A Guide to Employee Monitoring in the US

In the United States, it is fully within the legal rights of employers to conduct employee monitoring. 

Both federal and state laws generally permit employers to monitor various aspects of their employees’ activities that occur on company-owned devices and networks, as long as there is a legitimate business purpose. 

This monitoring may cover areas such as employee attendance, computer usage, active or idle time, internet activities, screen content, emails, keystrokes, and more. 

However, it is important to note that laws exist to regulate the extent to which monitoring software can be implemented in the workplace.

Further, certain state laws mandate that employers must obtain consent from employees for monitoring activities.

At the federal level, there are no legal obligations for employers to disclose the fact that monitoring is taking place to their employees.

Here are some of the most common laws regulating employee monitoring in the US:

Introduced in July 2022, the American Data Privacy and Protection Act (ADPPA), also referred to as H.R. 8152, is a comprehensive federal law that establishes the framework for data privacy in the United States.

This legislation encompasses various aspects of personal data collection, including storage, sharing, and computer monitoring.

The primary objective of the ADPPA is to limit data collection, specifying that employer-collected employee data may only be processed or transferred for legitimate administrative purposes.

The Fourth Amendment of the United States Constitution protects individual privacy rights and restricts the government from conducting unreasonable searches and seizures.

It establishes the requirement for warrants based on probable cause and specifies that the warrant must precisely detail the items to be searched or seized.

This constitutional provision applies to all branches of government at the federal, state, and local levels.

The Electronic Communications Privacy Act (ECPA), commonly referred to as the Wiretap Act, prohibits the interception of phone calls without the consent of at least one party involved. This means that employers are generally not allowed to wiretap or eavesdrop on their employees’ phone conversations unless there is a legitimate reason and proper legal authorization.

Furthermore, the ECPA extends beyond phone calls and also applies to employee monitoring in general.

Employers must comply with this law when monitoring various forms of communication, such as emails, mail, and other forms of electronic communication between employees.

However, it’s important to note that there are exceptions to this rule. Law enforcement authorities, for example, may have the authority to wiretap individuals suspected of criminal activity, including employees.

The Computer Fraud and Abuse Act (CFAA) is a significant law to combat cybercrimes. The act states that it is illegal for anyone, including employers, to access an individual’s device without a valid reason and without permission. 

Employers can face legal consequences under the CFAA if they access an employee’s device without obtaining their permission.

The Stored Communications Act (SCA) is part of the Electronic Communications Privacy Act and is aimed at addressing issues related to computer hackers and corporate espionage.

This act prohibits employers from intentionally intercepting and storing electronic messages of their employees without their consent.

Violating this act can result in litigation.

The Biometric Information Privacy Act (BIPA), enacted in 2008 as an Illinois state law, governs the handling of biometric data such as fingerprints, facial recognition, and iris scans.

It imposes requirements on companies to obtain written consent from individuals before collecting their biometric information and mandates the protection of its security and confidentiality.

BIPA establishes significant statutory damages for violations of the law. In cases of negligent violation, individuals can seek damages of up to $1,000, while intentional or reckless violations can result in damages of up to $5,000.

Federal legislation in the US does not mandate employers to inform their workers about when they are being monitored. 

However, four US states have mandated employers, through passing legislation, to provide prior notification to their staff regarding the use of monitoring software. These are as follows:

• Connecticut: Under Sec. 31-48d of the Connecticut General Statutes, “employers engaged in electronic monitoring required to give prior notice to employees.”
• Delaware: Under the Delaware Code, Title 19, Chapter 7, Section 705 (§ 19-7-705), employers are to give a “notice of monitoring of telephone transmissions, electronic mail and Internet usage.”. 
• Texas: The Data Privacy and Security Act, which was newly passed by the Texas Senate as Bill: HB 4 offers “regulation of the collection, use, processing, and treatment of consumers’ personal data by certain business entities; imposing a civil penalty.”
• New York: The newly introduced New York assembly Bill A2587 introduced the New York Data Protection Acts, which “requires government entities and contractors to disclose certain personal information collected about individuals.”
  

In the remaining US states, employers have the legal right to monitor employees without obtaining their consent. Additionally, privacy laws generally grant employers discretion in determining the extent to which monitoring software can be utilized.

According to US law, activities carried out on employer-provided devices are not considered private, which means that employers may not be required to inform employees about monitoring in these specific instances.

When it comes to the monitoring of employee devices, except in cases where the employee is using a company-owned device, employers are legally obligated to inform employees about the monitoring of personal devices.

