STATE OF MICHIGAN

96TH LEGISLATURE

REGULAR SESSION OF 2012

Introduced by Reps. Nesbitt, Opsommer and Horn

ENROLLED HOUSE BILL No. 5523

AN ACT to prohibit employers and educational institutions from requiring certain individuals to grant access to, allow observation of, or disclose information that allows access to or observation of personal internet accounts; to prohibit employers and educational institutions from taking certain actions for failure to allow access to, observation of, or disclosure of information that allows access to personal internet accounts; and to provide sanctions and remedies.

The People of the State of Michigan enact:

Sec. 1. This act shall be known and may be cited as the “internet privacy protection act”.

Sec. 2. As used in this act:

(a) “Access information” means user name, password, login information, or other security information that protects access to a personal internet account.

(b) “Educational institution” means a public or private educational institution or a separate school or department of a public or private educational institution, and includes an academy; elementary or secondary school; extension course; kindergarten; nursery school; school system; school district; intermediate school district; business, nursing, professional, secretarial, technical, or vocational school; public or private educational testing service or administrator; and an agent of an educational institution. Educational institution shall be construed broadly to include public and private institutions of higher education to the greatest extent consistent with constitutional limitations.

(c) “Employer” means a person, including a unit of state or local government, engaged in a business, industry, profession, trade, or other enterprise in this state and includes an agent, representative, or designee of the employer.

(d) “Personal internet account” means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.

Sec. 3. An employer shall not do any of the following:

(a) Request an employee or an applicant for employment to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account.

(b) Discharge, discipline, fail to hire, or otherwise penalize an employee or applicant for employment for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account.

Sec. 4. An educational institution shall not do any of the following:

(a) Request a student or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the student’s or prospective student’s personal internet account.

(b) Expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the student’s or prospective student’s personal internet account.

Sec. 5. (1) This act does not prohibit an employer from doing any of the following:

(a) Requesting or requiring an employee to disclose access information to the employer to gain access to or operate any of the following:

(i) An electronic communications device paid for in whole or in part by the employer.

(ii) An account or service provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.

(b) Disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal internet account without the employer’s authorization.

(c) Conducting an investigation or requiring an employee to cooperate in an investigation in any of the following circumstances:

(i) If there is specific information about activity on the employee’s personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.

(ii) If the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal internet account.

(d) Restricting or prohibiting an employee’s access to certain websites while using an electronic communications device paid for in whole or in part by the employer or while using an employer’s network or resources, in accordance with state and federal law.

(e) Monitoring, reviewing, or accessing electronic data stored on an electronic communications device paid for in whole or in part by the employer, or traveling through or stored on an employer’s network, in accordance with state and federal law.

(2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).

(3) This act does not prohibit or restrict an employer from viewing, accessing, or utilizing information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.

Sec. 6. (1) This act does not prohibit an educational institution from requesting or requiring a student to disclose access information to the educational institution to gain access to or operate any of the following:

(a) An electronic communications device paid for in whole or in part by the educational institution.

(b) An account or service provided by the educational institution that is either obtained by virtue of the student’s admission to the educational institution or used by the student for educational purposes.

(2) This act does not prohibit or restrict an educational institution from viewing, accessing, or utilizing information about a student or applicant that can be obtained without any required access information or that is available in the public domain.

Sec. 7. (1) This act does not create a duty for an employer or educational institution to search or monitor the activity of a personal internet account.

(2) An employer or educational institution is not liable under this act for failure to request or require that an employee, a student, an applicant for employment, or a prospective student grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s, student’s, applicant for employment’s, or prospective student’s personal internet account.

Sec. 8. (1) A person who violates section 3 or 4 is guilty of a misdemeanor punishable by a fine of not more than $1,000.00.

(2) An individual who is the subject of a violation of this act may bring a civil action to enjoin a violation of section 3 or 4 and may recover not more than $1,000.00 in damages plus reasonable attorney fees and court costs. Not later than 60 days before filing a civil action for damages or 60 days before adding a claim for damages to an action seeking injunctive relief, the individual shall make a written demand of the alleged violator for not more than $1,000.00. The written demand shall include reasonable documentation of the violation. The written demand and documentation shall either be served in the manner provided by law for service of process in civil actions or mailed by certified mail with sufficient postage affixed and addressed to the alleged violator at his or her residence, principal office, or place of business. An action under this subsection may be brought in the district court for the county where the alleged violation occurred or for the county where the person against whom the civil complaint is filed resides or has his or her principal place of business.

(3) It is an affirmative defense to an action under this act that the employer or educational institution acted to comply with requirements of a federal law or a law of this state.

This act is ordered to take immediate effect.

Clerk of the House of Representatives

Secretary of the Senate

Approved

Governor
