Social Media and Hiring: Can You Use Facebook to Screen Job Applicants?

The consensus seems to be that the popular employer practice of demanding Facebook passwords from job applicants and screening their pages is both morally "wrong" and "illegal." Although we are not qualified to pronounce judgment on morality, we do have a decent grasp of the law.

Bottom Line on Top:
You Can But That Does Not Mean You Should
There is no law that expressly bans you from demanding job applicants' passwords and using them for a background check. But as a practical matter, once you start checking a job applicant's profile on Facebook or another social network site (which for simplicity's sake, we will refer to collectively as "Facebook"), you bring privacy and EEOC laws into play. And, given the limited value of the information you are likely to find on Facebook, the risks may very well outweigh any benefits you accrue from the search.

Facebook Screening & Privacy Laws
Federal laws like the Fair Credit Reporting Act ban employers from conducting personal background checks on employees and job applicants without their written authorization. Comments, photos and other Facebook postings are arguably among the personal information that cannot be collected without authorization. Doing a Facebook check without authorization could also get you into trouble in states like California that impose even stricter restrictions on employer collection of personal information about job applicants from third parties.

But there is a huge loophole in the privacy laws: Consent is not generally required to collect personal information that is publicly available. Postings on a social networking site have been consistently recognized as publicly available information by courts, arbitrators and privacy commissions.

Reasonable Expectations of Privacy
Job applicants might also have privacy rights under collective bargaining agreements, individual employment contracts or common law, i.e., case law made by judges. To hold you liable for a privacy infraction, job applicants would have to show they had a "reasonable expectation" of privacy in their Facebook postings.

The operable word is "reasonable." Thus while there are plenty of Facebook users who assume otherwise, postings on social networks are not private communications. Thus it would not be reasonable to expect Facebook postings to be kept confidential. However, the job applicant would have a stronger argument to the extent the employer circumvents the host site's privacy controls to gather the information.

Example: Margie, a recent college grad who has opted to limit her Facebook network to other recent grads, applies for a job with XYZ Labs. Finding its access to Margie's network blocked, XYZ has an employee pose as a grad so he can "friend" Margie and join her network. XYZ then uses the information in processing her application. In these circumstances, Margie would be in a position to argue that she had a reasonable expectation of privacy.

Directly asking for a Facebook password makes it harder for job applicants to claim that your check violated their reasonable privacy expectations. So is directly notifying them of the check in advance.

Job applicants' privacy rights are also subject to the employer's right to collect, use and disclose personal information to perform legitimate business functions.

Key Question: Does demanding a job applicant's Facebook password and conducting a pre-employment count as collecting and using personal information for a legitimate business purpose?

Answer: It depends.

Impact on You: To avoid liability, you must make sure your particular use falls on the "reasonable" side of the "it depends" line.

What to Do
The best way to do this is to conduct a privacy assessment before searches to determine if they are reasonable. Consider these eight factors in your assessment:

1. Does the Search Serve a Legitimate Business Purpose? YES __ NO __
Searching Facebook is faster and simpler than traditional background check methods. But simplicity is not enough. To justify a search as reasonable, you must consider what information you can collect about the job applicant that they cannot get from traditional screening methods such as reference checks and interviews.

2. Does the Search Collect Only Relevant Information? YES __ NO __
For a Facebook search to be reasonable, it must provide relevant information and only relevant information. Relevant means information about the applicant's qualifications. Personal information typically found on Facebook may be not only irrelevant, like what the applicant looks like or her recipe for lasagna, but illegal to look at during the course of a hiring process. Especially dangerous are photographs and other materials that reveal the applicant's race, gender, religion, family status, disability, age, and other personal characteristics protected by anti-discrimination laws.

Moreover, once you come into possession of such information, you cannot un-possess it. Electronic search records will show that you accessed the information and wind up as Exhibit A in the rejected applicant's discrimination suit. You can argue that you did not look at the information; the problem is that merely possessing it is evidence that it factored into your employment decision.

3. Are You Searching Only Relevant Sites? YES __ NO __
Social media site checks can range from simple Facebook profile checks to sweeping searches of blogs, micro-blogs and file sharing sites. Decide in advance what websites you plan to check and make sure each site provides access to the exact relevant information you are seeking.

4. Is Information Collected Current and Accurate? YES __ NO __
Ensure that the information you collect is current and accurate. The problem is that social media sites tend to be littered with inaccurate information like mislabeled photographs and out of date bios. Moreover, simply looking at the information is deemed the equivalent of collecting it. So you need to have safeguards in place before doing your search.

5. Will Search Reveal Information Only About the Applicant? YES __ NO __
One of the biggest challenges you face when getting access to a job applicant's Facebook profile is to keep the search focused on just that individual and avoid capturing information about third parties like the individual's "friends" who did not provide their password or consent for your search.

6. Do You Notify Applicants of the Search? YES __ NO __
While demanding a password notifies the applicant that you plan to do the search, you should also disclose key aspects of the search, including:

• All the sites you intend to search;

• The information you are seeking and why you deem it relevant;

• How you intend to use the information you collect; and

• A statement that your lab is an equal opportunity employer and that the search is not intended to collect information about the applicant's race, sex, age, religion and other personal characteristics protected by employment discrimination laws.

Consider asking applicants to sign a form giving express consent to the search. (See the Model Notification below for language you can add to your job application.) And keep in mind that applicants can withdraw their consent at any time; when and if they do, you can no longer use the information to make your decision on their application.

7. Are Your Search Methods on the Level? YES __ NO __
Actual searches must be appropriate, consistent with the methods described in the application notification and in line with the host site's use restrictions and applicant's indicated privacy preferences. Practices that make Facebook searches "unreasonable" would include having individuals at your lab "friend" applicants to gain access to their privacy-protected information (as in the Margie example above) and doing the search from a personal account to hide your tracks.

8. Do You Limit Use of Information Collected to Stated Purpose? YES __ NO __
Remember that privacy restrictions apply not just to the information's collection but also its use. To be reasonable, the use must be consistent with the stated purpose for which it was collected, i.e., to evaluate the applicant's fitness for the job. Example: Your Facebook search reveals that the applicant is the regional director of a notorious hate group:

• Appropriate: Rejecting the applicant on the basis of the information;

• Inappropriate: Sending the applicant's file to the police.

Conclusion
You have every right to demand Facebook passwords to check job applicants as long as you keep your search "reasonable" under privacy laws. But when you trawl social networks, you are likely to dredge up irrelevant, outdated and off-limits information that undermines the "reasonableness" of your search.

Takeaway: At the end of the day, labs determined to use the internet for preemployment screening are better advised to concentrate on professional rather than social network sites.