Employee Privacy

The rights of workers to control their personal information and limit employer surveillance of their communications, activities, and personal lives, balanced against the employer's legitimate business interests in monitoring workplace conduct, protecting assets, and ensuring compliance.

What Is Employee Privacy?

Key Takeaways

  • Employee privacy covers a worker's right to keep personal information, communications, and activities private from employer intrusion, within limits defined by law and business necessity.
  • US law generally favors employer monitoring rights when using company-owned equipment and systems. But state laws, the NLRA, and common-law privacy torts create real boundaries.
  • 78% of US employers monitor employee digital activity (email, internet, applications), and 60% use dedicated monitoring software, a figure that doubled during the remote work shift (AMA/Gartner, 2023).
  • The growing use of biometric data (fingerprint scanners, facial recognition time clocks) has triggered a wave of privacy litigation. Illinois BIPA alone has generated over $1.5 billion in settlements.
  • Employees have stronger privacy protections for off-duty conduct, personal devices, medical information, and union organizing activities. Employer monitoring of these areas carries significant legal risk.

Employee privacy is a balancing act. Employers have legitimate reasons to monitor: preventing data theft, ensuring productivity, maintaining security, investigating misconduct, and complying with regulatory requirements. Employees have legitimate expectations of privacy: their personal emails, their medical conditions, their off-duty activities, their conversations with coworkers about working conditions. The law tries to draw a line between these interests, but the line keeps moving. Technology has made monitoring cheaper and more pervasive than ever. Keystroke loggers. Screen capture software. GPS tracking. Email scanning. Video surveillance. Biometric time clocks. Each new monitoring capability creates new legal questions. And the pandemic-driven shift to remote work blurred the boundary between 'workplace' and 'home' in ways that existing privacy law doesn't fully address. For HR professionals, the practical question isn't whether monitoring is legal (it usually is, with conditions). The question is: what monitoring serves a legitimate business purpose, what disclosures are required, and where does the monitoring cross from oversight into invasion?

  • 78% of US employers monitor employee digital activity including email, internet, and app usage (AMA, 2023)
  • $1.5B+ in settlements paid under Illinois BIPA for biometric data collection without consent (IAPP, 2024)
  • 4 states (CT, DE, NY, CO) that require advance notice to employees before electronic monitoring begins
  • 60% of employers using employee monitoring software, up from 30% pre-pandemic (Gartner, 2023)

Types of Employee Monitoring and Their Legal Boundaries

Each monitoring method has different legal considerations. Some are broadly permissible with notice, others require caution.

| Monitoring Type | Prevalence | Legal Status | Key Restrictions |
|---|---|---|---|
| Email monitoring (company accounts) | 73% of employers | Generally legal with notice | NLRA protections for protected concerted activity; some states require written disclosure |
| Internet/browsing monitoring | 66% of employers | Generally legal with notice | Must disclose; can't monitor personal browsing on personal devices during breaks |
| Keystroke logging | 26% of employers | Legal with notice, but controversial | Some courts have found excessive keystroke logging invasive; disclosure essential |
| Screen capture/recording | 32% of employers | Legal with notice | Risk of capturing personal data; must disclose frequency and scope |
| GPS tracking (company vehicles) | 47% of employers with fleets | Legal during work hours | Must stop tracking after work hours; some states require consent |
| Video surveillance (workplace) | Widespread | Legal in work areas with notice | Prohibited in restrooms, changing areas, break rooms (some states); audio recording has stricter rules |
| Phone call monitoring/recording | Common in call centers | Legal with disclosure | Federal: one-party consent; 11 states require all-party consent; must notify callers |
| Biometric data collection | Growing (time clocks, building access) | State-dependent, high-risk | Illinois BIPA requires written consent; TX, WA have similar laws; major litigation area |
| Social media monitoring | Used by some employers | Limited | Can view public posts; accessing private accounts is generally prohibited; NLRA protections apply |

Biometric Privacy: The Highest-Risk Area for Employers

Biometric data collection has become one of the most expensive privacy compliance issues in employment law, driven primarily by Illinois BIPA litigation.

