Prince Yeates employment lawyers Mark Wagner and John Chindlund recently completed a broad summary of Utah employment law for inclusion in an upcoming compendium of state labor and employment laws for Primerus, an exclusive international society of nearly 200 independent peer-reviewed law firms in more than 40 countries. Although the summary was generally intended to educate in-house counsel and other Primerus member law firms, we thought we would share it with you in a series of weekly FAQs over several months. Our ninth installment is below.
Question of the Week: Does Utah have any laws on employee privacy?
Utah has several statutes and various common law (non-statutory) doctrines that bear on employee privacy.
Several Utah statutes implicate employee privacy rights in various aspects. These statutes are discussed briefly below.
Genetic Information Privacy
The Genetic Testing Restrictions on Employers Act, Utah Code § 34A-11-101 et seq., requires employers to comply with Utah’s Genetic Testing Privacy Act (GTPA). The GTPA, in turn, prohibits employers from requesting, asking about, accessing, or considering private genetic information in connection with a decision related to hiring, promotion, or retention. Id. § 26-45-103(1). The GTPA provides an exception that allows an employer to seek an order from a court or administrative agency compelling the disclosure of private genetic information in either of the following two situations:
- an employment-related judicial or administrative proceeding in which the individual has placed his or her health at issue, or
- an employment-related decision in which the employer has a reasonable basis to believe that the individual’s health condition “poses a real and unjustifiable safety risk requiring the change or denial of an assignment.”
The GTPA defines “private genetic information” as information about the genetic makeup of a person or a direct relative of the person that comes from a genetic test or DNA analysis. Notably, however, it does not include information that comes from a routine physical examination; a routine chemical, blood, or urine analysis; a test for drugs or HIV infection; or a test performed because the person has signs or symptoms of a disease, illness, impairment, or disorder. Id. § 26-45-102(7)
The GTPA provides a private right of action to a person whose rights have been violated under the statute. Such a person may seek the following relief for each violation:
- equitable relief,
- actual damages sustained,
- $100,000 if the violation is a result of an intentional and willful act,
- Punitive damages if the violation is the result of a malicious act, and
- reasonable attorney fees.
In addition, the attorney general may bring an action against an employer seeking to enjoin any violation and to recover a civil fine of up to $25,000 per intentional violation along with reasonable costs of investigation and litigation. Id. § 26-45-106.
Intercepting Employee Communications and Implanting RFID Tags.
Interception of Communications Act, Utah Code § 77-23a-1, et seq. (ICA). The ICA generally prohibits employers (and other “persons”) from intentionally or knowingly intercepting or trying to intercept (or getting anyone else to do so) wire, electronic, or oral communications of employees (or other persons). Id. § 77-23a-4(1)(b). However, employers may intercept such communications if they have employee consent to the interceptions or if they are a party to the intercepted communications—unless the interceptions are for committing criminal or tortious acts. Id. § 77-23a-4(7)(b). Violations of this portion of the ICA are third-degree felonies. Id. § 77-23a-4(10)(a).
The ICA also prohibits employers (and other persons) from requiring employees to have radio frequency identification (RFID) tags implanted under their skin. Id. § 77-23a-4.5. Violations of this prohibition are class A misdemeanors. In addition, person whose rights are violated under this provision may sue for actual damages, compensatory damages, punitive damages, injunctive relief, or any combination. Id.
Photographing, Recording, and Electronically Monitoring Employees
Privacy Violation, Utah Code § 76-9-402. This statute prohibits persons (including employers) from installing or using devices for observing, photographing, hearing, recording, amplifying, or broadcasting sounds or events in any private places unless they have the consent of the persons who are entitled to privacy in those places. It doesn’t matter if the devices are installed inside or outside of the private places. Violations of this statute are class B misdemeanors.
Communication Abuse, Utah Code § 76-9-403. This statute bars persons (including employers) from intercepting, without the consent of the sender or receiver, messages by telephone, letters, or other methods of private communication. It further bars employers from divulging, without the consent of the sender or receiver, the existence or contents of any such messages if employers know that the messages were illegally intercepted. Violations of this statue are also class B misdemeanors.
Private Social Media and Internet Accounts
Internet Employment Privacy Act (IEPA), Utah Code § 34-48-101 et seq. The IEPA prohibits employers from asking applicants or employees to disclose usernames and passwords to personal Internet accounts (e.g., email, social media, etc.). It also prohibits employers from refusing to hire or taking adverse action against applicants or employees for failing to disclose such information. Id. § 34-48-201. However, employers may require employees to disclose usernames and passwords to gain access to electronic communications devices supplied by or paid for in whole or in part by the employers or to accounts or services provided by the employers in connection with the employees’ employment and used for the employers’ business purposes. Id. § 34-48-202. Applicants or employees whose rights under the IEPA are violated may sue for a penalty of up to $500. Id. § 34-48-301.
