California Governor Jerry Brown today signed AB 1844, which prohibits employers from requiring job applicants or employees to allow access to their personal social media sites, except if access is reasonably required to investigate allegations of employee misconduct or violation of laws or regulations.  Governor Brown announced his action on various social media sites, including Twitter, Facebook, Google+, LinkedIn and MySpace(!).
Specifically, the new law prohibits employers from requiring or requesting a personal social media user name or password, or requiring or requesting the employee or applicant to (1) access personal social media in the presence of the employer or (2) “divulge any personal social media.”  Presumably, the law could justify a legal action by the employee or an enforcement action by the Labor Commissioner, although a section added to the original text provides that the Labor Commissioner is not required to investigate or determine any violation.
“Social media” is defined as “an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”  The law prohibits retaliation against an employee who refuses to comply with a demand that violates the statute.
No legislator voted against the law.  Amazingly, in this age of 1000+ page bills, the text of this law is less than a page.  Similar laws have been passed in Maryland and Illinois and are being considered by several other states.
Despite this legislative and gubernatorial smooth sailing, there are problems for employers.  For example, the Securities Industry and Financial Markets Association (SIFMA) sought an exemption for the financial industry from the bill in the legislature and called for a veto from Governor Brown.  SIFMA asserted that regular access to personal social sites was needed in the financial industry to assure regulatory compliance, especially since many people use accounts for both personal and business activity. 
One result of this opposition is the exception for reasonable investigations of misconduct.  Beyond that, it is unclear how courts will handle apparent conflicts with laws requiring company supervision beyond investigations of specific allegations.  For example, federal and state securities laws require supervision of employee-client communications and retention of relevant records, including social-media information.
Even before this legislation, some courts have limited an employer’s right to access Internet information.  The federal Fair Credit Reporting Act (“FCRA”), 15 U.S.C. §§1681 et seq., and the California Investigative Consumer Reporting Act (“ICRS”), Cal. Civil Code §§1686 et seq., require permission and various disclosures before certain investigations.  Credit Agencies that perform background checks are subject to additional requirements that limit their inquiry and mandate “reasonable procedures” to assure “maximum possible accuracy.”  The FTC has taken the position that companies that assist investigations of employees’ Internet activities are consumer reporting agencies subject to the FCRA.
The federal Stored Communications Act (“SCA”) also appears to be implicated.  The SCA protects privacy by, among other things, prohibiting access without authorization to private electronic communications kept by an Electronic Communications Service (“ECS”).  A social networking site appears to be an ECS.  (See Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D.Cal. 2010).)
The Court of Appeals for the Ninth Circuit, which includes California, has applied the SCA to an employee’s postings on a password-protected electronic bulletin board.  (Konop v. Hawaiian Airlines, Inc., 302 F2d 868 (9th Cir. 2002).)  Consent that is coerced or required may not count.  In Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009), the court let stand a jury award of $2,500 actual damages and $10,000 punitive damages against an employer for violations of the SCA based on a finding that an employee’s consent allowing an employer to access private information on was coerced.  The employee testified that she only provided her password because it was requested by a manager and that she thought she would have gotten in trouble had she not agreed.  This is not very strong evidence of coercion, yet it was sufficient in this case.
On the other hand, a San Francisco federal judge held that an employer’s well-publicized monitoring policy amounted to implied consent.  (Sporer v. UAL Corp., 2009 WL 2761329 (2009).)
Employers need to evaluate these issues carefully, including whether there is any regulatory or other legal justification for requiring access to employees’ social media under the investigation exception or other laws.  The attorneys in CWC’s Labor and Employment Practice Group are well qualified to assist you with those decisions.