Friend Me or You’re Fired: An Overview of Wisconsin’s New Internet Privacy Protection Statute

WDC Journal Edition: Summer 2014
By: Sara C. Mills, Crivello Carlson, S.C.

In April of this year, Wis. Stat. § 995.55, entitled “Internet Privacy Protection,” became effective.1 This new statute establishes several rules related to the protection of personal information on the Internet. Specifically, the statute is intended to protect Internet users from invasions of their privacy by employers, educational institutions, and landlords seeking access to information posted on social media sites.

The concept of Internet privacy has become a bit of an oxymoron. Many people use the Internet to share even the most mundane details of their daily life with the world at large, and the very purpose of many social media platforms is to get information out to the largest audience possible. But in our zeal to share our lives with anyone who will listen, some Internet users fail to consider the consequences of their actions. Users often become upset when their online disclosures are seen by certain people or used or interpreted in ways they had not anticipated.2

As a result, courts are being asked with increasing frequency to determine the scope of a “reasonable expectation of privacy” in the online context and to establish parameters for when that expectation applies. Decisions are often based on fact-intensive inquiries and the answer frequently turns on whose technology is being used. For example, many courts have held that employees may not have a reasonable expectation of privacy in communications they send from employer-owned computers or cell phones— even when sending emails from a personal email account.3

Of course, decisions are not uniform and contrary opinions exist.4 In 2010, a New York court examined privacy in the context of online communications and determined that the milieu within which statements are made is itself indicative of the erosion of such a concept altogether.5 According to the court, “[i]n this environment [of social media], privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”6 In the absence of uniform guidance from courts or a statutory scheme establishing clear boundaries, the court’s comment is entirely accurate.

So it is against this backdrop that Wisconsin’s new Internet privacy law was born. Section 995.55 appears to address situations in which employers, educators, and landlords attempt to circumvent standard privacy controls like password protection in order to learn more about an employee, student, or tenant. The statute applies to “access to, and observation of, the personal Internet accounts of” employees and applicants for employment, students and prospective students, and tenants and prospective tenants.

Under section 995.55, employers7 may not “request or require an employee or applicant for employment, as a condition of employment, to disclose access information for the personal Internet account of the employee or applicant or to otherwise grant access to or allow observation of that account.”8 Note that the legislature used the verb “request” in this section setting forth restrictions. Thus, it appears that an employer may not even ask for this information, let alone require its disclosure.

The statute also prohibits an employer from discharging or otherwise discriminating against an employee who refuses to disclose “access information for, grant access to, or allow observation of the employee’s personal Internet account.”9 Nor may an employer refuse to hire someone because that applicant “refused to disclose access information for, grant access to, or allow observation of the applicant’s personal Internet account.”10

The meat of the new statute is found in its definitions. “Personal Internet account” is defined as an “Internet-based account that is created and used by an individual exclusively for purposes of personal communication.”11 “Access information” includes usernames, passwords, and “any other security information that protects access to a personal Internet account.”12

The definition of “personal Internet account” creates vast potential for confusion because it is based, at least in part, on how or why a person uses any given Internet account. Do you use the account exclusively for personal communication? Each of these three highlighted words opens the door for debate.

Wisconsin courts have had to examine the concept of “personal communication” in the context of open records requests under Wis. Stat. § 19.32. In the 2010 open records case of Schill v. Wisconsin Rapids School District, the Wisconsin Supreme Court described personal emails as ones without a connection to a government function or those that were not “work-related.”13 Personal communications in the Schill case included “an email from a teacher to her spouse about child care responsibilities and an email from a friend to a teacher regarding social plans.”14

In Kasten v. Doral Dental USA, LLC, the Wisconsin Supreme Court was asked to examine the scope of an operating agreement that permitted members of a limited liability company to inspect “company documents” in order to determine whether personal emails could be included in the documents subject to inspection.15 The court construed the term “company” to limit the information available for inspection to that “relating to the business.”16 The court explained that its determination about the personal or social nature of emails was “based on a plain meaning interpretation of the operating agreement,” but it hedged a bit when it noted that other factors may be relevant. It stated that these factors could include whether the company “had in effect a company policy regarding the use of e-mail, employment agreements addressing the ownership of e-mail with those employees whose e-mails were sought, and the terms of these policies and/or agreements.”17

At least in the context of open records law or contract interpretation, there is arguably a (somewhat) cleardivide between the work world and one’s personal life. That division could be used to interpret the applicability of the new privacy statute. However, the legislature’s inclusion of the word “exclusively” in section 995.55 could prove pivotal.18 The Schill and Kasten courts were faced with analyses that allowed them to protect personal communications even though the communications may have been made from employer-provided email addresses. But if a personal Internet account is used for a combination of work-related and personal purposes, it may not be entitled to the protections of section 995.55. If I use my Facebook account mainly for personal reasons but occasionally use it to gather some background information about a litigant for use in a lawsuit, my Facebook account may be fair game to my employer. The same could be true if I use my personal email address or Twitter account for occasional business networking purposes.

