In today’s digitally driven world, the line between the office and everywhere else has blurred. Employers now have access to an arsenal of tools capable of monitoring employee activity in ways previously unimaginable – tracking keystrokes, analyzing productivity through sophisticated software, even monitoring locations. Especially with the rise of remote and hybrid work, the question inevitably arises, perhaps with a hint of unease: Can we legally monitor our employees like this? Is it “spying,” and where do we draw the line?  

While the word “spying” carries a clandestine connotation, the reality of workplace monitoring in the United States is that much of it is, in fact, legally permissible under the right conditions. The critical issue for businesses and their legal counsel isn’t if monitoring can occur, but how it’s implemented. Getting it wrong can lead to legal challenges, damaged morale, and a breakdown of trust. Getting it right requires navigating a complex web of federal and state laws, understanding the nuanced concept of employee privacy, and, crucially, establishing clear, transparent policies. Let’s unpack this landscape, exploring the scope of monitoring, the governing laws, pivotal court decisions, and the best practices to protect your business while respecting your workforce.  

Please note this blog post should be used for learning and illustrative purposes. It is not a substitute for consultation with an attorney with expertise in this area. If you have questions about a specific legal issue, we always recommend that you consult an attorney to discuss the particulars of your case.

What Does “Monitoring” Actually Mean Today?

Before diving into the legalities, what activities are we even talking about? Employee monitoring isn’t a single action, but a spectrum of practices used to observe, track, or analyze workforce activities. This can range from the relatively standard, like reviewing work emails for compliance or tracking internet usage on company networks, to more advanced methods.  

Think about common digital tools: software that logs application use, systems that track time spent on websites, or even platforms that scan communications on company channels like Slack or Teams. Then there are more intensive techniques: keystroke logging (recording every key pressed), screen monitoring (capturing screenshots or video), and GPS tracking of company vehicles or devices. Some of the most comprehensive suites, often capturing multiple data points to generate productivity scores or flag perceived inactivity, have earned the somewhat loaded labels of “bossware” or “tattleware” among employees wary of their reach.  

Beyond the digital, traditional methods like video surveillance (CCTV) in common areas remain prevalent for security. And emerging technologies like biometric scanners (fingerprints, facial recognition) for access or timekeeping, and AI-driven analytics that promise insights into everything from security risks to performance trends, are adding new layers of complexity and potential legal friction.  

The Federal Baseline: The ECPA

So, does federal law give employers a green light for this kind of monitoring? The cornerstone federal statute is the Electronic Communications Privacy Act (ECPA) of 1986. Enacted long before the modern internet age, ECPA aimed to balance communication privacy with law enforcement and business needs. It generally prohibits intentionally intercepting wire, oral, or electronic communications while in transit (Title I – Wiretap Act) and accessing stored communications without authorization (Title II – Stored Communications Act or SCA).  

However – and this is critical for employers – ECPA contains two major exceptions that often permit workplace monitoring:

  1. The Business Purpose Exception: Monitoring is allowed if it’s done for a legitimate business reason or occurs in the ordinary course of business. Think quality control, ensuring policy compliance, protecting trade secrets, preventing harassment, or maintaining system security.  
  2. The Consent Exception: Monitoring is permissible if at least one party to the communication consents. In the workplace, consent can be implied – often inferred when an employee uses company equipment after being clearly notified via policy that such use is subject to monitoring. Or, it can be explicit – obtained directly through a signed acknowledgment or agreement. While implied consent might suffice legally in some contexts, obtaining explicit, documented consent is always the safer route.  

These ECPA exceptions provide the primary federal pathways for lawful monitoring. But they aren’t blank checks. The business purpose must be genuine and demonstrable, and consent relies on clear, unambiguous communication and acknowledgment. Furthermore, other federal laws, like the National Labor Relations Act (NLRA), can restrict monitoring if it interferes with employees’ rights to organize or discuss working conditions.  

The State Law Maze: Adding Layers of Complexity

While ECPA sets a floor, state laws frequently build upon it, often imposing stricter requirements and offering greater privacy protections. This creates a complex “patchwork quilt” of regulations. Operating in multiple states, or employing remote workers across state lines? You need to be aware of the specific laws where your employees work.  

