Employee monitoring laws in the US and EU explained

by Liam Martin

With the rise of remote and hybrid work culture, businesses have increasingly turned to different employee monitoring methods.

But employee monitoring isn’t something new.

It’s been around for a long time and involves practices like monitoring clock-ins, using security cameras, and implementing GPS tracking.

Is it allowed?

In some cases, it’s entirely legal; in others, it can invite problems. This demands a good understanding of the employee monitoring laws specific to your country and state.

In this article, we’ll explore the different aspects of employee surveillance and the legality of different monitoring methods. We’ll also cover the main legal risks of employee monitoring, and a few tips to avoid them.

What is employee monitoring?

Before we get into the laws covering specific monitoring methods, let’s first cover what employee monitoring is and why companies do it.

Employee monitoring is the use of various surveillance and data collection methods by an employer. This can include employee monitoring software, keycards, biometrics, and other electronic monitoring practices.

According to a survey by ExpressVPN, 78% of employers acknowledged using employee monitoring tools. The same survey also found that 59% of employees remain anxious about the possibility of being monitored, highlighting a lack of clear communication and transparency.

Now, you may be wondering why companies monitor their employees.

Why do companies monitor their employees?

Most companies take to monitoring employees for two key reasons:

  • To achieve better employee productivity and work focus.
  • To ensure data security by keeping an eye on the data used and shared by employees.

The success of any monitoring program depends on the strategy and methods a company adopts.

What are some common forms of employee monitoring?

An employer can choose from various employee monitoring methods or use them in combination.

Here is a list of the popular ones:

  • Computer and workstation monitoring.
  • Internet and social media monitoring.
  • Screen content and keystrokes monitoring. 
  • Private messages and email content monitoring.
  • Phone conversations and voicemail monitoring.
  • Video and audio monitoring.
  • Personal devices monitoring.
  • Employee location monitoring.

These employee monitoring methods can be broadly categorized as invasive or non-invasive based on factors like:

  • What is being monitored?
  • Is the employee aware of being monitored?

It qualifies as invasive monitoring if you monitor your employees and gather their personal information without prior notification and consent.

Invasive monitoring can include:

  • Using employee monitoring software that runs in the background without the concerned team member’s awareness.
  • Monitoring remote employees through keystroke and screenshot tracking on computers.
  • Secretly tracking employee activity after work hours.
  • Recording phone conversations and private messages without the participants’ consent.

However, employee monitoring doesn’t always invade employees’ privacy, especially when you communicate about it to them and obtain their consent. This helps to maintain healthy employer-employee relations and establish workplace fairness. These, in turn, positively affect employee morale and productivity.

Here are a few examples of non-invasive electronic monitoring practices:

  • Using monitoring software that lets employees turn it on or off when they sign in or out from in-office or remote work.
  • Using visibly placed video surveillance cameras in shared spaces.
  • Monitoring the company-owned workstations with prior information to the employees.
  • Recording phone calls with the participants’ consent.

Now that we’ve covered the fundamentals of employee monitoring, let’s get to its legal aspect.

Yes, most employee monitoring methods are legal in the United States (US).

The federal law against privacy invasion, the Electronic Communications Privacy Act (ECPA), allows electronic monitoring of employee communication for legitimate business purposes.

You can also monitor an electronic communication if one of the participating parties has consented to it after being notified in advance. However, you must consider the state law, as some states require the consent of all participating parties.

Similarly, the Stored Communications Act enables employers to monitor employee conversations stored on a company-owned device or cloud storage. This includes email conversations stored on a company computer.

However, you must obtain their prior consent before monitoring the stored private communications, such as those on employees’ social media accounts.

In addition to these laws, the National Labor Relations Board requires employers to obtain consent from the concerned employees’ union (if it exists) before implementing monitoring methods. 

In line with the above-stated laws, there may be instances where you won’t require employees’ consent before monitoring them. However, it’s still recommended that you create a standardized company policy on employee monitoring.

This ensures that:

  • Your employees aren’t confused or apprehensive over your monitoring procedures.
  • Your monitoring activities are more transparent.
  • You’ll find it easier to deal with disputes in the future as everything is clearly outlined.

Again, the quick answer is yes.

Most forms of employee monitoring are legal in the European Union (EU). However, your monitoring policies must abide by the General Data Protection Regulation laws.

What is the GDPR?

