Exploring the legality of workplace surveillance's 'gray area'

Effects on employee morale and retention are not the only considerations associated with workplace surveillance


By Mickey Chichester and Ellie McPike

For many workers, the “hybrid” work arrangement allows increased flexibility in managing the day and saves time on otherwise inescapable tasks, such as commuting. According to the U.S. Census Bureau’s American Community Survey, the number of people primarily working from home tripled from 5.7% (roughly 9 million people) to 17.9% (27.6 million people) in 2021 alone. As the workplace has adjusted to this reality, more and more employers are adopting technology to monitor output. While workplace surveillance has been deployed in a variety of industries for decades, it has taken on a whole new meaning with so many professions and industries operating in fully remote and hybrid work structures.


Prevalence of Productivity Tracking Tools


A 2022 study of HR technology use found that 95% of HR leaders have either implemented new methods to track and report on the productivity and performance of remote workers or plan to do so. Workplace surveillance can take many forms, with the most common being location tracking, keystroke and mouse monitoring, screen captures, and camera captures. As workplace surveillance becomes more prevalent, employers are implementing innovative ways to monitor their employees, including deploying monitoring software to validate employee-reported work hours. For instance, software is available to monitor an employee’s internet and app usage, observe an employee via video, track files and editing time, and observe an employee’s use of email, phone, voicemail, and instant messages. There is even software that can predict employee activity by using behavioral analytics and biodata through the tracking of employee happiness based on “distinct physical movements.”


Employers should also consider the impact of surveillance and monitoring on employees. To maintain trust between employers and their employees, it is important for employers to have clear policies pertaining to what may be monitored, realistically set employee expectations, and eliminate ambiguity as to what employers may and may not review or consider.


Impact of Surveillance Tools on the Workplace


Effects on employee morale and retention are not the only considerations associated with workplace surveillance. The law is catching up, or being more widely applied, to tackle some of these associated legal considerations, such as wage and hour issues, privacy issues, and discrimination.


Timekeeping practices can be dismantled by the blurry delineations of when an employee is working and whether an employee takes a legally required break. Changes in duties when employees switch to hybrid or fully remote work can also impact whether the employee remains overtime exempt. For instance, if a switch to remote or hybrid work results in elimination of duties that supported an exemption, reclassification may be required. Consequently, employers should remain cognizant of the duties employees are actually performing as their roles evolve in a hybrid or remote setting. In this way, surveillance assists in employers’ determination of whether their workers are independent contractors or employees.


Employers should also take care to analyze exactly what behaviors they intend to monitor, and determine whether their monitoring tools and resources are, in fact, monitoring those behaviors. If employers want to monitor productivity, an employer may choose to implement software that determines whether employees are using the internet or applications beyond what is needed to perform their job duties, such as a tool that monitors URLs. However, if a position requires research or surfing the web, this tool could incorrectly provide employers with inaccurate measurements, or measurements outside the employer’s intended purpose. An employer may want to monitor the time an employee is continuously spending online or the time an employee spends in a document to determine when employees are working or to ensure employees are taking breaks. However, if an employer implements software that tracks how long documents are being edited or “checked out,” the employer could miss the time when an employee is reviewing and editing a hard copy document. If the manner in which people actually work is not considered, monitoring tools could provide a false depiction of an employee’s productivity and worktime.


Another popular tool is keylogging, meaning monitoring every keystroke an employee makes. This tool, in particular, can pose risks, including inaccurate representations of productivity, as well as privacy risks, as many of these types of software record all inputs, including passwords. If it is truly about monitoring performance, then whatever data is being collected should be a proxy for performance. Some things are relatively easy, like measuring the number of outbound calls a salesperson makes. However, other items may be harder to decipher. For example, for clerical staff, it can be difficult to tell whether people who perform a wide variety of administrative tasks are actually being productive at any given point. If an employer is simply monitoring keystrokes, and the employee is physically making binders or having in-person meetings, the employer will miss that aspect of the employee’s work. However, if the employee is online shopping or browsing their social media, the software might incorrectly mark this employee as having high performance or working more than the employee actually is.


While it has long been legal for organizations to monitor employees using company-owned devices and networks, companies are advised to tread carefully when using surveillance tools with remote employees working in their homes. Employees’ homes are now workplaces, with a blurred line of when one becomes the other. There are true privacy threats concerning the capture of voices other than the employee’s, of recording a child wandering, or the footage of other individuals caught within the Zoom frame.


State Laws


There are a handful of states that have already made strides in enacting privacy legislation concerning employee tracking. For example, New Jersey’s Assembly Bill 3950 went into effect on April 16, 2022. This law requires employers to provide notice to employees for certain types of geotracking. New York’s Notice of Electronic Monitoring went into effect May 7, 2022, which requires employers that “monitor or otherwise intercept” their employees’ telephone calls, e-mail, or internet access or usage to: (1) provide written notice to employees who are subject to the monitoring and obtain their written acknowledgement of the notice; and (2) post the notice in a conspicuous place that is readily accessible to employees subject to electronic monitoring.


Connecticut has a surveillance law that forbids employers from (1) engaging in electronic monitoring in areas designed for the health or personal comfort of employees or for the safeguarding of their possessions, such as restrooms, locker rooms, or lounges and (2) intentionally overhearing or recording employment contract negotiations.


