On December 28, 2012, Michigan Governor Rick Snyder signed into law the state’s new Internet Privacy Protection Act (IPPA), prohibiting employers and educational institutions in the Great Lakes State from demanding that employees and students provide them with access to personal Internet and social media accounts.
Michigan joins Delaware, New Jersey, and California as the fourth state in the U.S. to enact legislation protecting students’ right to privacy online. Maryland and Illinois have similar laws that apply in the employment context, but not in the context of higher education.
With a few notable exceptions, Michigan’s IPPA bans educational institutions from requesting that students or prospective students grant the institution access to “personal internet accounts,” like Facebook, MySpace, private email accounts, and Twitter. This prohibition forbids universities from requiring disclosure of passwords, or from requiring that they be permitted to monitor those accounts. The new law also prohibits educational institutions from “Expel[ling], disciplin[ing], fail[ing] to admit, or otherwise penaliz[ing]” those who fail to grant access to their personal Internet accounts.
Violators of this law are guilty of a misdemeanor punishable by a $1,000 fine. Plus, the IPPA allows students or prospective students to sue universities for up to $1,000 and reasonable attorneys’ fees for violations of this law. A thousand bucks might not be much, but attorneys’ fees can add up. Hopefully, a misdemeanor charge and the threat of paying attorneys’ fees will give this law sufficient teeth.
The IPPA, however, provides some important exceptions. For example, under the IPAA, if a student is provided her smartphone by her college, or if the school pays part of the data usage bill, the school then has the right to demand access to those accounts to monitor how those devices are being used. This also means that universities in Michigan may still demand access to internet accounts provided by the school. So, while Michigan State University (for example) may not require access to a student’s private Gmail account, the school may still demand access to the student’s account on the university-provided email system. Moreover, nothing in the law prohibits universities from viewing, accessing, or utilizing information about a student or applicant that can be obtained without any required access information or that is available in the public domain. In other words, if a student’s Facebook page can be viewed by the public, her college has the right to check it out.
Laws like Michigan’s IPPA are generally good news for student privacy rights and for free speech. Students should not have to give up their ability to communicate privately as a requirement for getting an education at a state university, or indeed at any university that claims to provide free speech to its students. It’s hard to think of a more effective way to chill student speech than the pervasive administrative surveillance that social media monitoring programs make possible today. The IPPA’s passage is therefore a welcome development for students in Michigan. Hopefully more states will soon follow suit.