Colorado Statute Limits Use of Employee’s Personal Social Media Accounts for Business Purposes

March 2, 2021

By: Colin A. Walker

Social media accounts have become ubiquitous in recent years, especially in the business environment. LinkedIn and similar platforms are regularly used for sales, recruiting, networking, and other activities critical to a business’ success. However, employers should beware of laws which limit their ability to require their employees to use personal social media accounts to perform their duties. 

The Colorado Social Media and the Workplace Act, C.R.S. § 8-2-127, limits the control an employer can exercise over an employee’s social media accounts. More specifically, it prohibits:

  • Suggesting, requesting or requiring an employee to provide usernames or passwords for LinkedIn or other social media accounts;
  • Compelling an employee to add contacts to his/her social media contacts;
  • Suggesting, requesting or requiring an employee to change privacy settings on a social media account; and
  • Retaliation against any employee who reports a violation of the policy or who cooperates in an investigation regarding the policy.  

The prohibitions for usernames, passwords, and privacy settings are much broader than the prohibition on adding contacts to an account. The statute prohibits suggesting, requesting, or requiring disclosure of usernames, passwords, and changing privacy settings, but only prohibits compelling adding contacts. 

The statute does not prohibit requiring an employee to disclose usernames or passwords for non-personal accounts or services that provide access to the employer’s internal systems. 

The Colorado Department of Labor and Employment (“CDLE”), which has enforcement authority regarding this statute, is likely to give the employee the benefit of the doubt when there is a question about whether activities covered by the statute are required or merely requested. The CDLE looks to the reality of the relationship between the parties and is likely to view a high level of control as indicating compulsion, even if the language the employer uses is in the form of a request.  

The term “privacy settings” is not defined in the statute and it is not clear on many social media platforms what constitutes a privacy setting. The CDLE has indicted that it regards requesting employees to change the settings relating to who can contact the employee as changing “privacy settings,” explaining that settings relating to the ability of others to find and connect with someone to be within the plain meaning of privacy. It has suggested that changes only of an aesthetic nature might not involve changes to privacy settings. 

While one purpose of the statute was clearly to prohibit employers from snooping on their employees and invading their privacy, the CDLE views preventing the employer from hijacking its employees’ social media accounts for business purposes to be another important objective. If an employer wants its employees to use LinkedIn and similar platforms for business purposes, it may have to provide a separate business LinkedIn account to avoid liability under this statute. 

The CDLE has authority to receive complaints, investigate violations of the statute, and impose fines of up to $1,000 for a first offense and $5,000 for each subsequent offense. Employers which use LinkedIn and other social media platforms in their operations would be well advised to review the statute and their practices to ensure compliance with this law.