Under the laws of the United States, employers are authorized to monitor systems that t1`hey own. 

As stated in the Electronic Communications Privacy Act (ECPA), if an employer supplies a computer that belongs to the company, they typically have the right to monitor all actions performed by employees on that device. 

Such monitoring encompasses activities like accessing stored documents/files, downloads, internet usage, and tracking active or idle time. 

Furthermore, company-provided devices used outside of the workplace may also be subject to monitoring.

According to US law, if an employer provides a device to an employee, such as a computer or smartphone, that device is considered the property of the company.

As a result, the employer has the legal authority to monitor various aspects of the device, including internet activity, GPS location tracking, and even viewing the content displayed on the screen.

Federal law may seemingly restrict employers from monitoring personal devices such as laptops, tablets, and phones.

However, the law allows for monitoring if there are established policies, such as Bring Your Own Device (BYOD) policies, that support monitoring the use of employee personal devices for work-related purposes.

The US Constitution safeguards employees from unauthorized searches of personal belongings, as outlined in the Fourth Amendment.

It should be noted that this protection applies only to the government sector and does not extend to unreasonable searches and seizures in the private sector.

However, an employer can gather information from an employee’s personal computer under certain circumstances, such as with a court order or a clear workplace policy allowing computer monitoring within the company premises.

US employers possess the authority to oversee the utilization of their owned computer equipment.

This includes monitoring computer usage during work hours, as well as before and after hours, including breaks.

One common reason for monitoring is to ensure that employees refrain from engaging in inappropriate internet activities on company-owned computers. It is important to note that employers are legally permitted to monitor computers when there are valid business justifications.

However, in some cases, obtaining employee consent may be necessary to monitor them during breaks.

US employers have the authority to monitor a device owned by the company, even outside of business hours, although there are certain limitations.

If an employee utilizes the device for personal communication outside of work hours, the employer cannot conduct monitoring unless it has been explicitly stipulated in the employment agreement between the employee and the employer.

In most cases, employers are not allowed to mandate the installation of monitoring software on employees’ personal devices.

However, the employer may enforce the installation of monitoring software if an employee utilizes personal devices for work purposes to ensure adherence to company policies and regulations.

When it comes to employee usage of company phones, alongside the fourth amendment, the Electronic Communications Privacy Act (ECPA) of 1986 prohibits the intentional interception of wire, oral, or electronic communications. 

However, certain instances permit such interceptions. For example, employers have the right to monitor company systems as long as there is a valid business rationale behind it. Further, service providers are legally permitted to access electronic communications.

Federal law also allows for the recording of phone conversations with the consent of at least one party (one-party consent law).

However, it is essential to note that each state in the US has its own regulations regarding the number of parties required to provide consent for phone conversation recording.

According to US law, any email sent or received by an employee on a company system, whether business-related or personal, is considered the property of the employer and can be accessed or reviewed by the company whenever necessary.

The majority of employers in the United States have policies in place that grant them the authority to monitor employee emails.

However, consent requirements vary by state.

For instance:

• In California and Illinois, employers are required to obtain consent from third parties before accessing employees’ emails.
• In Connecticut and Delaware, employers must inform workers about email monitoring practices.
• Colorado and Tennessee have laws that mandate companies to establish email monitoring policies.

Under certain circumstances, it is legally permissible in the United States to monitor employees’ private messages and email content.

The legality hinges on whether a private email or message was transmitted or received using the employer’s equipment or network.

If the communication occurred on a personal device, employers may be able to monitor it if there is an established policy in place.

However, the law prohibits employers from monitoring password-protected private messages and email accounts without the employee’s consent.

If there is a valid business reason for doing so, the use of video monitoring systems in the workplace is allowed in the US under federal laws. However, there are specific areas where this may be prohibited.

States like California, New York, and West Virginia have regulations that restrict the use of video monitoring systems in places such as restrooms, locker rooms, and other areas where individuals have a reasonable expectation of privacy.

Additionally, employers have an obligation to inform employees about the presence of video monitoring systems and obtain their consent in certain cases.

It’s important to note that video recordings should not include audio, according to federal wiretap laws in US states that require consent from all parties involved (Two-Party Consent States).

It is possible today for employer-provided devices like cell phones or laptops to be used in the US for surveillance purposes, including activating the device’s webcam. 

However, it is crucial to emphasize that monitoring employees through their personal devices in such a manner is against the law.