Illinois BIPA: the template for biometric regulation

The Illinois Biometric Information Privacy Act (2008) requires employers to provide written notice identifying the specific biometric data being collected, the purpose, and the retention period. Employees must provide written consent before collection. The employer must publish a retention and destruction policy. BIPA provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. These per-violation damages have produced staggering settlements: BNSF Railway ($228 million verdict), Facebook ($650 million settlement), TikTok ($92 million settlement), and dozens of workplace time clock cases.

Biometric laws in other states

Texas CUBI (Capture or Use of Biometric Identifier) prohibits capture of biometric identifiers without consent but is enforced by the attorney general, not private lawsuits. Washington HB 1493 requires notice and consent for biometric identifiers but has no private right of action. New York City's biometric identifier law requires businesses (not specifically employers) to disclose biometric collection. Several other states (Maryland, Arkansas, Montana) have enacted or proposed biometric privacy statutes. The trend is clear: biometric regulation is expanding, and employers using fingerprint or facial recognition systems need compliance programs in every state where they operate.

Practical compliance for biometric time clocks

If your company uses fingerprint or facial recognition time and attendance systems, implement these steps immediately:

  • Provide written notice to all employees before enrollment.
  • Obtain signed consent forms.
  • Publish a biometric data retention and destruction policy (don't keep data longer than 3 years after last use or termination).
  • Offer an alternative time tracking method for employees who decline biometric enrollment.
  • Store biometric templates encrypted and separate from other employee data.
  • Include biometric data policies in your employee handbook.

Employee Privacy in Remote and Hybrid Work

Remote work expanded employer monitoring into employees' homes, creating new tensions between oversight and privacy.

The monitoring surge

The percentage of employers using employee monitoring software jumped from 30% pre-pandemic to 60% by 2023 (Gartner). Tools like Hubstaff, ActivTrak, Teramind, and Time Doctor capture screenshots, track application usage, log keystrokes, and measure 'active time.' Some employers use webcam monitoring to verify employees are at their desks. This level of surveillance was unthinkable in office settings but became normalized for remote workers. The legal and ethical implications are still being sorted out.

Legal considerations for home monitoring

Monitoring employees working from home raises unique issues: cameras can capture family members, children, and private living spaces. Audio monitoring may violate two-party consent recording laws in 11 states. Screen monitoring on personal devices can capture personal financial, medical, or legal information. GPS tracking on personal phones can track off-duty movement. Courts haven't fully addressed these scenarios, but the trend in legislation and case law is toward requiring explicit consent, clear disclosure of monitoring scope, and limiting monitoring to work-related activities during work hours.

Employee Privacy and Off-Duty Conduct

What employees do outside of work is generally their own business, but the boundaries aren't always clear.

Off-duty conduct protection laws

Over 30 states have laws protecting employees from adverse employment actions based on lawful off-duty conduct. Originally passed to protect smokers, these laws now protect any legal activity conducted outside work hours and off company premises. Colorado's law is one of the broadest: employers can't terminate for any lawful activity off-premises during non-working hours. California prohibits adverse action for lawful off-duty use of cannabis (effective 2024). New York protects off-duty recreational activities and political activities.

Social media and off-duty speech

Employees' social media posts create a gray area. Public posts criticizing the employer may be protected under the NLRA if they constitute 'protected concerted activity' (discussing wages, working conditions, or collective action). However, posts that are merely personal complaints, racist/harassing content, or disclosure of trade secrets generally aren't protected. Over 25 states have laws prohibiting employers from requiring employees to provide social media login credentials. Employers can view public social media but can't coerce access to private accounts.

Building an Employee Monitoring Policy

A well-drafted monitoring policy protects the employer legally and builds employee trust through transparency.