GDPR (General Data Protection Regulation) refers to the laws that came into effect in the EU on May 25, 2018. The GDPR aims to ensure that organizations remain accountable and safeguard the personal information they collect.

It emphasizes:

  • Informing your employees about your data collection methods.
  • Storing only relevant data and updating it regularly.
  • Protecting all the data you collect.
  • Conducting a Data Protection Impact Assessment (DPIA) when dealing with personal data.

Who does the GDPR apply to?

It applies to any organization operating in the European Union (EU) and the European Economic Area (EEA), comprising Iceland, Liechtenstein, and Norway. It also includes those companies that are based outside of the EU but have its citizens as employees.

Now that we’ve covered what employee monitoring is and where it’s legal, let’s understand if employee monitoring activities can get you in trouble legally.

Employee monitoring and its methods have always invited debate on workplace monitoring ethics and trust. 

Since it directly impacts employee privacy, you should proceed cautiously when framing or implementing an employee monitoring policy.

Here are some legal issues that an employer monitoring the staff should consider:

  • Using invasive electronic monitoring methods violates the US federal and state employee privacy laws and the GDPR guidelines.
  • Using monitoring technologies for the surveillance of employee unions’ activities is prohibited by the National Labor Relations Act in the US.
  • Using employee monitoring tools that don’t effectively track employees’ time on remote work can lead to compensation-related issues.
  • Implementing overly strict and invasive electronic monitoring methods can negatively impact employee morale. This can lead to low employee productivity, health problems, burnout, or, worse, workplace accidents. The last one can lead to serious legal problems for the employer.

You can avoid these legal problems by following the practices listed below.

Employee monitoring laws over 8 common monitoring activities

Here are the 8 most commonly used employee monitoring methods and their legality.

1. Computer and workstation monitoring

This is a broad-scale form of electronic monitoring that involves tracking employee activity on a company computer or workstation. This includes monitoring stored documents and internet usage.

Why do companies do this?

Employers need to know who has access to the company’s workstations and other facilities and how they are utilized. This can protect them from potential misuse of company-owned workstations and the legal issues arising from the same.

a. US laws over computer and workstation monitoring

The Electronic Communications Privacy Act (ECPA) permits electronic monitoring of all activities on company-owned devices. Also, the Stored Communications Act lets you monitor employee electronic communication saved on company computers.

This includes computer usage that might not even be on-premise. For example, an employee working from home on a company laptop can still be monitored.

b. GDPR rules over computer and workstation monitoring

The GDPR doesn’t directly address computer monitoring.

But its workplace privacy laws do affect different aspects of it.

According to the GDPR, computer monitoring is allowed provided that:

  • Employees are given advance notice of the monitoring through a clear internal policy.
  • It is only done for legitimate business purposes and doesn’t restrict an employee’s right to privacy.

2. Internet and social media monitoring

This is a more specific form of workstation monitoring that focuses on internet use at work.

Companies do this to ensure that their employees are utilizing the internet appropriately and aren’t wasting their time on non-work related social media activities during work hours.

However, this is also done to ensure that your employees aren’t using their internet access to browse potentially dangerous sites that could jeopardize your cybersecurity.

a. US laws over internet and social media monitoring

If an employee is on company time, it’s your right to know if they’re using the internet for work-related purposes only.

What about social media?

It’s legal for employers to establish social media policies.

A social media policy may:

  • Define what sites employees can and can’t access during work hours.
  • Ask them to share their social media account details.
  • Specify what they can and cannot post on social networking sites about the company.

However, you can’t prevent employees from discussing wages or working conditions as that’s protected by federal labor law.

Are these employee monitoring laws standard across the country?

Every state has local laws regarding social media policies, so be sure to read up on them.

For example, states like California and Illinois prohibit employers from asking for employee social media login info.

b. GDPR rules over internet and social media monitoring

The GDPR doesn’t have specific rules on monitoring internet and social media use at work. However, like workstation monitoring, its privacy laws may limit what you can and can’t monitor.

3. Monitoring screen content and keystrokes

Here, monitoring software is used for logging an employee’s keystrokes and sometimes even taking screenshots of an employee’s computer screen.

Sounds intrusive?

That’s because it is.

But most companies do this for advanced data protection. Since they can monitor everything employees type and access, they have more control over the data shared.

a. US laws over monitoring screen content and keystrokes

In the US, this method usually falls under an employer’s right to monitor activities on company-owned computers.

