Utah Adopts New Internet Privacy Law; Similar Bill Awaits Signature of Arkansas Governor

By April 12, 2013

On March 26, Utah became the fifth state—joining Delaware, California, Michigan, and New Jersey—to adopt an Internet privacy bill (sometimes referred to as a password protection act) prohibiting colleges and universities from demanding access to students’ or prospective students’ private email or social media accounts.

The bill, H.B. 100, signed by Governor Gary Herbert, reads in relevant part:

A postsecondary institution may not do any of the following:

(1) request a student or prospective student to disclose a username and password, or a password that allows access to the student’s or prospective student’s personal Internet account; or

(2) expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to disclose information specified in Subsection (1).

[...]

(1) A person aggrieved by a violation of this chapter may bring a civil cause of action against a postsecondary institution in a court of competent jurisdiction.

(2) In an action brought under Subsection (1), if the court finds a violation of this chapter, the court shall award the aggrieved person not more than $500.

The new Utah law also has sections protecting employees and prospective employees from similar demands to access to private email and social media accounts. While not explicitly referencing higher education, those provisions protect faculty and staff at colleges and universities from these types of privacy intrusions.

Hot on Utah’s heels, last week the Arkansas Legislature also passed legislation prohibiting colleges and universities from demanding passwords or even user names to current or prospective employees’ or students’ social media and private email accounts. The legislation, originally H.B. 1902, now officially Act 998, cleared both houses of the legislature unanimously and has been sent to Governor Mike Beebe’s desk for signature. The legislation, sponsored by Representative Nate Steel (D – Nashville), in part states:

(b) An institution of higher education shall not require, request, suggest, or cause:

(1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee or student’s social media account; or

(2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to:

(A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or

(B) Change the privacy settings associated with his or her social media account.

(c) An institution of higher education shall not:

(1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or

(2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section.

This welcome legislation protects current and prospective students, faculty, and staff from intrusive monitoring of their private email and social media accounts. Legislation like Utah’s H.B. 100 and Arkansas’s Act 998 is important because email and social media is an ever-increasing medium of communication which must be free from surveillance to avoid chilling substantial amounts of protected speech.

Kudos to Utah for passing this important legislation! Hopefully, Arkansas Governor Mike Beebe will sign Act 998 into law soon. And hopefully, more states—and Congress—will follow Utah and Arkansas’s examples and adopt similar laws.

Cases: Nationwide: Password Protection Acts