Engaging in monitoring activities beyond work hours could be perceived as an infringement on an individual’s personal privacy and space, which may result in potential legal conflicts.

On an employee’s work computer, it is permissible for employers in the US to monitor the screen contents and the number of keystrokes entered per hour.

It is important to keep in mind that employers have the ability to access any activities conducted by an employee on their work computer, particularly when there is a well-defined and documented workplace policy in place.

Regulations regarding GPS usage vary across different states. 

In general, if an employee utilizes a company device, the employer is typically permitted to monitor the employee’s geolocation. 

This means that if an employee takes a company-provided laptop outside of the office, the employer has the authority to track the device’s location.

However, if the vehicle in question is owned by the employee, employers are required to obtain consent from the employee before implementing GPS tracking.

Company-owned vehicles give the employer the legal right to monitor their geolocation, even when the employee is off-duty.

There are restrictions on the scope of information that employers can gather through GPS tracking.

It is prohibited to utilize GPS tracking for monitoring an employee’s personal activities or collecting data pertaining to their religion, political opinions, or other legally protected attributes.

Unauthorized tracking of an employee’s location without prior agreement and written consent between the employer and the employee is not permitted and is considered spy tracking.

Generally, employers are required to acquire the employee’s consent and provide notification before implementing GPS tracking.

In the US, employers generally have the right to monitor employees’ internet usage during paid hours to ensure it is work-related, with each state having its own regulations.

This includes monitoring websites visited, time spent online, and implementing restrictions on certain sites.

Regarding the monitoring of social media activities, it is generally legal in the US, with each state having its own regulations.

Some states allow employers to conduct pre-employment background checks and establish policies limiting social media use during working hours.

However, certain states have laws protecting employees from being required to provide their social media account credentials, including user names or passwords, to employers.

Monitoring an employee’s internet activity outside of work hours without their consent is considered unlawful. 

However, if the employee is using a device provided by the company, the employer may have the right to monitor their internet usage.

US employers are allowed to keep the data collected from their employees’ internet activity.

However, using it for personal purposes or sharing it with third parties without the employee’s consent is prohibited.

After ensuring that monitoring is conducted in a legal and accurate manner, employee monitoring can serve as a tool for employers to mitigate workplace harassment and discrimination.

By monitoring employee communication, employers can proactively identify and address potential issues.

Employers have the option to utilize monitoring to identify criminal activity, but they must adhere to specific conditions, such as conducting monitoring activities under the supervision of law enforcement agencies.

Further, employers cannot independently engage in monitoring to detect criminal activity without a valid reason or at their own discretion.

Employers may monitor personal relationships among employees during working hours to address conflicts, ensure productivity, understand workplace dynamics, enforce policies, and prevent harassment or discrimination.

The monitoring of personal relationships among employees in the US is authorized during working hours, but employers are not permitted to monitor such relationships outside of work hours.

Enacted in 1986, the Electronic Communications Privacy Act (ECPA) at the federal level safeguards the employer’s right to monitor employees and their activities.

This act, specifically Title II known as the Stored Communications Act (SCA), grants employers the authority to review files and data produced by employees while on the job, as long as there are legitimate business justifications supporting such actions.

If certain evidence is collected by an employer through monitoring programs to prove certain allegations against an employee, they may have the right to initiate legal action against the employee.

However, it’s important to note that the employee can make a counterclaim if the employer violated any laws or regulations during the monitoring process.

Under US data protection laws enacted in 1998, employers are obligated to safeguard the “sensitive personal information” of employees. 

Further, both federal and state laws exist to protect employees’ privacy in the workplace including the Video Privacy Protection Act and the California Consumer Privacy Act (CCPA), which provide employees with the right to request information about the collection of their private data. Also, the legislation safeguarding written, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA), enacted in 1986.

It is important for employees to recognize that their privacy rights are constrained within the workplace, as workplace policies may limit certain privacy expectations, particularly in relation to company-owned equipment.

US employees have the option to take legal action against their employer if they have violated monitoring laws, which can occur as a breach of confidentiality if the employer makes an employee’s personal information publicly accessible to third parties constitutes a violation of privacy or as a violation of privacy if the employer performs excessively invasive monitoring practices, such as intercepting personal messages, wiretapping, keylogging, and similar actions, which can infringe upon an individual’s personal boundaries.

Non-compliance with employee monitoring laws can have severe consequences, including lawsuits, financial penalties, reputational harm, and in certain instances, potential criminal charges.