of private social media activity:
“Social media account” means a personal account with an electronic medium or service where users may create, share, or view user-generated content, including, without limitation, videos, photographs, blogs, podcasts, messages, emails, or website profiles or locations.
There are limitations, however. Importantly, “social media accounts” protected by the VESMPA do not include accounts associated with the employer:
“Social media account” does not include an account
(i) opened by an employee at the request of an employer;
(ii) provided to an employee by an employer such as the employer’s email account or other software program owned or operated exclusively by an employer;
(iii) set up by an employee on behalf of an employer; or
(iv) set up by an employee to impersonate an employer through the use of the employer’s name, logos, or trademarks.
The VESMPA provides, as a general rule, that employers cannot require employees or prospective employees to disclose their social media usernames and passwords or to “friend” or “connect” with the employer on social media:
B. An employer shall not require a current or prospective employee to:
1. Disclose the username and password to the current or prospective employee’s social media account; or
2. Add an employee, supervisor, or administrator to the list of contacts associated with the current or prospective employee’s social media account.
Inadvertent Receipt of Social Media Account Information and Prohibition on Use
The VESMPA clarifies that an employer does not violate the law by only inadvertently receiving an employee’s social media login information through an employer-provided device or an employer’s network-monitoring program. However, the employer still may not use the information to access the employee’s social media account:
C. If an employer inadvertently receives an employee’s username and password to, or other login information associated with, the employee’s social media account through the use of an electronic device provided to the employee by the employer or a program that monitors an employer’s network, the employer shall not be liable for having the information but shall not use the information to gain access to an employee’s social media account.
Prohibitions on Retaliation and Discrimination
The VESMPA prohibits employers from taking action against current employees or failing to hire prospective employees for exercising their rights not to disclose social media account information under the VESMPA:
D. An employer shall not:
1. Take action against or threaten to discharge, discipline, or otherwise penalize a current employee for exercising his rights under this section; or
2. Fail or refuse to hire a prospective employee for exercising his rights under this section.
Safe Harbor for Viewing Publicly Available Information
The VESMPA clarifies that it does not prohibit an employer from viewing information about a current or prospective employee that is publicly available:
E. This section does not prohibit an employer from viewing information about a current or prospective employee that is publicly available.
As noted above, the VESMPA contains several exceptions, under which an employer is permitted to require employees to disclose social media usernames and passwords. Generally, these exceptions allow an employer to require disclosure of social media account credentials if necessary to comply with laws or regulations.
In addition, the VESMPA does not prohibit an employer from requesting disclosure of an employee’s credentials for purposes of accessing a social media account if the employer “reasonably believes” the employee’s social media account activity is relevant to a formal investigation or related proceeding by the employer into allegations that the employee violated law or the employer’s written policies.
F. Nothing in this section:
1. Prevents an employer from complying with the requirements of federal, state, or local laws, rules, or regulations or the rules or regulations of self-regulatory organizations; or
2. Affects an employer’s existing rights or obligations to request an employee to disclose his username and password for the purpose of accessing a social media account if the employee’s social media account activity is reasonably believed to be relevant to a formal investigation or related proceeding by the employer of allegations of an employee’s violation of federal, state, or local laws or regulations or of the employer’s written policies. If an employer exercises its rights under this subdivision, the employee’s username and password shall only be used for the purpose of the formal investigation or a related proceeding.
VA Code § 40.1-28.7:5(F). If the employer obtains social media account information under this part of the law, the employee’s username and password may only be used for the purpose of the formal investigation or proceeding.
The VESMPA does not provide a statutory civil right of action for any employee harmed by a violation of its provisions. However, if an employee is terminated in violation of the policy stated in VESMPA, or because the employee exercised the rights created by the VESMPA, the employee may have a common law Bowman claim of wrongful discharge in violation of public policy.
This site is intended to provide general information only. The information you obtain at this site is not legal advice and does not create an attorney-client relationship between you and attorney Tim Coffield or Coffield PLC. Parts of this site may be considered attorney advertising. If you have questions about any particular issue or problem, you should contact your attorney. Please view the full disclaimer. If you would like to request a consultation with attorney Tim Coffield, you may call 1-434-218-3133 or send an email to firstname.lastname@example.org.