The Drafting Committee on Employee and Student Online Privacy Protection (formerly known as the Drafting Committee on Social Media Privacy) met in Dallas on February 26-27, 2016 and made great progress. This was our fourth face-to-face meeting in less than a year working on this challenging topic. Although we contemplate some telephone follow up, this was also our last face-to-face before formal consideration by Style Committee and then final consideration at the Annual Meeting in Stowe, Vermont, in July 2016.
At the meeting, the Committee addressed a wonderful revised draft prepared by Reporter Dennis Hirsch. A great deal of effort has been put into the current draft, and not surprisingly, the project is attracting more and more attention and input, including significant input from various technology, social media, and other groups. Based on input from a variety of different sources and after a good deal of discussion, the Committee made a number of important decisions. Among them were the following:
- The final draft will not expressly protect “metadata” for a variety of reasons, including definitional, but it will address the topic in its provisions on protected information. There was a consensus that protected information would include any information accessible to an account holder. A significant amount of time was spent discussing whether the act needed to capture this concept in a definition of “content” or “protected content” or whether it can be handled in the substantive provisions. The Reporter will consider the best method of implementation.
- A discussion of the civil action provisions (Section 6 of the current draft) yielded various changes. In an action by an Attorney General, the draft will now provide that the relief may include a civil penalty of up to $[1,000] per violation with a cap of $[100,000] per occurrence. In a civil action brought by an employee or student, the draft will now provide that the relief may include actual damages, without a statutory minimum damage provision. In deference to other local law provisions, the draft will now not contain a statutory directive for an award of attorneys’ fees for a frivolous action.
- It was agreed that an employer or educational institution would not be limited in its use of information about an employee or student acquired incidentally from a third party except that it will be barred from using the information to require, request, or coerce the employee or student to give it access to a protected account unless the information falls within specified exceptions (e.g., it implicates health or safety).
The Committee determined that the act should apply to public and private educational institutions and leaned towards limiting it to post-secondary institutions. However, strong arguments were made to extend the act to secondary and perhaps pre-secondary schools and it was agreed that a final decision would be made in a follow-up conference call.
The Committee continues to make a number of other changes intended to simplify and clarify the draft. We look forward to presenting an outstanding draft for final approval this summer in Stowe.
Samuel A. Thumma, Chair, Drafting Committee on Employee and Student Online Privacy Protection Act