48-3501. Act, how cited.

Sections 48-3501 to 48-3511 shall be known and may be cited as the Workplace Privacy Act.

Source:Laws 2016, LB821, § 1.
48-3502. Terms, defined.

For purposes of the Workplace Privacy Act:

(1) Adverse action means the discharge of an employee, a threat against an employee, or any other act against an employee that negatively affects the employee’s employment;

(2) Applicant means a prospective employee applying for employment;

(3) Electronic communication device means a cellular telephone, personal digital assistant, electronic device with mobile data access, laptop computer, pager, broadband personal communication device, two-way messaging device, electronic game, or portable computing device;

(4) Employee means an individual employed by an employer;

(5) Employer means a public or nonpublic entity or an individual engaged in a business, an industry, a profession, a trade, or other enterprise in the state, including any agent, representative, or designee acting directly or indirectly in the interest of such an employer; and

(6)(a) Personal Internet account means an individual’s online account that requires login information in order to access or control the account.

(b) Personal Internet account does not include:

(i) An online account that an employer or educational institution supplies or pays for, except when the employer or educational institution pays only for additional features or enhancements to the online account; or

(ii) An online account that is used exclusively for a business purpose of the employer.

Source:Laws 2016, LB821, § 2.
48-3503. Employer; prohibited acts.

No employer shall:

(1) Require or request that an employee or applicant provide or disclose any user name or password or any other related account information in order to gain access to the employee's or applicant's personal Internet account by way of an electronic communication device;

(2) Require or request that an employee or applicant log into a personal Internet account by way of an electronic communication device in the presence of the employer in a manner that enables the employer to observe the contents of the employee’s or applicant’s personal Internet account or provides the employer access to the employee's or applicant's personal Internet account;

(3) Require an employee or applicant to add anyone, including the employer, to the list of contacts associated with the employee's or applicant’s personal Internet account or require or otherwise coerce an employee or applicant to change the settings on the employee's or applicant's personal Internet account which affects the ability of others to view the content of such account; or

(4) Take adverse action against, fail to hire, or otherwise penalize an employee or applicant for failure to provide or disclose any of the information or to take any of the actions specified in subdivisions (1) through (3) of this section.

Source:Laws 2016, LB821, § 3.
48-3504. Waiver of right or protection under act prohibited.

An employer shall not require an employee or applicant to waive or limit any protection granted under the Workplace Privacy Act as a condition of continued employment or of applying for or receiving an offer of employment. Any agreement to waive any right or protection under the act is against the public policy of this state and is void and unenforceable.

Source:Laws 2016, LB821, § 4.
48-3505. Retaliation or discrimination.

An employer shall not retaliate or discriminate against an employee or applicant because the employee or applicant:

(1) Files a complaint under the Workplace Privacy Act; or

(2) Testifies, assists, or participates in an investigation, proceeding, or action concerning a violation of the act.

Source:Laws 2016, LB821, § 5.
48-3506. Employee acts prohibited.

An employee shall not download or transfer an employer's private proprietary information or private financial data to a personal Internet account without authorization from the employer. This section shall not apply if the proprietary information or the financial data is otherwise disclosed by the employer to the public pursuant to other provisions of law or practice.

Source:Laws 2016, LB821, § 6.
48-3507. Employer's rights not limited by act.

Nothing in the Workplace Privacy Act limits an employer's right to:

(1) Promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use and personal Internet account use;

(2) Request or require an employee or applicant to disclose access information to the employer to gain access to or operate:

(a) An electronic communication device supplied by or paid for in whole or in part by the employer; or

(b) An account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes;

(3) Restrict or prohibit an employee’s access to certain web sites while using an electronic communication device supplied by or paid for in whole or in part by the employer or while using an employer’s network or resources, to the extent permissible under applicable laws;

(4) Monitor, review, access, or block electronic data stored on an electronic communication device supplied by or paid for in whole or in part by the employer or stored on an employer’s network, to the extent permissible under applicable laws;

(5) Access information about an employee or applicant that is in the public domain or is otherwise obtained in compliance with the Workplace Privacy Act;

(6) Conduct an investigation or require an employee to cooperate in an investigation under any of the following circumstances:

(a) If the employer has specific information about potentially wrongful activity taking place on the employee’s personal Internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or

(b) If the employer has specific information about an unauthorized download or transfer of the employer's private proprietary information, private financial data, or other confidential information to an employee’s personal Internet account;

(7) Take adverse action against an employee for downloading or transferring an employer’s private proprietary information or private financial data to a personal Internet account without the employer’s authorization;

(8) Comply with requirements to screen employees or applicants before hiring or to monitor or retain employee communications that are established by state or federal law or by a self-regulatory organization as defined in 15 U.S.C. 78c(a)(26), as such section existed on January 1, 2016; or

(9) Comply with a law enforcement investigation conducted by a law enforcement agency.

Source:Laws 2016, LB821, § 7.
48-3508. Law enforcement agency rights.

Nothing in the Workplace Privacy Act limits a law enforcement agency’s right to screen employees or applicants in connection with a law enforcement employment application or a law enforcement officer conduct investigation.

Source:Laws 2016, LB821, § 8.
48-3509. Personal Internet account; employer; duty; liability.

(1) The Workplace Privacy Act does not create a duty for an employer to search or monitor the activity of a personal Internet account.

(2) An employer is not liable under the act for failure to request or require that an employee or applicant grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal Internet account.

Source:Laws 2016, LB821, § 9.
48-3510. Employer; limit on liability and use of certain information.

If an employer inadvertently learns the user name, password, or other means of access to an employee's or applicant’s personal Internet account through the use of otherwise lawful technology that monitors the employer's computer network or employer-provided electronic communication devices for service quality or security purposes, the employer is not liable for obtaining the information, but the employer shall not use the information to access the employee's or applicant's personal Internet account or share the information with anyone. The employer shall delete such information as soon as practicable.

Source:Laws 2016, LB821, § 10.
48-3511. Civil action authorized.

Upon violation of the Workplace Privacy Act, an aggrieved employee or applicant may, in addition to any other available remedy, institute a civil action within one year after the date of the alleged violation or the discovery of the alleged violation, whichever is later. The employee or applicant shall file an action directly in the district court of the county where such alleged violation occurred. The district court shall file and try such case as any other civil action, and any successful complainant shall be entitled to appropriate relief, including temporary or permanent injunctive relief, general and special damages, reasonable attorney's fees, and costs.

Source:Laws 2016, LB821, § 11; Laws 2018, LB193, § 85.