(820 ILCS 55/10) (from Ch. 48, par. 2860)
    Sec. 10. Prohibited inquiries; online activities.
    (a) It shall be unlawful for any employer to inquire, in a written application or in any other manner, of any prospective employee or of the prospective employee's previous employers, whether that prospective employee has ever filed a claim for benefits under the Workers' Compensation Act or Workers' Occupational Diseases Act or received benefits under these Acts.
    (b)(1) Except as provided in this subsection, it shall be unlawful for any employer or prospective employer to:
        (A) request, require, or coerce any employee or prospective employee to provide a user name and password or any password or other related account information in order to gain access to the employee's or prospective employee's personal online account or to demand access in any manner to an employee's or prospective employee's personal online account;
        (B) request, require, or coerce an employee or applicant to authenticate or access a personal online account in the presence of the employer;
        (C) require or coerce an employee or applicant to invite the employer to join a group affiliated with any personal online account of the employee or applicant;
        (D) require or coerce an employee or applicant to join an online account established by the employer or add the employer or an employment agency to the employee's or applicant's list of contacts that enable the contacts to access the employee or applicant's personal online account;
        (E) discharge, discipline, discriminate against, retaliate against, or otherwise penalize an employee for (i) refusing or declining to provide the employer with a user name and password, password, or any other authentication means for accessing his or her personal online account, (ii) refusing or declining to authenticate or access a personal online account in the presence of the employer, (iii) refusing to invite the employer to join a group affiliated with any personal online account of the employee, (iv) refusing to join an online account established by the employer, or (v) filing or causing to be filed any complaint, whether orally or in writing, with a public or private body or court concerning the employer's violation of this subsection; or
        (F) fail or refuse to hire an applicant as a result of his or her refusal to (i) provide the employer with a user name and password, password, or any other authentication means for accessing a personal online account, (ii) authenticate or access a personal online account in the presence of the employer, or (iii) invite the employer to join a group affiliated with a personal online account of the applicant.
    (2) Nothing in this subsection shall limit an employer's right to:
        (A) promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use; or
        (B) monitor usage of the employer's electronic equipment and the employer's electronic mail without requesting or using any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's personal online account.
    (3) Nothing in this subsection shall prohibit an employer from:
        (A) obtaining about a prospective employee or an employee information that is in the public domain or that is otherwise obtained in compliance with this amendatory Act of the 97th General Assembly;
        (B) complying with State and federal laws, rules, and regulations and the rules of self-regulatory organizations created pursuant to federal or State law when applicable;
        (C) requesting or requiring an employee or applicant to share specific content that has been reported to the employer, without requesting or requiring an employee or applicant to provide a user name and password, password, or other means of authentication that provides access to an employee's or applicant's personal online account, for the purpose of:
            (i) ensuring compliance with applicable laws or regulatory requirements;
            (ii) investigating an allegation, based on receipt of specific information, of the unauthorized transfer of an employer's proprietary or confidential information or financial data to an employee or applicant's personal account;
            (iii) investigating an allegation, based on receipt of specific information, of a violation of applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct;
            (iv) prohibiting an employee from using a personal online account for business purposes; or
            (v) prohibiting an employee or applicant from accessing or operating a personal online account during business hours, while on business property, while using an electronic communication device supplied by, or paid for by, the employer, or while using the employer's network or resources, to the extent permissible under applicable laws.
    (4) If an employer inadvertently receives the username, password, or any other information that would enable the employer to gain access to the employee's or potential employee's personal online account through the use of an otherwise lawful technology that monitors the employer's network or employer-provided devices for network security or data confidentiality purposes, then the employer is not liable for having that information, unless the employer:
        (A) uses that information, or enables a third party to use that information, to access the employee or potential employee's personal online account; or
        (B) after the employer becomes aware that such information was received, does not delete the information as soon as is reasonably practicable, unless that information is being retained by the employer in connection with an ongoing investigation of an actual or suspected breach of computer, network, or data security. Where an employer knows or, through reasonable efforts, should be aware that its network monitoring technology is likely to inadvertently to receive such information, the employer shall make reasonable efforts to secure that information.
    (5) Nothing in this subsection shall prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications as required under Illinois insurance laws or federal law or by a self-regulatory organization as defined in Section 3(A)(26) of the Securities Exchange Act of 1934, 15 U.S.C. 78(A)(26) provided that the password, account information, or access sought by the employer only relates to an online account that:
        (A) an employer supplies or pays; or
        (B) an employee creates or maintains on behalf of or under direction of an employer in connection with that employee's employment.
    (6) For the purposes of this subsection:
        (A) "Social networking website" means an Internet-based service that allows individuals to:
            (i) construct a public or semi-public profile within a bounded system, created by the service;
            (ii) create a list of other users with whom they share a connection within the system; and
            (iii) view and navigate their list of connections and those made by others within the system.
        "Social networking website" does not include electronic mail.
        (B) "Personal online account" means an online account, that is used by a person primarily for personal purposes. "Personal online account" does not include an account created, maintained, used, or accessed by a person for a business purpose of the person's employer or prospective employer.
(Source: P.A. 98-501, eff. 1-1-14; 99-610, eff. 1-1-17.)