Michigan’s Internet Privacy Protection Act (MIPPA)

Michigan’s Internet Privacy Protection Act (MIPPA) prohibits employers and educational institutions from requiring employees and students to provide passwords and login information related to personal Internet accounts.

The Purpose of the Act

The MIPPA protects the privacy of employees and job ap­plicants as well as current and prospective students by allowing them to keep private logins, user names, passwords, and other access information related to their personal Internet accounts.  However, the Act does not interfere with an employer’s ability to monitor its electronic devices or computer systems or investi­gate whether confidential information has been disclosed or an employee has committed work-related misconduct.

Restrictions on Employers

Under the MIPPA, it is unlawful for an employer (defined as any person engaged in business, industry, or the like, and includes any agent, representative, or designee of the employer) to ask an employee or applicant to grant access to, allow observation of, or disclose information that allows access to or observa­tion of the employee’s or applicant’s personal Internet account. Similarly, you cannot discharge, fail to hire, or otherwise penalize an employee or applicant for failing to do so.

However, the Act does not prohibit an employer from re­questing or requiring disclosure of information to gain access to or operate an (1) electronic communica­tions device paid for by the employer or (2) account or service provided by the employer or used for the employer’s business. The Act also doesn’t prohibit you from disciplining or discharging an employee for disclosing your proprietary, confidential, or financial information through the employee’s personal Internet account without your authorization.

The Act does not prohibit employers from conducting an investigation related to activity on an employee’s personal Internet account for the purpose of ensur­ing compliance with applicable laws or prohibitions against work-related employee misconduct or the un­authorized disclosure of proprietary, confidential, or financial data. In addition, it is not unlawful for an employer to investigate whether an employee violated a restriction prohibit­ing access to certain websites while using an electronic communications device paid for by the employer or an employer’s network or resources.

Further, the MIPPA does not prohibit an employer from monitoring, reviewing, or accessing electronic data stored on an electronic communications de­vice paid for by the employer or traveling through or stored on the employer’s network. Finally, the Act does not prohibit or restrict an employer from view­ing, accessing, or using information about an em­ployee or applicant that (1) can be obtained without access information or (2) is available in the public domain.

Restrictions on Educational Institutions

Under the MIPPA, an “educational institution” in­cludes public and private educational institutions. An educational institution cannot ask a current or prospective student to grant access to, allow observa­tion of, or disclose information that allows access to or observation of the individual’s personal Internet account. An educational institution also cannot expel, discipline, fail to admit, or otherwise penalize a cur­rent or prospective student for refusing to grant ac­cess to, allow observation of, or disclose information that allows access to or observation of a personal In­ternet account.

However, the Act does not prohibit an educational institution from requesting or requiring a student to disclose in­formation to gain access to or operate (1) an electronic communications device paid for in whole or in part by the educational institution or (2) an account or ser­vice provided by the educational institution or used by the student for educational purposes. The Act also does not prohibit or restrict an educational institution from viewing, accessing, or using information about a student or applicant that (1) can be obtained without any required access information or (2) is available in the public domain.

Penalties

A violation of the Act is a misdemeanor punish­able by a fine of not more than $1,000. Individuals can sue to recover up to $1,000 in damages plus rea­sonable attorneys’ fees and court costs and injunc­tive relief.