The California Consumer Privacy Act (CPRA) went into effect on January 1, 2023 and is a new and comprehensive legal framework that will apply to the personal information of California residents who are employees, job applicants, independent contractors, and board members, as well as employees’ dependents who receive benefits through the employer. The CPRA provides employees with the right to access, delete, or opt out of the sale of their personal information, including data collected through employee monitoring programs.


Virginia joined California as the second state to enact a comprehensive data privacy law, enacted also on January 1, 2023. Similar to the CPRA, Virginia’s Consumer Data Protection Act (VCDPA) grants Virginia residents the right to access, correct, delete, know about, and opt out of the sale and processing of their personal information for “targeted advertising” purposes. However, the law does not apply to HR data or employee/applicant data.


Colorado became the third state to pass a data privacy law, which goes into effect on July 1, 2023. This law creates personal data privacy rights for Colorado residents, and the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Like the VCDPA, employment data is excluded from the scope of this law. However, employers should still be aware of the VCDPA and Colorado’s requirements to ensure compliance if handling consumer data.


Although these are the first state laws of their kind, they are certainly not the last, as there are similar bills in motion across the United States. For instance, Alabama, Minnesota, South Carolina, and Massachusetts are all working on legislation in this space.


Before New York passed SB S2628, Delaware passed a comparable law in 2017 that requires employers to provide notice to employees upon hire to inform employees that they will be monitored. Delaware does not, however, require that notice be posted within the workplace.


Similarly, Connecticut passed a law that requires employers to provide their employees notice of monitoring, and for it to be conspicuously displayed in the workplace. Unlike Delaware and New York, Connecticut does not require a written notice to employees upon hire. 


Impending Federal Laws


Although there is no current federal law specifically addressing workplace surveillance, it is only a matter of time. For instance, the “Stop Spying Bosses Act” was introduced in the Senate on February 2, 2023. Its listed purposes are to prohibit, or require disclosure of, the surveillance, monitoring, and collection of certain worker data by employers, and for other purposes. The bill is broad in scope, applying both to employees and applicants. Ultimately, the bill would require disclosure of certain workplace surveillance, including: “detection, monitoring, interception, collection, exploitation, preservation, protection, transmission, or retention of data concerning activities or communications with respect to the covered individual, including through the use of a product or service marketed, or that can be used, for such purposes, such as a computer, telephone, wire, radio, camera, sensor, electromagnetic, photoelectronic, handheld or wearable device, or photo-optical system.” Aside from the bill’s notice requirement, there is a prohibition of certain workplace surveillance, such as using data collected through workplace surveillance on a covered individual for a purpose that is not disclosed in accordance with the business purposes for which the data are being used…” The bill includes substantial fines for violations of the Act, including damages, statutory damages up to $100,000.


Although this bill may never be enacted, it is important to take note that lawmakers are taking notice of this topic, and for employers to consider whether enacting stricter protocols, including notices, would be a way to ease the transition and implementation, if and when federal guidelines are created.


Tips for Monitoring Policy Implementation


Employers should also consider whether the workplace surveillance practices employed cause the employer to learn information it simply does not want to know. For instance, an employer may discover through email or chat tools that an employee is a member of a protected class or engaging in protected activity. If this employee is later disciplined or terminated and files suit, at the very least, the employee might be able to demonstrate employer knowledge of the protected characteristic, which it may not have otherwise had.


Employers should be intentional in their communications to employees about what behaviors are being monitored and how they are using the data derived from monitoring. Consider the following tips when developing a companywide monitoring policy:

(1) Be clear in what exactly is governed by the monitoring policy (e.g., electronic communications, telephones, company property and premises, etc.) and inform employees that monitoring and searches can occur at any time, for any reason, with or without any further notice;

(2) Explicitly state equipment’s ownership by highlighting that the organization's computer and telephone systems and other equipment are the property of the employer, and employees should not maintain any expectation of privacy while using them or personal property to conduct company business;

(3) Be transparent in the reasoning behind the monitoring policy (e.g., to monitor performance, HR violations, etc.);

(4) Communicate potential outcomes of violating the monitoring policy, or otherwise participating in unauthorized use of the company’s information systems, such as discipline, up to and including termination;

(5) Ensure the disciplinary action pursuant to the monitoring policy is implemented fairly and consistently throughout the workplace to avoid potential discriminatory application;

(6) Include a written acknowledgement in the new-hire documents that requires all new hires to agree to abide by its terms as a condition of employment with the company;

(7) Circulate postings, notices, or other methods of reminders, that require employees to reaffirm their understanding of the policy at regular intervals;

(8) Provide employees with an outlet or space to provide feedback regarding potential burnout, high levels of stress, or other problematic effects from the monitoring policy.


Moving forward, it is paramount for employers to weigh the potential risks and benefits of surveillance and work with their legal counsel to implement legally compliant programs and practices. In addition, employers should monitor and track any changes in legislation in this space, as it is constantly evolving.



Michael A. Chichester, Jr. is a shareholder at Littler and Co-Chair of the Robotics, AI and Automation Practice Group. Michael represents employers in labor and employment relations and employment litigation defense of all types. He can be reached at [email protected]


Margaret "Ellie" McPike is an associate in Littler’s San Francisco office. Ellie represents and advises employers in a diverse range of employment law and traditional labor matters arising under federal and state laws. She can be reached at [email protected]
