Social Media

Googling Job Applicants: Legal? Yes. Risky? Yes.

In today’s hiring landscape, it’s almost second nature for employers to type an applicant’s name into Google or check out their social media. If the information is public, it must be fair game, right?

Not exactly. While you can look, doing so without a structured process can expose your organization to significant legal and compliance risks.

Public Information Is Accessible But Comes With Hidden Liability

Employers may view publicly available online content without obtaining specific authorization. However, a simple search can unintentionally reveal protected characteristics such as age, race, religion, disability status, or pregnancy. Once discovered, this information could fuel discrimination claims if the applicant later challenges a hiring decision. The principle is simple: what’s seen can’t be unseen, and that creates risk.

Private Accounts Are Off-Limits

No employer should ever:

  • Request social media passwords
  • Ask applicants to access private accounts
  • Send “friend” requests to gain entry
  • Ask for screenshots of private content

In California, these actions are illegal under Labor Code § 980. Many other states have enacted similar protections.

FCRA Applies If Using An Outside Service

If an employer hires any third-party service to review an applicant’s online presence, the resulting report becomes a consumer report under the Fair Credit Reporting Act (FCRA). That means employers must:

  • Provide a standalone written disclosure
  • Obtain written authorization
  • Follow pre-adverse and adverse action procedures before rejecting based on the report

Ignoring FCRA obligations is one of the most common and expensive hiring pitfalls.

Best Practices To Reduce Risk

To protect your organization and ensure a fair, compliant hiring process:

  • Create a structured, consistent process for any online screening.
  • Use a “firewall” between the person viewing online content and the final decision-maker.
  • Limit reviews to public, job-related information only.
  • Document your screening approach and maintain it across roles.
  • Apply the same process to all candidates to avoid disparate treatment.


Disclaimer: This communication is for general informational purposes only and does not constitute legal advice. The summary provided in this alert does not, and cannot, cover in detail what employers need to know about the amendments to the Philadelphia Fair Chance Law or how to incorporate its requirements into their hiring process. No recipient should act or refrain from acting based on any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

Digital Spring Cleaning

Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

March 18th, 2021 | Categories: Risk Management

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope set out in Article 3(2) of the GDPR. Generally described as the GDPR’s “targeting criteria,” it requires your business to be GDPR compliant if it processes the personal data of an individual in the EU (a data subject) in connection with (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples of how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or when your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles or otherwise analyzes by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though it does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

December 12th, 2018 | Categories: International, Legislation

Right to be forgotten: sweeping changes are coming

According to a June 26, 2014 article in The Wall Street Journal, Google, Inc. started removing results from its search engine under Europe’s new “right to be forgotten,” implementing a landmark ruling by the European Union’s top court that gives individuals the right to request removal of Internet search results for their own names.

Not to be outdone when it comes to privacy legislation, the California Senate recently approved SB 1348, requiring online data brokers who sell consumer information to provide an opt-out mechanism and consumer access to the data. The bill, which now moves to the State Assembly for consideration, gives California consumers the right to review the information maintained by a data broker and request that it be permanently removed within 10 days. Once removed, the information cannot be reposted or sold to a third party. Notably, the bill attempts to include consumer reporting agencies in the category of data brokers.

Although there is no actual movement on the federal level, the Federal Trade Commission (the “FTC”) urges that Congress consider enacting legislation to make data broker practices more visible to consumers and allow them greater control over the immense amounts of personal information that are collected about them and shared by data brokers. In its study presented in a report issued May 27, 2014, the FTC found that data brokers operate with a fundamental lack of transparency.

July 9th, 2014 | Categories: Legislation

FFIEC finalizes guidance for social media risk management

The Federal Financial Institutions Examination Council (FFIEC) released on December 11, 2013 final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance provides considerations that financial institutions may find useful in performing risk assessments and developing and evaluating policies and procedures regarding social media. 

January 17th, 2014 | Categories: Risk Management

Illinois amends its password protection law to exclude financial services firms

In August 2013, Illinois passed an amendment to its existing password protection law that lifts restrictions for financial services firms, enabling them to monitor their employees’ business-related social media communications. Effective January 1, 2014, the law will no longer apply when an employer requests access to a “professional account” to “monitor or retain employee communications as required under the state’s insurance or federal law or by a self-regulatory organization.” The amendment also permits Illinois employers to seek access to a professional account when the employer has “a duty to screen applicants or employees prior to hiring.”

September 12th, 2013 | Categories: Legislation

New Jersey enacts law for social media password protection

Continuing a nationwide momentum of restricting employers’ access to personal social media content of applicants and employees, in August 2013, New Jersey passed Act 2878 joining eleven other states (Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado, Washington, Oregon, and Nevada) with similar laws. Dozens more states and the U.S. Congress are considering comparable legislation. New Jersey’s new law, which becomes effective December 1, 2013, prohibits employers from asking or requiring that applicants or employees “provide or disclose any user name or password, or in any way provide the employer access to a personal account through an electronic communications device.”

September 12th, 2013 | Categories: Legislation

FINRA is spot-checking social media communications

In posting a Targeted Examination Letter (often referred to as a sweep letter) on its website earlier this month, FINRA invoked Rule 2210(c)(6), which states that each FINRA firm’s written (including electronic) communications are subject to a periodic spot-check procedure.

FINRA’s sweep letter seeks, among other things, an explanation of how the firm is using social media at the corporate level in conducting its business; the identity of all individuals who post and/or update content; how the firm’s registered representatives and associated persons generally use social media to conduct the firm’s business; written supervisory procedures concerning the production, approval and distribution of social media communications; the measures to monitor compliance with the firm’s social media policies; and a tabular list of the firm’s top 20 producing registered representatives (based on commissioned sales) who used social media for business purposes to interact with retail investors.

June 27th, 2013 | Categories: Legislation

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349, which establishes similar requirements for postsecondary education institutions with regard to their students, also goes into effect on January 1, 2013.

January 7th, 2013 | Categories: Employment Decisions