INTERNET PRIVACY PROTECTION ACT
Act 478 of 2012

AN ACT to prohibit employers and educational institutions from requiring certain individuals to grant access to, allow observation of, or disclose information that allows access to or observation of personal internet accounts; to prohibit employers and educational institutions from taking certain actions for failure to allow access to, observation of, or disclosure of information that allows access to personal internet accounts; and to provide sanctions and remedies.

History: 2012, Act 478, Imd. Eff. Dec. 28, 2012.

The People of the State of Michigan enact:

37.271 Short title.

Sec. 1. This act shall be known and may be cited as the “internet privacy protection act”.
History: 2012, Act 478, Imd. Eff. Dec. 28, 2012.

37.272 Definitions.

Sec. 2. As used in this act:
(a) “Access information” means user name, password, login information, or other security information that protects access to a personal internet account.

(b) “Educational institution” means a public or private educational institution or a separate school or department of a public or private educational institution, and includes an academy; elementary or secondary school; extension course; kindergarten; nursery school; school system; school district; intermediate school district; business, nursing, professional, secretarial, technical, or vocational school; public or private educational testing service or administrator; and an agent of an educational institution. Educational institution shall be construed broadly to include public and private institutions of higher education to the greatest extent consistent with constitutional limitations.

(c) “Employer” means a person, including a unit of state or local government, engaged in a business, industry, profession, trade, or other enterprise in this state and includes an agent, representative, or designee of the employer.

(d) “Personal internet account” means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.

History: 2012, Act 478, lmd. Eff. Dec. 28, 2012.

37.273 Duties of employer.

Sec. 3. An employer shall not do any of the following:
(a) Request an employee or an applicant for employment to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account. (b) Discharge, discipline, fail to hire, or otherwise penalize an employee or applicant for employment for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account.

History: 2012, Act 478, lmd. Eff. Dec. 28, 2012. 

37.274 Educational institution; prohibited acts.

Sec. 4. An educational institution shall not do any of the following:
(a) Request a student or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the student’s or prospective student’s personal internet account.

(b) Expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the student’s or prospective student’s personal internet account.

History: 2012, Act 478, lmd. Eff. Dec. 28, 2012.

37.275 Certain acts by employer not prohibited or restricted. 

Sec. 5. (1) This act does not prohibit an employer from doing any of the following:
(a) Requesting or requiring an employee to disclose access information to the employer to gain access to or operate any of the following:

(i) An electronic communications device paid for in whole or in part by the employer.

(ii) An account or service provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.

(b) Disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal internet account without the employer’s authorization.

(c) Conducting an investigation or requiring an employee to cooperate in an investigation in any of the following circumstances:

(i) If there is specific information about activity on the employee’s personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.

(ii) If the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal internet account.

(d) Restricting or prohibiting an employee’s access to certain websites while using an electronic communications device paid for in whole or in part by the employer or while using an employer’s network or resources, in accordance with state and federal law.

(e) Monitoring, reviewing, or accessing electronic data stored on an electronic communications device paid for in whole or in part by the employer, or traveling through or stored on an employer’s network, in accordance with state and federal law.

(2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).

(3) This act does not prohibit or restrict an employer from viewing, accessing, or utilizing information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.

History: 2012, Act 478, lmd. Eff. Dec. 28, 2012.

37.276 Powers of educational institution to gain access to certain information.

Sec. 6. (1) This act does not prohibit an educational institution from requesting or requiring a student to disclose access information to the educational institution to gain access to or operate any of the following:

(a) An electronic communications device paid for in whole or in part by the educational institution.

(b) An account or service provided by the educational institution that is either obtained by virtue of the student’s admission to the educational institution or used by the student for educational purposes. (2) This act does not prohibit or restrict an educational institution from viewing, accessing, or utilizing information about a student or applicant that can be obtained without any required access information or that is available in the public domain.

History: 2012, Act 478, lmd. Eff. Dec. 28, 2012.

37.277 Duties not created by act; liability. Sec. 7.

(1) This act does not create a duty for an employer or educational institution to search or monitor the activity of a personal internet account.

(2) An employer or educational institution is not liable under this act for failure to request or require that an employee, a student, an applicant for employment, or a prospective student grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s, student’s, applicant for employment’s, or prospective student’s personal internet account.

History: 2012, Act 4 78, lmd. Eff. Dec. 28, 2012.

37.278 Violation of provisions of act as misdemeanor; civil action; injunction; damages; written demand and documentation; jurisdiction; affirmative defense.

Sec. 8. (1) A person who violates section 3 or 4 is guilty of a misdemeanor punishable by a fine of not more than $1,000.00.

(2) An individual who is the subject of a violation of this act may bring a civil action to enjoin a violation of section 3 or 4 and may recover not more than $1,000.00 in damages plus reasonable attorney fees and court costs. Not later than 60 days before filing a civil action for damages or 60 days before adding a claim for damages to an action seeking injunctive relief, the individual shall make a written demand of the alleged violator for not more than $1,000.00. The written demand shall include reasonable documentation of the violation. The written demand and documentation shall either be served in the manner provided by law for service of process in civil actions or mailed by certified mail with sufficient postage affixed and addressed to the alleged violator at his or her residence, principal office, or place of business. An action under this subsection may be brought in the district court for the county where the alleged violation occurred or for the county where the person against whom the civil complaint is filed resides or has his or her principal place of business.

(3) It is an affirmative defense to an action under this act that the employer or educational institution acted to comply with requirements of a federal law or a law of this state.

History: 2012, Act 478, Imd. Eff. Dec. 28, 2012.

Download the NEW POAM App!