Confused about employee monitoring laws?
As more people adopt remote work as a result of COVID-19, businesses have been forced to use remote monitoring measures to keep a check on their workers’ productivity.
But employee monitoring isn’t new.
It’s been around for ages and involves things like monitoring clock-ins, using security cameras, and implementing GPS tracking.
Is it allowed?
In some cases, it’s entirely legal and in others – it can be problematic.
To clear everything up, we’ll be covering everything you need to know about employee monitoring laws to ensure that your business complies with what’s allowed.
This Article Covers:
- Computer and workstation monitoring
- Internet and social media monitoring
- Screen content and keystroke monitoring
- Monitoring emails and private messages
- Monitoring phone conversations
- Video surveillance
- Monitoring personal devices
What Is Employee Monitoring?
Before we get into the laws covering specific monitoring methods, let’s first cover what employee monitoring is and why companies do it.
Employee monitoring is the use of various surveillance and data collection methods by an employer. This can include employee monitoring software, keycards, biometrics – and various other methods.
Why do companies do this?
Most companies monitor their employees for two key reasons:
- To ensure that their employees are productive and focused on their work
- To keep an eye on the data their employees share for data security reasons
What are some common forms of employee monitoring?
Here’s a quick look at the most common employee monitoring methods:
- Computer & workstation monitoring
- Internet and social media monitoring
- Monitoring screen content and keystrokes
- Monitoring private messages and email content
- Monitoring company phone conversations and voicemail
- Video and audio monitoring
- Monitoring personal devices
However, it’s important to note that not all monitoring methods were created equal.
Each of these methods varies in terms of effectiveness and legality.
Luckily, we’ll break down each method later on in the article!
Is It Legal To Monitor Employees in the United States?
The quick answer is, yes, most employee monitoring methods are legal in the United States (US).
Additionally, federal legislation doesn’t require employers to disclose monitoring activity to workers. However, it’s still recommended that you create standardized company policies over employee monitoring.
This ensures that:
- Your employees aren’t confused or apprehensive over your monitoring procedures
- Your monitoring activities are more transparent
- You’ll find it easier to deal with disputes in the future as everything was clearly outlined
Is It Legal To Monitor Employees in Europe?
Again, the quick answer is yes.
Most forms of employee monitoring are legal in the European Union (EU). However, it’s essential that your monitoring policies abide by the GDPR laws.
What is the GDPR?
GDPR (General Data Protection Regulation) refers to the laws that came into effect in the EU on May 25, 2018. The GDPR aims to ensure that organizations remain accountable and safeguard the personal information they collect.
- Informing your employees about your data collection methods.
- Ensuring that you get their consent for personal data collection.
- Protecting all the data you collect.
Who does the GDPR apply to?
It applies to any organization operating in the EU, including those that are based outside of it but have employees in the EU.
The Laws Over 7 Common Monitoring Activities
Now that we’ve covered what employee monitoring is and where it’s legal, let’s get into outlining the various monitoring methods you can use at your company:
1. Computer & Workstation Monitoring
This is a broad-scale form of monitoring that involves tracking employee activity on a company computer or workstation. This includes monitoring stored documents and internet usage.
Why do companies do this?
Employers want to know who has access to company equipment and what was done with it. This can safeguard them against equipment misuse – which might lead to legal complications later on.
US laws over computer & workstation monitoring
The Electronic Communications Privacy Act (ECPA) permits an employer to monitor all activities on a computer that is company property.
This includes computer usage that might not even be on-premises. So if you’re working from home on a company laptop, your activities can still be legally monitored.
GDPR rules over computer & workstation monitoring
The GDPR doesn’t directly address computer monitoring.
But its privacy laws do affect different aspects of it.
According to the GDPR, computer monitoring is allowed provided:
- Employees are given advance notice of the monitoring through a clear internal policy.
- It is only done for a legitimate business purpose and doesn’t restrict an employee’s fundamental right to privacy.
2. Internet and Social Media Monitoring
This is a more specific form of workstation monitoring that focuses on internet usage at work.