However, as this is such an intrusive method of employee tracking, it’s best that you get employee consent before using such software. Avoid using monitoring tools that covertly run on an employee’s computer, as that could set you up for legal issues later.

b. GDPR rules over monitoring screen content and keystrokes

Remember, the GDPR is all about privacy protection.

That’s why, in most cases, it’s illegal to use monitoring tools that log keystrokes or take screenshots of your employee’s screens. The impact on employees’ privacy is considered too high to be justifiable, even on company-owned equipment.

4. Monitoring private messages and emails

While monitoring employee emails is common, some companies even track private messages sent and received on company equipment.

As with keystroke logging, this is done for security reasons. When you know who your employees interact with, you can better control who has access to sensitive information. 

This way, you can prevent a potential data breach from happening.

a. US laws over monitoring private messages and emails

Any electronic mail or private message sent or received on a company-owned device is considered company property. That’s why it is legal for companies to monitor private messages and emails.

However, as this can be seen as a direct breach of workplace privacy, it’s recommended that your company is very transparent about what you’re tracking and obtain your employee’s consent.

Is employee consent always required?

States like Connecticut and Delaware require you to inform employees that you’ll monitor their electronic activity, including email accounts.

However, this isn’t the standard across the United States, so you should consider your local and state law.

b. GDPR rules over monitoring private messages and email content

The GDPR doesn’t directly address electronic mail monitoring.

However, it has a few workplace privacy protections that you must adhere to.

Email monitoring is permitted as long as the following applies:

  • The employee is aware of and has agreed to the monitoring.
  • Employee data obtained through email monitoring is safely processed.
  • Employers have a retention period for emails and delete them after the period is up.

5. Monitoring company phone conversations and voicemails

Monitoring company phone conversations and voicemails isn’t just about listening to a conversation. It might also involve recording employee conversations. 

Employers do this to safeguard the company against any potential data breaches.

a. US laws over monitoring company phone conversations and voicemails

You can only monitor calls and voicemails for legitimate business reasons. For example, recording how your employees interact with leads is a good way to see how well they’re performing.

What about personal calls?

Things can get complicated when employees don’t use separate cell phones for private and business purposes. Remember, if it’s a company-owned phone, you do have the right to monitor what it’s used for.

However, the ECPA has an important exception to this. When the employer realizes the call is personal, they must stop monitoring it.

Does the employment law ever demand consent for recording phone calls?

Yes.

Federal law and many state employee monitoring laws allow employers to record phone calls after acquiring the required consent.

This means prior consent is required to record any employee communication.

While federal law requires the consent of one person in the conversation, some states, like Maryland, may require everyone involved in the conversation to give prior consent.

For example, if you’re recording a group call with six members, each of them has to give you prior consent, or else it’ll be considered illegal.

b. GDPR rule over monitoring company phone conversations and voicemails

The GDPR categorizes phone conversations and voicemails as personal information, which means that businesses must obtain the participants’ explicit consent before monitoring them.

The participant must give specific, unambiguous consent, like giving oral acceptance to be recorded during a call.

6. Video surveillance

Video surveillance is another common form of workplace surveillance that employers use for security reasons and to ensure the health and physical safety of the staff. 

For example, if you own a factory, monitoring your employees through video will help you step in when something goes wrong and endangers your workers.

a. US laws over video surveillance

Federal law allows video surveillance as long as it’s for legitimate business reasons. This could be to prevent theft or maintain general security. 

However, the video recording shouldn’t include an audio recording with it; if it does, the employer must also follow federal and state laws for audio monitoring.

You should notify the employees about video surveillance and register their consent.

What about security cameras in private spaces?

Though laws between states vary, monitoring private spaces is usually prohibited. This is especially true when the act is considered physically invasive, such as using hidden video cameras in locker rooms or restrooms.

States like California and New York even have laws (California Consumer Privacy Act and New York Labor Law) that restrict where and when a video camera can monitor employees.

b. GDPR rule over video surveillance

Identifiable faces are considered personal data, and most workplace surveillance tapes usually capture people who have not consented to be filmed.

Under the GDPR, this can be problematic as they need to be notified of:

  • The fact that they’re being monitored.
  • The purpose of monitoring.
  • How long the footage will be stored.
  • Who has access to the footage.