Social Security Numbers, Birth dates, and Driver License Numbers
Employment Selection Procedures Act, Utah Code § 34-46-101 et seq. (ESPA). The ESPA forbids employers of 15 or more persons from asking for social security numbers, dates of birth, or driver license numbers before making a job offer Id. § 34-46-201(1). The ESPA provides an exception if the applicant consents to the request and the employer asks all applicants for the position for the same information at a time in the selection process when the employer does one of the following:
- obtains a criminal background check;
- secures a credit history report;
- acquires a driving record;
- conducts a review of its internal records to determine if the applicant previously applied for a position with, or was previously employed by, the employer; or
- collects the information to provide to a government entity to determine eligibility for or participate in a government service, benefit, or program that requires the information be collected on or before the day on which an offer of employment is made.
Id. § 34-46-201(2). The ESPA also prohibits an employer from using such information (or any information about an applicant obtained through the “initial selection process”) for any purpose other than determining whether to hire the applicant (including for marketing, profiling, reselling the information, or a similar use). Id. § 34-46-202. It further prohibits employers from providing such information to anyone else except for one of the following reasons:
- as required by law;
- to a government entity for the purpose of determining eligibility for or participating in a government service, benefit, or program;
- if the applicant applies for another position with the employer; or
- if the applicant becomes an employee and the information is used by the employer for a performance review or promotion application that is also applied to other employees in a similar position.
The ESPA requires that employers maintain a specific policy about the retention, disposition, access, and confidentiality of information about applicants obtained through an initial selection process; show the policy to applicants on request before requiring them to provide any such information; and dispose of the information within two years after it is obtained if the applicants are not hired in that period. Id. § 34-46-203. The ESPA directs the Antidiscrimination and Labor Division of the Utah Labor Commission to investigate alleged violations of the statute, conduct administrative adjudications of complaints of violations of the statute, and, order violating employers to cease and desist and/or pay a $500 fine. Id. § 34-46-301.
Use of Employee Names and Pictures for Advertising
Abuse of Personal Identity Act, Utah Code § 45-3-1 et seq. (APIA). The APIA bars persons (including employers) from publishing advertisements containing any person’s name, title, picture, or portrait in such a way that “expresses or implies that the individual approves, endorses, has endorsed, or will endorse” the subject of the advertisement, without the consent of the person portrayed. Id. § 45-3-3. A person whose rights under the APIA are violated may sue for injunctive relief, damages, punitive damages, and reasonable attorney fees and costs. Id. § 45-3-4.
Utah Common Law
There are four types of invasion of privacy claims that can be maintained under Utah common law: (1) intrusion upon solitude/seclusion; (2) appropriation of a person’s name or likeness; (3) public disclosure of embarrassing private facts; and (4) publicity that places the person in false light in the public’s eye. Each is discussed briefly below.
1. Invasion of Privacy – Intrusion Upon Seclusion. An employee can this claim by showing the following:
- there was an intentional substantial intrusion, physical or otherwise, on the employee’s solitude or seclusion; and
- the intrusion would be highly offensive and objectionable to a reasonable person.
2. Invasion of Privacy – Appropriation of Name or Likeness. An employee can establish this claim by showing that the employee’s name or likeness has some intrinsic value and that either or both were used for someone else’s benefit, on more than an incidental basis, without the employee’s consent. See Cox v. Hatch, 761 P.2d 556 (Utah 1988).
3. Invasion of Privacy – Private Facts Made Public. An employee can establish this claim by showing the following:
- the disclosure of facts about the employee was public and not private,
- the facts the employer disclosed were private, and
- the matter made public would be highly offensive and objectionable to a reasonable person.
Invasion of Privacy – False Light. An employee can prove this claim by showing the following:
- the employer publicized a matter concerning the employee that put the employee in front of the public in a false light;
- the false light would be highly offensive to a reasonable person; and
- the employer knew it would paint the employee in a false light or did not care that it would.
See Jensen v. Sawyers, 2005 UT 81. Notably, the publication involved in this type of claim does not necessarily have to be defamatory and does not have to be about private facts. An employee conceivably may be placed in a false light even by “the dissemination of praiseworthy but untrue information about that person, if a reasonable person would find the information highly objectionable.” Id. at ¶46.
Check back next week for more Utah Employment Law FAQs.
Mark A. Wagner concentrates his practice in employment law, homeowners association law, and health care law, and serves as Chair of the firm’s Employment and Labor Practice Group.