Companies do this to ensure that their employees are using the internet for appropriate reasons and aren’t wasting all of their time watching cat videos on Facebook!
However, this is also done to ensure that your employees aren’t accessing potentially dangerous sites that could jeopardize your data security.
US laws over internet and social media monitoring
If you’re on company time, it’s your employer’s right to know if you’re using the internet for work-related purposes.
What about social media?
It’s legal for employers to establish social media policies.
A social media policy may:
- Define what sites you can and can’t access during work hours.
- Ask you to share your social media account details.
- Specify what you can and cannot post on social networking sites about your employer.
However, most employer policies can’t prevent you from discussing wages or working conditions as that’s protected by federal labor law.
Are these laws standard across the country?
Every state has local laws regarding social media policies so be sure to read up on them.
For example, states like California and Illinois prohibit employers from asking for employee social media login info.
GDPR rules over internet and social media monitoring
The GDPR doesn’t have specific rules on monitoring internet and social media use at work. However, similar to workstation monitoring, its privacy laws may limit what you can and can’t monitor.
3. Monitoring Screen Content and Keystrokes
This is another common form of workstation monitoring.
Here, monitoring software is used to log an employee’s keystrokes and sometimes even take screenshots of an employee’s computer screen.
That’s because it is.
But most companies do this for advanced data protection. As they can monitor everything you’re typing and can see what you’re accessing, they have more control over the data you’re sharing.
US laws over monitoring screen content and keystrokes
In the US, this method usually falls under an employer’s right to monitor activities on company-owned computers.
However, as this is such an intrusive method of employee monitoring, it’s best that you get your employee’s consent before using such software. Avoid using tools that covertly run on an employee’s computer as that could set you up for legal issues later on.
GDPR rules over monitoring screen content and keystrokes
Remember, the GDPR is all about privacy protection.
That’s why, in most cases, it’s illegal to use tools that log keystrokes or take screenshots of your employees’ screens. The impact on employees’ privacy is considered too high to be justifiable, even on company equipment.
4. Monitoring Private Messages and Emails
This is another common – and controversial – form of employee monitoring.
While monitoring employee emails is common practice, some companies even track private messages sent and received on company equipment.
As with keystroke logging, this is done for security reasons. When you know who your employees are interacting with, you can better control who has access to sensitive information. This way you can prevent a potential data breach from happening.
US laws over monitoring private messages and emails
Any email or private message sent or received on a company-owned device is considered company property. That’s why it is legal for companies to monitor private messages and emails as well.
However, as this can be seen as a huge breach of employee privacy, it’s recommended that your company be very transparent about what you’re tracking and obtain your employees’ consent.
Is an employee’s consent always required?
However, as this isn’t standard across the United States, it’s important to consult with your local and state laws as well.
GDPR rules over monitoring private messages and email content
The GDPR doesn’t directly address email monitoring.
However, it has a few privacy protections that must be adhered to.
Email monitoring is permitted as long as the following applies:
- The employee is aware of and has agreed to the monitoring.
- Any personal data obtained or related to your employee email accounts can only be shared with their consent.
- Employers should have a retention period for emails and delete them after the period is up.
5. Monitoring Company Phone Conversations & Voicemail
Monitoring company phone conversations and voicemail isn’t just about listening in to a conversation. It might also involve recording these conversations.
Similar to monitoring emails, this is done to safeguard the company against potential data breaches. As you know who your employees are talking to and what they’re sharing, you can control where your data goes.
US laws over monitoring company phone conversations & voicemail
You can only monitor calls and voicemails for legitimate business reasons. For example, recording how your employees interact with leads is a good way to see how well they’re performing.
What about personal calls?
When employees don’t use separate phones for private and business purposes, things can get complicated. Remember, if it’s a company-owned phone, you do have the right to monitor what it’s used for.
However, the ECPA has an important exception to this.
When the employer realizes the call is personal, they must stop monitoring the call.
Does the law ever demand consent for recording phone calls?
Federal law and many state laws enforce a “prior-consent exception.”
This means that prior consent is required for any conversation to be recorded.
