Time is ‘TikTok’-ing — ‘Being Real’ About Preemptively Addressing Employees’ Confidentiality and Privacy Breaches on Social Media
The newest and hottest forms of social media — TikTok and BeReal — pose similar risks to an employer’s workplace as did the “old” forms, like Snapchat, Instagram, and Facebook; namely, that employees can unintentionally (or intentionally) expose confidential or private information to their followers. Unlike earlier forms of social media, however, TikTok and BeReal have come to incentivize users to share workplace content.
One popular TikTok trend over the last few years has been “A day in my life…” content, in which users show curated snippets of otherwise average days. Many videos prominently feature the workplace, showing laptop screens, colleagues, and offices. During the recent bout of tech layoffs, many users posted videos of the days they were laid off, exposing the difference between workplace reality and the romanticized posts that are far more typical. Comparatively, BeReal limits users to one post per day, with a notification that goes off at a different time every day, prompting users to post two simultaneously taken photos from the front and back cameras on their phones. Due to BeReal’s emphasis on immediacy, when the notification goes off during the workday, many times BeReal shots feature an image of an employee on the back view, and, most concerning, their computer screen on the front.
The rise of TikTok and BeReal merit a reminder to employers to ensure that their social media policies protect both their and their employee’s confidential and private information, while taking into account key legal risks brought to light by these platforms and issues surrounding the enforceability of these policies.
1. Being Real About Social Media and the NLRA
If an employer institutes a policy prohibiting employees from featuring their workplace or work materials in TikToks and BeReals, the employer must be able to justify the policy under the latest National Labor Relations Board (NLRB) case law. In The Boeing Company (2017), the NLRB determined that, when evaluating employer policies that could reasonably be interpreted to interfere with employee rights under the National Labor Relations Act (NLRA), it would look at (i) the nature and extent of the potential impact on NLRA rights, and (ii) the employer’s legitimate justifications associated with the rule. More recently, applying Boeing in Medic Ambulance Service (2021), the NLRB upheld an employer’s policy prohibiting employees on social media from engaging in “inappropriate communications,” disclosing confidential information, using the employer’s name to denigrate or disparage causes or people, and posting photos of coworkers.
That decision explained that the non-disclosure in the social media policy requirements at hand met the Boeing factors because it referenced copyrighted or trademarked information and trade secrets rather than information traditionally associated with Section 7 rights, like employees’ contact information, wages, or other terms and conditions of employment. Similarly, the prohibition on posting photos of coworkers without their consent and from posting pictures of company-owned equipment without prior written permission clearly was permissible because it was linked to protecting the company’s confidentiality interests and employees’ privacy interests.
However, as the current NLRB General Counsel Jennifer A. Abruzzo has noted, the NLRB is expected to continue striking down employer-protective rulings that were instituted during the Trump administration and more generally narrow employer protections. Thus, it is likely that even narrowly tailored social media policies can be viewed as violative of the NLRA in the future. As we recently reported, the Board’s recent decision in McLaren Macomb (2023) prohibiting, among other things, confidentiality and non-disparagement clauses in severance agreements is a timely reminder of the Biden Board’s renewed emphasis on employee rights.
In light of these rulings and possible changes to Board Law in the near term, key considerations for drafting enforceable social media policies applying to unionized workforces include:
- Avoid broad stroke prohibitions that could be interpreted to restrict Section 7 activities, such as prohibitions on discussions of wages and benefits with coworkers, as well as discussions about improving the terms and conditions of employment.
- Focus instead on prohibiting employees from taking photos of valuable or confidential information and spell out the explicit business reasons why social media recordings by an employee is damaging to the business and therefore prohibited.
- Include a NLRA savings clause that provides the policies do not impede and are not intended to impede employees’ Section 7 rights.
2. No Such Thing as “Private” Settings When it Comes to Employee Privacy
Employers should also consider whether apps like BeReal and TikTok expose them to heightened legal risks under state biometric privacy laws, such as the Illinois Biometric Information Privacy Act (BIPA). Recently in Cothron v. White Castle System Inc. (Feb. 17, 2023), the Illinois Supreme Court held that claims under the BIPA accrue on every scan or collection of biometric information and allowed “per scan” damages to employees, meaning employers face huge liability exposure for continuous violations of the Act. Additionally, in a 2022 case, Ronquillo v. Doctor’s Associates, LLC, the Northern District of Illinois federal court held that the BIPA applies even to third-parties that collect biometric information under the Act.
TikTok’s privacy policy specifically provides that it collects biometric info, including “biometric identifiers and biometric information as defined under U.S. laws, such as face-prints and voiceprints.” Although TikTok has recently settled a class action lawsuit for violating the BIPA, courts have not considered the BIPA in light of an employer’s obligations to employees using TikTok over its systems. Given the ever-increasing list of pro-plaintiff decisions under the BIPA, risk of employer liability is very real for employers that permit employees to use these apps over employer systems and devices or require employees to use company-sponsored accounts.
While federal and state government entities are drawing attention to the security risks these apps pose, private employers lag behind. Key considerations for drafting social media policies targeted at restricting risk for privacy law violations may include:
- Consider prohibiting the use of social media apps that collect biometric information on company systems and devices. Such a measure has the added benefit of protecting company confidential information and trade secrets from an unintentional disclosure.
- If TikTok and BeReal are essential components, for example, of your business’ marketing and public relations outreach programs, consider requiring a BIPA-compliant written consent form or notification to employees who use the company’s accounts on these platforms. More information on drafting BIPA compliant policies was recently addressed here.
Conclusion
Just like the apps themselves, the law on social media use, employee privacy, and confidentiality is in constant flux these days. Narrowly and carefully drafting social media policies that anticipate further developments in all these arenas is critical to protecting an employer’s legitimate business interests. Employers who have not recently reviewed their social media policies to ensure legal compliance should consider doing so.