And what exactly is intended by the word “communication?” The answer may seem obvious. At least one Wisconsin court said as much when it explained that the definition is readily ascertainable from a dictionary: “to send information or messages[,] sometimes back and forth.”19

But the ways in which we use the Internet are ever-evolving, and whether certain online conduct qualifies as “communication” will not always be so clear-cut. New apps and websites facilitate non- traditional modes of communication and require careful analysis. For example, photosharing sites like Instagram, Pinterest, Imgur, and Flickr are big business. In 2012, Facebook purchased Instagram for $1 billion and by early 2014 the site had 200 million active monthly users.20 Apps like Instagram allow users to create an account with which they upload and share their photos via the Internet. These apps also often offer features like the ability to add artsy filters to photos and to follow and comment on other users’ photos. Websites like Imgur and Flickr also allow users to curate collections of other people’s photos.s

But not everyone uses these Internet-based programs the same way. I may use a photosharing app as free editing software or as free online storage for my favorite photos. Perhaps I have no intention of proactively sharing my photos with anyone. But the act of uploading the photo into the app online does involve “sending information,” inasmuch as some server somewhere is receiving my data. And occasionally, someone might “follow” my account and therefore see what I’ve uploaded, even if I have not sought out any audience. Is this a “communication” within the meaning of the statute? Does my intent (or lack thereof) matter? Should the legislature amend section 995.55 to require a showing of intent?

These considerations may seem trivial to people who do not use social media. But we no longer live in a world in which “personal Internet account” includes only personal email accounts. When questions about potential liability arise in the context of Internet regulations, lawyers must ensure that they do not rely on outdated assumptions that are based on their own experiences.

Ultimately, clear answers to these questions will probably require court involvement. Until the judiciary has spoken, employers would be best counseled to simply avoid potential liability altogether by ceasing any practice that involves asking employees for access information related to any kind of social media account. This advice is true even for something as seemingly innocuous as sending an employee a “friend request” on Facebook. The statute prohibits employers from requesting or requiring employees to “otherwise grant access to or allow observation of that [personal Internet] account.”21 By sending a “friend request” to an employee, an employer is arguably requesting that the employee allow the employer to observe the employee’s account in violation of the statute.

However, there is one area in which the new statute is crystal clear: almost everyone is an “employer.” An “employer” includes “any person engaging in any activity, enterprise, or business employing at least one individual.”22 The definition also includes the state, political subdivisions, and pretty much every office, department, or agency in state and local government. The legislature and the courts are also employers under the new law.23

The new privacy statute does not completely tie employers’ hands, though. It does not appear to prohibit employers from viewing information that is otherwise publicly available online. If an employer is truly curious about an employee’s online presence, nothing in the statute prohibits the employer from doing a little legwork to find social media accounts. A simple Google search could reveal some, if not all, of a person’s social media accounts—especially if that person has only minimal privacy settings in place. An employer may still view or observe accounts that the employer has located through its own efforts.

Additionally, employers may still restrict or prohibit employees’ access to the Internet and personal Internet accounts while employees are using “an electronic communications device supplied or paid for in whole or in part by” the employer.24 The same ability to restrict exists if an employee is using the employer’s “network or other resources.”25 Unfortunately, the phrase “other resources” is vague. However, a reasonable interpretation is one that includes technology resources such as computers and cell phones.

An employer may also require an employee to disclose access information needed for the employer to access or operate “an electronic communications device,” “an account,” or a “service” supplied or paid for in whole or in part by the employer.26 The terms “account” and “service” are vague, but given the spirit of the statute, it is reasonable to read them to refer to online accounts or services like email or a virtual private network (VPN).

The new statute explicitly states that employers may request or require an employee to disclose his or her “personal electronic mail address.”27 This is one of the only provisions in the new statute that does not appear to apply equally to employers, educational institutions, and landlords, though. The statute does not contain any similar provisions in the sections pertaining to educational institutions or landlords.

