For many businesses trying to sort through applicants for an open position at their company, it has become routine to run a Google search of applicants to find out more about them. This can quickly lead to finding their Facebook or other social media account, but did you know that some employers have begun asking for applicants’ Facebook passwords during interviews to look at their activity? In Colorado, you could face serious legal liability for such actions.
Trying to find out as much as you can about an applicant or employee is understandable. For businesses both big and small, nobody wants to waste time, energy, and company resources bringing someone in for an interview who will not be a good fit, but a line must be drawn. Many workers feel their personal privacy is seriously invaded when employers go digging into their personal online accounts.
With these concerns in mind, several states have begun passing laws to combat this practice. In May of last year, Colorado passed C.R.S. § 8-2-127, a so-called “Facebook Law,” which restricts employers’ ability to get social media and other personal online account information from applicants or employees.
While running a Google search and pulling up any publicly available information about an applicant or employee is permissible under this law, employers cannot suggest, request, or require an applicant or employee to disclose the means for accessing their personal accounts or services (this includes usernames and passwords). Under this law, you also cannot suggest, request, or require an applicant or employee to change their privacy settings (for example, to make their accounts public) or to “add” the employer, or someone acting on behalf of the employer, to their friends list. If an employee or applicant refuses to comply with these kinds of requests from an employer, it is unlawful to penalize them or refuse to hire them because of that refusal.
There are a few exceptions to this law, but aside from allowing the employer to freely view publicly available information, they are pretty narrow. Other exceptions include investigations pertaining to compliance with financial laws and regulations and the unauthorized download of employer proprietary information to a personal web-based account or website.
If you would like to discuss this or other legal concerns related to your employees or the hiring process, be sure to reach out to the Law Office of E.C. Lewis, P.C., home of your Denver Business Lawyer, Elizabeth Lewis, 720-258-6647 or email her at Elizabeth.Lewis@eclewis.com.
In the EU, organizations that collect personal data must do so in accordance with the Data Protection Directive. US businesses must also provide an “adequate level of protection” if they do business with the EU. Personal data can only be gathered under strict conditions and for a legitimate purpose. Further, this information must be managed by the organization in a way that protects certain rights and prevents misuse.
If you are a US company, you can comply with the requirements by joining the US-EU Safe Harbor Program. To do so, you must adhere to the following seven Safe Harbor Privacy Principles:
- Notice: Organizations must notify individuals about the purposes for which they collect and use information about them, the organization’s contact information, the means the organization provides for limiting the use and disclosure of that information, and the kinds of third parties, if any, to which the organization discloses their information.
- Choice: Organizations must give individuals the opportunity to opt out of having their personal information disclosed to a third party or used for any purpose beyond that for which it was originally collected (for sensitive information, such as health information, this must take the form of an opt-in).
- Onward Transfer: To disclose information to a third party, an organization must comply with the Notice and Choice principles above.
- Access: Individuals must be able to view, correct, amend, or delete their personal information, with some exceptions.
- Security: Organizations must take reasonable precautions to protect personal information.
- Data Integrity: Personal information collected must be relevant to all the purposes for which it will be used.
- Enforcement: Organizations must have accessible, independent recourse mechanisms through which complaints can be resolved and damages awarded where applicable. They must also have procedures for verifying adherence to all of the principles and for correcting problems arising from any failure to comply.
In Canada, the applicable law is the Personal Information Protection and Electronic Documents Act or “PIPEDA.” It applies to any organization that collects, uses, or discloses personal information in the course of commercial activities. As a US company, you will still fall within the scope of PIPEDA if you have operations in Canada. Also, even if you do not have any Canadian operations but are collecting the personal information of Canadian citizens, you may be found to be within the scope of the law.
Any collection, use, or disclosure of personal information under this law can only be for purposes that a reasonable person would consider appropriate under the circumstances. In addition to this, there are ten principles that are to be followed to comply.
- Accountability: Your organization must designate people who are responsible for its compliance with the ten principles, for protecting all personal information, and for implementing personal information policies and practices.
- Identifying Purposes: The organization must identify, document, and inform the user of the reasons for collecting personal information at the time of collection or beforehand.
- Consent: The user must be meaningfully informed of the purposes for the collection, use, or disclosure of the personal information and then consent to them.
- Limiting Collection: An organization cannot deceive, mislead, or be indiscriminate in its collection of personal information or in its statements of the reasons for collecting it.
- Limiting Use, Disclosure, and Retention: Personal information cannot be used beyond the original purpose for its collection or kept longer than is necessary. There must also be procedures in place for retention, destruction, and the resolution of grievances relating to the data.
- Accuracy: The possibility of disclosing, or making a decision based on, personal information that is incorrect must be minimized.
- Safeguards: Personal information must be protected from loss, theft, unauthorized access, disclosure, copying, use, or modification, regardless of the form the information takes.
- Openness: The organization must have understandable policies for the management of personal information that are readily available to users.
- Individual Access: Users should generally be given the opportunity to access the personal information that the organization holds about them.
- Challenging Compliance: The organization must provide simple and easily understandable complaint procedures that inform users of all avenues of recourse, investigate all complaints, and take appropriate corrective measures.
COPPA became effective in April of 2000, and it applies to commercial websites that collect personal information from children under 13 years old, whether the collection is mandatory or voluntary. Personal information is defined by the act as any information that is individually identifiable or that would allow someone to identify or contact the child. If your website collects such information, you must take certain measures in order to comply with this law.
Personal information includes:
- First and last name
- Address including street name
- Online contact information
- Username that functions as online contact information
- Telephone number
- Social Security Number
- Persistent identifier that can be used to recognize a user over time and different website services
- A photo, video, or audio file, containing a child’s image or voice
- Geolocation information sufficient to identify street and city name
- Other information about the child or parent collected from the child when combined with one of the above identifiers
If you collect personal information such as those described above, you must follow these steps to comply with COPPA:
a. You must name the individuals collecting or maintaining personal information, as well as provide their contact information.
b. You must describe the personal information that is collected, how it is collected, how it is used, and whether you disclose the information to third parties and, if so, the categories of businesses those third parties are in and how they use the information.
c. You must describe the parents’ rights with regard to the personal information. You must tell parents that you will not require a child to disclose more information than is reasonably necessary to participate in an activity; that they can review their child’s personal information, request its deletion, and refuse to allow any further collection or use of the child’s information; that they can agree to the collection and use of the child’s information while retaining the option to disallow any further collection or use; and lastly, explain the procedures for exercising these rights.
2. You must also give direct notice to parents and obtain verifiable parental consent prior to collecting personal information online from children, with some limited exceptions. Parents must also be given the option to consent to the collection of a child’s information by the website but disallow the disclosure of such information to third parties, unless this information is considered integral to the website, which must be made clear to the parents.
3. You must also maintain the confidentiality, security, and integrity of information collected by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
4. You can only collect and keep such information for as long as is necessary to fulfill the purpose it was collected for, and you must take reasonable measures to protect and securely delete the information afterward.
If you have any questions about whether or not your website falls under COPPA or how to comply with COPPA, do not hesitate to reach out to the Law Office of E.C. Lewis, PC, the home of your Denver Business Lawyer, Elizabeth Lewis at 720-258-6647 or email her at Elizabeth.Lewis@eclewis.com.