United States Social Media Privacy Laws by State
Updated November 12, 2025
Over the past decade, many states in the United States have enacted laws commonly known as Social Media Privacy Laws (also referred to as Personal Online Account Privacy Laws). These laws aim to protect individuals' privacy by limiting access to their personal online accounts, including social media. This has created challenges for background screening companies and employers, particularly when preparing consent forms that may request a candidate's social media usernames or handles for screening purposes.
These state laws vary in scope and language, but they generally impose restrictions on an employer's ability to access a candidate's or employee's personal social media accounts during hiring or employment decisions. Most laws focus on three key prohibitions:
Requesting Login Credentials: Employers cannot request or require login information (e.g., usernames andpasswords) for personal online accounts, including social media.
Requiring Access in Presence: Employers cannot demand that a candidate or employee log in to their account in the employer's presence to display social media content.
Conditioning Employment on Connections: Employers cannot require a candidate or employee to add the employer or hiring manager as a "friend" or connection as a condition of employment.
Implications for Social Media Background Screening
For background screening purposes—where reports are limited to publicly available posts to comply with the Federal Trade Commission's (FTC) Fair Credit Reporting Act (FCRA)—only the first prohibition (requesting login credentials) is typically relevant. Passwords should never be requested, as they are unnecessary for reviewing public content.
In most states, laws explicitly reference "login information" or "credentials" as including both username and password together. In these cases, requesting only a username (without a password) is generally permissible, as it does not grant full account access.
However, in a subset of states, the law's language is ambiguous (e.g., phrased as "username or password"), which could be interpreted as prohibiting requests for either a username or a password. To avoid risk, employers and screeners should err on the side of caution in these states and avoid requesting usernames.
Current State of the Law
As of November 2025, 28 states have enacted some form of social media privacy law applicable to employers. This is an increase from 27 states as of April 2022, with New York being the most recent addition (effective March 12, 2024). New York's law prohibits employers from requesting or requiring access to personal social media accounts, including usernames and passwords, and bars retaliation for refusing such requests.
The table below lists all 28 states, grouped alphabetically. States where the law specifically or ambiguously prohibits requesting usernames alone are bolded (8 states total, based on phrasing like "username or password"). These interpretations are conservative; always consult legal counsel for your specific situation.
State Key Provisions Summary |
Arkansas | Prohibits requesting or requiring username or password; cannot coerce access. |
California | Prohibits requesting username and password; cannot require login or friending. |
Colorado | Prohibits requesting or coercing username or password; broad anti-retaliation. |
Connecticut | Prohibits requesting login credentials (username and password). |
Delaware | Prohibits requesting username and password; applies to educational institutions too. |
Hawaii | Prohibits requesting access information for personal accounts. |
Illinois | Prohibits requesting username and password; cannot require disclosure of content. |
Louisiana | Prohibits requesting username or password; anti-retaliation protections. |
Maine | Prohibits requesting or requiring access to personal accounts. |
Maryland | Prohibits requesting username or password; cannot discipline for refusal. |
Michigan | Prohibits requesting username or password; broad privacy protections. |
Montana | Prohibits requesting login credentials for personal accounts. |
Nebraska | Prohibits requesting username or password; applies to public employees. |
Nevada | Prohibits even suggesting or requesting username or password. |
New Hampshire | Prohibits requesting access to personal online accounts. |
New Jersey | Prohibits requesting username or password; cannot require friending. |
New Mexico | Prohibits requesting login information for personal accounts. |
New York | Prohibits requesting or requiring access, including usernames and passwords; no retaliation. |
Oklahoma | Prohibits requesting credentials for personal social media. |
Oregon | Prohibits requesting or requiring access to personal accounts. |
Rhode Island | Prohibits requesting username or password for personal accounts. |
Tennessee | Prohibits requesting password; focuses on access denial. |
Utah | Prohibits requesting login credentials. |
Vermont | Prohibits requesting access to personal online content. |
Virginia | Prohibits requesting login information. |
Washington | Prohibits requesting or requiring access to personal accounts. |
West Virginia | Prohibits requesting credentials for social media. |
Wisconsin | Prohibits requesting username or password; anti-coercion rules. |
Notes on the Table:
This summary draws from state statutes and focuses on employer-applicant/employee contexts. Some laws also apply to educational institutions or landlords.
The bolded states (Arkansas, Colorado, Louisiana, Maryland, Michigan, Nebraska, Nevada, New Jersey) use language that could prohibit username requests alone due to ambiguity (e.g., "or" instead of "and").
No federal law exists, but FCRA compliance remains critical for screenings.
Recommendations
For Consent Forms: Only request usernames in states where explicitly allowed. Avoid passwords entirely.
Best Practices: Limit screenings to public posts. Document compliance with FCRA.
Consult Experts: Always review with your internal compliance team or legal counsel before implementing social media screening. Laws evolve, and interpretations can vary.
For the latest details, visit the National Conference of State Legislatures (NCSL) resource on Privacy of Employee and Student Social Media Accounts. Additional guidance is available from Ferretly at sales@ferretly.com.