Finally, if an employer violates the new statute, it could be very costly. The statute sets a maximum forfeiture of $1,000, but this cap may not apply to violations involving wrongful discharge, discipline, or discrimination where the employee was attempting to enforce her rights.28 The statute prohibits an employer from discharging, disciplining, or discriminating against an employee who exercises her rights under the new statute, opposes a prohibited practice, files a complaint attempting to enforce such a right, or testifies or assists in any action to enforce such a right.29 If an employer violates that provision, the employee may file a complaint with the Department of Workforce Development (“DWD”).30 The DWD will process the complaint in the same manner as an employment discrimination complaint. If the DWD finds that a violation has been committed, it may “order the employer to take such action authorized under s. 111.39 as will remedy the violation.”31

Under the statutory scheme applicable to employment discrimination complaints, if wrongful discharge or discrimination occurs, the DWD examiner “may endeavor to eliminate the practice by conference, conciliation or persuasion.”32 However, if the practice continues, the DWD may hold a hearing and award compensation—and sometimes back pay as well. Compensation awarded in lieu of reinstatement must be at least “500 times the hourly wage of the person discriminated against when the violation occurred,” but not more than compensation of “1,000 times the hourly wage of the person discriminated against when the violation occurred.”33 So, although section 995.55(6)(a) sets a $1,000 cap on damages for a violation of 995.55(2)(a), the statute may allow significantly higher damages where the employer has violated 995.55(2)(a)2.34

These two damage provisions are not entirely compatible. One sets a relatively low cap on damages while the other invokes a statutory scheme that would inevitably result in damages well beyond the cap. The most reasonable interpretation is one that uses the cap for “lesser” violations, like asking for personal access information. The cap probably would not apply to more serious violations, like firing someone who refused to disclose personal access information.

The basic goal of the new statute is to protect individual privacy in contexts where power disparities could easily be exploited. On its face, the statute establishes basic and realistic boundaries for an individual’s reasonable expectation of privacy. Nevertheless, the language of section 995.55, along with the subject matter it attempts to regulate, will more than likely result in confusion as the statute is prospectively applied. And because of the ever- evolving nature of “personal Internet accounts” and the fluid ways in which we communicate online, this is a statute—and a topic—that courts will need to regularly revisit for the foreseeable future.

Sara C. Mills is an attorney with the law firm of Crivello Carlson, S.C., in Milwaukee, Wisconsin. She concentrates her practice on litigation and appellate work in state, federal, and administrative forums. Her work includes representation of individuals, corporations, municipalities, and their insurers. She received a Master of Arts degree in United States History and Museum Studies from the University of Wisconsin-Milwaukee, and her law degree cum laude from Marquette University Law School. Sara is also a frequent contributor to Crivello Carlson’s blog, On the Docket, the manager of Crivello Carlson’s Twitter and Facebook accounts, and an avid user of all things social media.

1 See 2013 Wisconsin Act 208.
2 For example, in January 2014, what is believed to be the first case in the U.S. involving allegations of libel and defamation stemming from “tweets” posted on Twitter was tried before a jury. Courtney Love, a 90s rock star and the widow of Kurt Cobain, was sued by her former attorney for defamation arising from statements Love made via her Twitter account. Love’s defense included the argument that she intended the tweet to be a private, direct message but she accidentally posted it as a public tweet. The offending tweet alleged that Love’s attorney had been “bought off” when the lawyer refused to get involved in a dispute involving Kurt Cobain’s estate. After an 8-day trial, the jury came back with a defense verdict. The “landmark case” has been referred to by the media as the “Twibel” lawsuit. See, e.g., k-chow/why-courtney-love-twibel_b_4688426.html. In a previous Twitter-based defamation lawsuit against Love, Love agreed to settle the claims by paying the plaintiff $430,000. See content/article/2011/03/04/AR2011030400676.html.
3 See U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000); City of Ontario v. Quon, 560 U.S. 746 (2010).
4 See Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010).
5 See Romano v. Steelcase, Inc., 907 N.Y.S.2d 650 (N.Y. Sup. 2010).
6 Id.
7 For simplicity, this Article will discuss only the employer/employee provisions of the statute due to their substantial overlap with the provisions dealing with the landlord/ tenant and educational institution contexts.
8 Wis. Stat. § 955.55(2)(a)1. (emphasis added).
9 Wis. Stat. § 995.55(2)(a)2.
10 Wis. Stat. § 995.55(2)(a)3.
11 Wis. Stat. § 955.55(1)(d).
12 Wis. Stat. § 995.55(1)(a).
13 2010 WI 86, ¶ 16, 327 Wis. 2d 572, 786 N.W.2d 177.

© 2014 Wisconsin Defense Counsel. All rights reserved. Mills, Sara C., Friend Me or You're Fired: An Overview of Wisconsin's New Internet Privacy Protection Statute, Wisconsin Civil Trial Journal (Summer 2014)