Key areas where states often diverge include:

  • Notice Requirements: Unlike federal law, several states explicitly require employers to notify employees about electronic monitoring. New York, Connecticut, and Delaware, for instance, mandate prior written notice (with specific requirements for acknowledgment or conspicuous posting) for monitoring emails, internet use, or phone calls. California, under its comprehensive privacy laws (CCPA/CPRA), requires notice at or before collection regarding the categories of personal information collected, which includes data gathered via monitoring.  
  • Call Recording Consent: This is a major point of difference. While federal law and most states follow a “one-party consent” rule (only one person on the call needs to consent), a significant number of states, including California, Florida, Illinois, Pennsylvania, Washington, Massachusetts, Maryland, and Delaware, require “all-party consent.” If your business records calls involving people in different states, the practical advice is to comply with the strictest standard – obtain consent from all parties. The California Supreme Court case Kearney v. Salomon Smith Barney, Inc. reinforced this, applying California’s stricter all-party rule even when one party was in a one-party consent state.  
  • Biometric Data: Laws specifically governing fingerprints, facial scans, or voiceprints are proliferating. Illinois’ Biometric Information Privacy Act (BIPA) is the most well-known, requiring written notice, explicit consent, and creating a private right of action that has fueled class-action lawsuits. Cases against companies like Topgolf and Walmart, alleging failure to get proper consent for finger-scan timeclocks, illustrate the high stakes. Texas, Washington, California, and Colorado also have specific biometric regulations.  
  • AI and Automated Tools: Legislation is emerging to address AI used in hiring, promotion, or performance evaluation, often focusing on bias audits and notice requirements. New York City’s law is an early example.  
  • Looking Ahead (2025): Proposed legislation signals continued focus. California’s AB 1331 aims to restrict monitoring in off-duty areas and require disabling tools during breaks or off-hours. New York’s A3779/S185 targets automated employment decision tools.  

This state-level activity underscores that relying solely on federal law is insufficient and risky.

But Don’t Employees Have Some Privacy Rights at Work?

Beyond specific statutes, there’s the legal concept of an employee’s reasonable expectation of privacy (REP) in the context of workplace monitoring. It’s a cornerstone of common law invasion of privacy claims. Courts generally agree that employees’ REP is lower at work than at home, but it’s not nonexistent. So, how is REP determined? It’s highly fact-specific, but key factors include:

  • Employer Policies (The Big One): Clear, consistently communicated policies stating that company systems are monitored and that employees should have no expectation of privacy drastically reduce REP. Conversely, ambiguous policies or lack of notice can preserve it. The recent California case Militello v. VFarm 1509 (2023) emphasized this, suggesting REP in work email could persist without a clear policy stating otherwise.  
  • Device Ownership: REP is minimal on employer-provided computers, phones, and networks. It’s significantly higher on personal devices (BYOD), though policies can still impact this. The Supreme Court touched on this in City of Ontario v. Quon (2010), involving pager messages, confirming the fact-specific nature of REP analysis.  
  • Location: Privacy expectations are high in restrooms, locker rooms, and potentially break areas. They are low in open work areas. Remote work complicates this, extending monitoring into the home. In Hernandez v. Hillsides, Inc. (2009), the California Supreme Court found hidden office cameras intruded on privacy but weren’t “highly offensive” given security needs, though lack of notice was a concern.  
  • Nature of Communication: Personal messages generally carry higher REP, but using work systems under a monitoring policy often negates this. A critical exception involves attorney-client privilege. The landmark New Jersey case Stengart v. Loving Care Agency, Inc. (2010) held that emails with a personal attorney via a web-based account on a company laptop remained privileged, partly due to the employer’s ambiguous policy.  

This REP analysis is vital for defending against privacy torts like “intrusion upon seclusion,” which requires proving an intrusion that is “highly offensive to a reasonable person.” Routine monitoring, especially with clear notice, rarely meets this high bar.  

Balancing Needs: Justifying Monitoring and Best Practices

Why do employers monitor in the first place? Common reasons include enhancing productivity, protecting company assets and security (trade secrets, data breaches), ensuring legal compliance, preventing misconduct (harassment, theft), and promoting safety. These are often legitimate business interests. However, even lawful monitoring can erode trust and morale if perceived as excessive or purely punitive.  