  • State clearly what is monitored: email, internet, phone, video, GPS, keystrokes, screen activity. Be specific about scope, methods, and frequency.
  • Explain why monitoring occurs: security, compliance, productivity measurement, client service quality. Tie each monitoring type to a legitimate business purpose.
  • Disclose who has access to monitoring data and how long it's retained. Limit access to those with a genuine need to know.
  • Address personal use: if employees can use company devices for limited personal purposes, clarify that personal activity on company devices may be captured by monitoring systems.
  • Include the policy in the employee handbook and require written acknowledgment during onboarding. Update the acknowledgment when monitoring practices change.
  • Address remote/hybrid workers specifically: what monitoring applies to home offices, whether personal devices are monitored, and webcam/audio recording policies.
  • Reference applicable state laws (Connecticut, Delaware, New York disclosure requirements) and ensure the policy meets the strictest applicable standard.
  • Review the policy annually with employment counsel, especially as new monitoring technologies are adopted or new state laws take effect.

Employee Privacy Statistics [2026]

Data points reflecting the current state of employee monitoring and privacy litigation.

  • 78% of US employers monitoring employee digital activity (AMA, 2023)
  • 60% of employers using dedicated monitoring software (doubled since pre-pandemic) (Gartner, 2023)
  • $1.5B+ in BIPA settlements for biometric data violations in workplace settings (IAPP, 2024)
  • 30+ states with off-duty conduct protection laws limiting employer reach into personal lives (NCSL, 2024)

Frequently Asked Questions

Can an employer read employee emails on a company account?

Generally, yes. Courts have consistently held that employees have no reasonable expectation of privacy in company-provided email accounts, especially when the employer has a policy stating that email may be monitored. The key is having a clear, written policy that employees acknowledge. However, the NLRA protects employee communications about wages and working conditions, even on company email (Purple Communications, 2014). Monitoring attorney-client privileged communications can also create legal issues.

Can an employer monitor personal devices used for work?

It depends on the BYOD policy and state law. Employers can generally monitor company data and applications on personal devices if there's a clear BYOD agreement authorizing it. But monitoring personal applications, messages, and activities on the employee's own device goes too far in most jurisdictions. Use containerization (MDM solutions that separate work and personal data) and limit monitoring to the work container. California and several other states provide stronger personal device protections.

Can employers monitor employees' personal social media?

Employers can view publicly posted social media content. They can't require employees to provide login credentials for private accounts (prohibited in 25+ states). They can't create fake accounts to friend or follow employees for monitoring purposes. And they can't take adverse action against employees whose social media posts constitute NLRA-protected concerted activity (discussing wages or working conditions). Employers should have clear social media policies that distinguish between protected speech and conduct that violates company rules.

Are employers allowed to drug test employees?

Federal law doesn't require drug testing for most private employers (exceptions: DOT-regulated transportation and federal contractors under the Drug-Free Workplace Act). State laws vary significantly. Some states allow testing at any time, others only allow it pre-employment, upon reasonable suspicion, or after workplace accidents. The trend toward cannabis legalization has complicated drug testing. New York, California, and several other states now prohibit adverse action based on off-duty cannabis use. Medical marijuana users have protections in many states. Test policies must align with current state law, which changes frequently.

What privacy rights do employees have regarding their medical information?

The ADA requires employers to keep medical information in separate, confidential files with restricted access. Managers generally shouldn't know the specific diagnosis behind an accommodation request, only the functional limitations and accommodations needed. FMLA certifications must be kept confidential. Workers' compensation records are separate from personnel files. Employers can't share employees' medical information with coworkers or include it in general personnel records. GINA prohibits employers from requesting genetic information. While HIPAA doesn't directly cover most employment records, state medical privacy laws often fill the gap.

Can an employer install cameras in the workplace?

Video surveillance is generally legal in common work areas with proper notice. Cameras are prohibited in restrooms, changing rooms, locker rooms, and any area where employees have a reasonable expectation of privacy. Some states restrict cameras in break rooms and lunch areas. Audio recording has stricter rules: 11 states require all-party consent for audio recording (California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, Washington). The NLRA restricts surveillance that would chill union organizing activity. Always post visible notices informing employees and visitors that video surveillance is in operation.

Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026