The Federal Baseline: ECPA and Its Exceptions
The primary federal law governing workplace monitoring is the Electronic Communications Privacy Act (ECPA) of 1986. Yes, 1986 — it was written before the World Wide Web existed. Despite its age, it remains the foundation of US monitoring law.
The ECPA generally prohibits intercepting electronic communications. However, it includes two critical exceptions for employers:
- The Business Purpose Exception: Employers can monitor communications on systems they provide for legitimate business reasons. This covers monitoring activity on company-owned computers, phones, and networks.
- The Consent Exception: If an employee consents to monitoring (even implicitly, through an acceptable use policy), the ECPA's protections don't apply.
In practice, these exceptions are broad enough that most workplace monitoring on company devices is legal under federal law. However — and this is important — federal law is just the floor, not the ceiling.
This article provides general information, not legal advice. Employment law varies by jurisdiction. Consult qualified legal counsel for guidance specific to your situation.
State Laws: Where It Gets Complicated
Several states impose additional requirements beyond federal law. Here are the most significant as of early 2020:
Connecticut (CGS § 31-48d): Employers must give written notice to employees about the types of electronic monitoring being conducted. This is one of the strongest state notification requirements.
Delaware (19 Del. C. § 705): Similar to Connecticut — employers must provide written notice of electronic monitoring to employees. Notice must be provided at hire and acknowledged in writing.
California (CCPA): The California Consumer Privacy Act went into effect on January 1, 2020. While the initial regulations mostly exempt employee data, this exemption is temporary and expected to expire. California employers should be preparing for a future where employee monitoring data is subject to CCPA requirements — including the right to know what data is collected, the right to access it, and potentially the right to deletion.
New York: No specific employee monitoring statute, but employers who monitor phone calls must inform callers. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes data security obligations that could apply to monitoring data.
BYOD Complications
The legal landscape gets murkier when employees use personal devices for work — the Bring Your Own Device (BYOD) scenario. Federal courts have generally held that employees have a greater expectation of privacy on personal devices, even when those devices are used for work.
If you implement monitoring on personal devices, you need:
- Explicit, written consent — not just a clause buried in an employee handbook
- Clear scope limitations — monitoring should be limited to work applications and work hours
- A separation mechanism — the tool should distinguish between work and personal activity
At Teambridg, our agent is designed with BYOD in mind. The pause feature allows employees to stop monitoring during personal time, and our activity tracking only captures application categories — never content, keystrokes, or screenshots. But even with these safeguards, we recommend that BYOD monitoring policies get extra legal scrutiny.
Best Practices for Legal Protection
Regardless of your specific jurisdiction, these best practices will keep you on solid legal ground:
- Written monitoring policy: Document what you monitor, why, how data is stored, who can access it, and how long it's retained. Distribute this to all employees.
- Signed acknowledgment: Have employees sign an acknowledgment that they've received and understood the monitoring policy. This doesn't need to be enthusiastic consent — just documented awareness.
- Consistent application: Apply monitoring policies uniformly. Monitoring some employees but not others with the same job function invites discrimination claims.
- Reasonable scope: Limit monitoring to what's necessary for legitimate business purposes. "We monitor everything because we can" is not a defensible position.
- Data security: Monitoring data is sensitive. Apply appropriate access controls, encryption, and retention limits. A monitoring data breach could create significant liability.
The legal trend is clear: employee privacy protections are expanding, not contracting. Organizations that adopt ethical monitoring practices today aren't just doing the right thing — they're building compliance resilience for whatever comes next.
Teambridg is free for teams up to 3 users. No credit card required.