So, how can businesses monitor effectively and ethically? It comes down to best practices:

  • Be Transparent: This is paramount. Clearly communicate what is monitored, why, how data is used, and who sees it. Use clear policies, notices, and handbook sections. No secret surveillance.  
  • Develop Strong Policies: Implement a comprehensive, written policy covering purpose, scope, methods, privacy disclaimers, personal use rules, and data handling. Distribute it widely and, crucially, obtain signed acknowledgments. This is legally required for notice in states like NY, CT, and DE.  
  • Get Consent When Needed: Secure explicit, informed consent where legally required (all-party call recording states, BYOD, biometrics) or as a best practice.  
  • Monitor Proportionally: Ensure monitoring is necessary for a specific business goal and use the least intrusive method possible. Don’t collect data you don’t need.  
  • Limit the Scope: Focus on work-related activities, company devices, and work hours. Avoid private areas (restrooms, locker rooms) and sensitive personal data unrelated to work.  
  • Secure the Data: Implement robust security (encryption, access controls) and clear retention/deletion schedules.  
  • Consult Legal Counsel: Given the complexity and state variations, regularly review policies and practices with experienced employment counsel.  

Handling Specific Scenarios: BYOD and Remote Work

Two common scenarios require extra caution:

  • Bring Your Own Device (BYOD): What about employees using personal phones or laptops for work? Monitoring these devices is significantly riskier from an employer-liability standpoint. It absolutely requires a specific, clear BYOD policy, explicit employee consent (usually via signed acknowledgment), technical measures to separate personal and work data (like Mobile Device Management, or MDM), and monitoring strictly limited to work-related activity. You generally cannot force employees to install monitoring software on personal devices without their agreement.
  • Remote Work: Does monitoring change when employees work from home? The same laws apply, but the privacy risks are amplified. Intrusive methods like webcam or microphone access could inadvertently capture personal life details, potentially leading to “intrusion upon seclusion” claims. It’s crucial to strictly limit monitoring to work hours and work activities. Also, be mindful of wage and hour laws (like the FLSA); monitoring tools that track activity must accurately reflect all compensable work time, including offline tasks or short breaks, to avoid wage theft claims.  

The Bottom Line

So, can employers monitor employees? Often, yes. But the legality and wisdom of doing so depend entirely on the approach. Navigating the ECPA, the complex patchwork of state laws, and the nuances of employee privacy expectations requires diligence. Success lies in transparency, clear and acknowledged policies, demonstrating legitimate business needs, obtaining consent when required, limiting intrusion, securing data, and treating employees fairly. Given the evolving legal landscape and technological advancements, ongoing consultation with employment law counsel isn’t just advisable – it’s essential for compliance and risk management.  

Contact Tishkoff

Tishkoff PLC specializes in business law and litigation. For inquiries, contact us at www.tish.law/contact/, and check out Tishkoff PLC’s website (www.Tish.Law/), eBooks (www.Tish.Law/e-books), blogs (www.Tish.Law/blog), and references (www.Tish.Law/resources).

References

City of Ontario v. Quon, 560 U.S. 746 (2010).  

Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended in scattered sections of 18 U.S.C.).  

Fisher Phillips. (n.d.). Stengart v. Loving Care: An Employer-Friendly Decision In Favor Employee Privacy Rights in Workplace Computers and Email. Retrieved from https://www.fisherphillips.com/en/news-insights/non-compete-and-trade-secrets-blog/stengart-v-loving-care-an-employer-friendly-decision-in-favor-employee-privacy-rights-in-workplace-computers-and-email.html  

Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 211 P.3d 1063 (2009).  

Jibble. (n.d.). Employee Monitoring in the US: Legal Case Studies. Retrieved from https://www.jibble.io/article/employee-monitoring-us-legal-case-studies  

Katz Banks Kumin LLP. (n.d.). Privacy Rights in the Remote Work World: Can My Employer Monitor My Activity? Retrieved from https://katzbanks.com/employment-law-blog/privacy-rights-remote-work-world-can-my-employer-monitor-my-activity/  

Militello v. VFarm 1509, 89 Cal. App. 5th 610 (2023).  

O’Connor v. Ortega, 480 U.S. 709 (1987).  

Skadden, Arps, Slate, Meagher & Flom LLP. (2022, September). Every Move You Make: Workplace Monitoring Technologies Create Opportunities and Risks. Skadden Quarterly Insights. Retrieved from https://www.skadden.com/insights/publications/2022/09/quarterly-insights/every-move-you-make  

WorkTime. (n.d.). Most Asked Questions on US Employee Monitoring Laws. Retrieved from https://www.worktime.com/most-asked-questions-on-us-employee-monitoring-laws