7. Monitoring personal devices

As more people use their personal devices for work, the laws over device monitoring have become a little more confusing.

Can employees still be monitored?

Let’s see:

a. US laws over monitoring personal devices

Monitoring of personal devices is allowed as long as the employer has already defined clear-cut policies about it.

What kind of policy allows the monitoring of personal devices?

This is usually in the form of a Bring-Your-Own-Device (BYOD) policy.

The BYOD can appear in an agreement, employment contract, or onboarding document.

What does agreeing to a Bring-Your-Own-Device policy mean?

With a well-defined BYOD policy, employers can obtain an employee’s consent to gather data on their device.

However, as the device is used for personal and business use, BYODs usually can’t enforce extremely intrusive monitoring methods.

b. GDPR rule over monitoring personal devices

As the GDPR heavily focuses on protecting employees from an invasion of privacy, it’s very strict about personal device monitoring.

It prevents employers from using scanning software that can access employees’ personal information available on their devices.

8. Monitoring employee location

Monitoring employees’ location is useful in the case of a workforce comprising field workers and for delivery and transportation businesses. 

It is done through GPS tracking that provides real-time information about the employees’ location during working hours.

a. US laws over monitoring employees’ location

The ECPA doesn’t directly address employee location tracking, so you should consider the concerned state’s laws before proceeding with it. 

Just like with other types of monitoring, it is recommended that you inform the remote workers about how and when their location will be monitored. It can be easily done either through a digital or written notice.

Additionally, you should account for factors like:

  • Who owns the vehicle to be tracked (company or employee)?
  • Who owns the phone to be tracked?
  • Does the employee use the tracked phone or vehicle for personal purposes?

b. GDPR rule over monitoring employees’ location

GDPR requires employers to conduct a DPIA if they want to track the location of remote workers. The DPIA will, in turn, provide you with a legal basis for tracking your employees. 

It is important to note that you can’t use just the employees’ consent as a legal basis for location tracking. There should be two or more other valid reasons. 

Let’s take a look at what could be those reasons:

  • A legal obligation requires you to track employees’ location.
  • It is required to ensure the employee’s safety or that of any other person.
  • It is required for the fulfillment of an employee’s duties stated in the work contract.
  • It is required for the fulfillment of activities carried out in the public interest.
  • It is required in the interest of the employer or a third party, given that the fundamental rights of the employee do not outweigh these interests.

Now, let us consider the possible legal repercussions of employee tracking.

3 best practices to implement employee monitoring successfully

Now that you know what’s legal and what isn’t, you might be wondering:

“How do I implement employee monitoring the right way?”

While all this can seem overwhelming, there are some best practices you can follow to streamline this process:

1. Always look at the relevant laws

As employee and workplace monitoring can vary with countries, states, and even counties – be sure to consult all the possible laws before monitoring your employees.

This is particularly important when implementing monitoring methods for a globally-distributed team of remote employees. This is because workplace privacy related restrictions can get more stringent in this case.

Ideally, consult with law firms to ensure you’re complying with what’s legal. This is especially important when a certain employment law changes, and you need to update your policies.

2. Be transparent about everything

While it’s not mandatory to inform your employees of certain monitoring measures, it’s always a good idea to be transparent about them. Additionally, it is recommended that you obtain their written consent at the time of hiring regarding the monitoring methods that you’ll be using.

Inform your employees through a digital or written notice about:

  • What you’re tracking.
  • Why you’re tracking it.
  • When you’ll be tracking it.

This way, they’ll have a better idea of the reasoning behind your measures and will be more receptive to them. Moreover, this’ll promote workplace fairness at your company. 

3. Use employee-friendly tools

Another good way of implementing employee monitoring is by using a transparent time tracking or monitoring software application.

Avoid using employee monitoring tools that secretly monitor the staff members, like keyloggers that run in the background. This can lead to decreased employee trust and also set you up for legal issues.

Instead, use time tracking tools like Time Doctor that allow your employees to control when they’re monitored. This way, you get their consent by default and won’t face the issues associated with covert monitoring.

Summing it up

While the various employee monitoring laws can seem overwhelming at first, they all follow a basic principle: always have a good reason to monitor your employees and respect their personal privacy.

Once you follow all the tips we mentioned here and the applicable laws, you’ll have no difficulty implementing an effective monitoring policy at your company.