While federal law requires the consent of one person in the conversation, other states, like Maryland, may require everyone involved in a conversation to give prior consent.
For example, if you’re recording a group call with six members, each of them has to give you prior consent or else it’s illegal.
GDPR rule over monitoring company phone conversations & voicemail
The GDPR categorizes conversations and voicemail as personal information which means consent cannot be assumed.
The participant must give specific, unambiguous consent to be recorded — like giving oral acceptance to be recorded during a call.
6. Video Surveillance
Video surveillance is another common form of employee monitoring.
While it’s usually done for security reasons – it can also be for health purposes. For example, if you operate a factory, monitoring your employees via video will help you step in when something goes wrong and endangers your workers.
US laws over video surveillance
Federal law allows video surveillance as long as it’s for legitimate business reasons. This could be to prevent theft or maintain general security.
What about security cameras in private spaces?
Though laws between states vary, the monitoring of private spaces is usually prohibited. This is especially true when the act is considered physically invasive, such as using hidden video cameras in locker rooms or restrooms.
GDPR rule over video and audio monitoring
Identifiable faces are considered personal data, and most video surveillance tapes usually capture people who have not consented to being filmed.
Under the GDPR, this can be problematic as they need to be notified of:
- The fact that they’re being monitored
- The purpose of monitoring
- How long the footage will be stored
- Who has access to the footage
7. Monitoring Personal Devices
As more and more people are using their personal devices for work, the laws over device monitoring have become a little more confusing.
After all, this is your device – not the company’s.
So do they still get to monitor you?
US laws over monitoring personal devices
Monitoring of personal devices is allowed, as long as the employer has already defined clear-cut policies over it.
What kind of policy allows monitoring of personal devices?
This is usually in the form of a Bring-Your-Own-Device (BYOD) policy.
The BYOD policy can appear in an agreement, employment contract, or onboarding document.
What does agreeing to a Bring-Your-Own-Device policy mean?
With a well-defined BYOD policy, employers can obtain an employee’s consent to gather data on their device.
However, as the device will be used for personal and business use, BYOD policies usually can’t enforce extremely intrusive monitoring methods.
GDPR rule over monitoring personal devices
As the GDPR heavily focuses on protecting employees from an invasion of privacy, it’s very strict about personal device monitoring. In most cases, monitoring keystrokes, screen activity and call activity on personal devices should be avoided.
3 Tips On Implementing Employee Monitoring Successfully
Now that you know what’s legal and what isn’t, you might be wondering:
“How do I implement employee monitoring the right way?”
While all this can seem overwhelming, there are a few simple tips you can follow to streamline this process:
A. Always look at country, state and local laws
As employee and workplace monitoring can vary with countries, states and even counties – be sure to consult all the possible laws before monitoring your employees.
Ideally, consult with law firms to ensure you’re complying with what’s legal. This is especially important when certain employment laws change and you need to update your policies.
B. Be Transparent About Everything
While it’s not mandatory to inform your employees of certain monitoring measures, it’s always a good idea to be transparent about them.
Inform your employees about:
- What you’re tracking
- Why you’re tracking it
- When you’ll be tracking it
This way, they’ll have a better idea of the reasoning behind your measures and will be more receptive to them.
C. Use Employee-Friendly Tools
Another good way of implementing employee monitoring is by using transparent monitoring software.
Avoid using tools that covertly monitor your employees like keyloggers that run in the background. Not only will this lead to decreased employee trust – it can set you up for legal issues.
Instead use transparent tools like Time Doctor that allow your employees to control when they’re monitored. This way, you get their consent by default and won’t face the issues associated with covert monitoring.
Summing It Up
While the various employee monitoring laws can seem overwhelming at first, they all follow a basic principle:
Always have a good reason to monitor your employees and respect their personal privacy.
Once you follow all the tips we mentioned here and consult with your country, state and local laws – we’re sure you’ll have no difficulty implementing an effective monitoring policy at your company.
Liam Martin is the co-founder of Time Doctor—one of the world’s leading time tracking software for remote teams. He is also the co-organizer of Running Remote, the world’s largest remote work conference.