Privacy Rights in a Remote Work World: Can My Employer Monitor My Activity?
The rise in remote work has brought with it a rise in employee monitoring. Between 2019 and 2021, the percentage of employees working primarily from home tripled. As “productivity paranoia” crept in, employers steadily adopted employee surveillance technologies. This has raised questions about the legal and ethical implications of enhanced monitoring, in some cases prompting proposed legislation or the expanded use of laws already on the books.
Employee monitoring is nothing new. Employers have long used supervisors and timeclock programs, among other systems, to monitor employee activity. What is new, however, is the proliferation of sophisticated monitoring technologies—as well as the expanding number and variety of companies that are employing them.
While surveillance was once largely confined to lower-wage industries, white-collar employers are increasingly using surveillance technologies to track their employees’ activity and productivity. Since the COVID-19 pandemic started in March 2020, one in three medium-to-large companies has adopted some form of employee monitoring, with the total fraction of employers using surveillance technologies closer to two in three. Workers who are now subject to monitoring technologies include doctors, lawyers, academics, and even hospice chaplains. Employee monitoring technologies can track a range of information, including:
Internet use (e.g., which websites and apps an employee has visited and for how long);
How long a computer sits idle;
How many keystrokes an employee types per hour;
Emails that are sent or received from a work or personal email address (if the employee is logged into a personal account on a work computer);
Screenshots of a computer’s display; and
Webcam photos of the employee throughout the day.
These new technologies, coupled with the shift to remote work, have blurred the line between the professional and the personal, the public and the private. In the face of increased monitoring, this blog explores federal and state privacy regulations and protections for employees.
What are the legal limitations on employee monitoring?
There are two primary sources of restrictions on employee monitoring: (1) the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq.; and (2) common-law protections against invasions of privacy. The ECPA is the only federal law that regulates the monitoring of electronic communications in the workplace. It extends the Federal Wiretap Act’s prohibition on the unauthorized interception of communications, which was initially limited to oral and wire communications, to cover electronic communications like email. As relevant here, the ECPA contains two major exceptions. The first exception, known as the business purpose exception, allows employers to monitor employee communications if they can show that there is a legitimate business purpose for doing so. The second exception, known as the consent exception, permits employers to monitor employee communications so long as they have consent to do so. Notably, this exception is not limited to business communications, allowing employers to monitor employees’ personal communications if they have the requisite consent. Together, the business purpose and consent exceptions significantly limit the force of the ECPA, such that, standing alone, it permits most forms of employee monitoring.
In addition to the ECPA’s limited protections from surveillance, however, some states have adopted additional protections of employee privacy. Several state constitutions, including those of California, South Carolina, Florida, and Louisiana, guarantee citizens a right to privacy. While these provisions do not directly regulate employers’ activity, they may bolster employees’ claims to an expectation of privacy. Other states have enacted legislation that limits an employer’s ability to monitor employees’ social media accounts. Virginia, for example, prohibits employers from requiring employees to disclose their social media usernames or passwords. And a few states have enacted laws to bolster employees’ access to their data. For example, the California Privacy Rights Act (CPRA), which comes into full effect on January 1, 2023, and replaces the California Consumer Privacy Act (CCPA), will provide employees with the right to access, delete, or opt-out of the sale of their personal information, including data collected through employee monitoring programs. Employees will also have the right to know where, when, and how employers are using their data. The CPRA’s protections are limited, however. Employers will still be able to use surveillance technologies, and to make employment decisions based on the data these technologies gather.
Finally, several states require employers to provide notice to employees before monitoring or intercepting electronic communications. New York recently adopted a law, Senate Bill (SB) S2628, that requires all private-sector employers to provide notice of any electronic monitoring to employees (1) upon hiring, via written or electronic employee acknowledgment; and (2) in general, in a “conspicuous place” in the workplace viewable to all employees. The new law is aimed at the forms of monitoring that have proliferated since the shift to remote work, and covers surveillance technologies that target the activities or communications of individual employees. Delaware and Connecticut also have privacy laws that predate SB S2628. Delaware requires notice to employees upon hire that they will be monitored, but does not require notice within the workplace. Meanwhile, Connecticut requires notice of monitoring to be conspicuously displayed in the workplace but does not require written notice to employees upon hire. Accordingly, in many states, employee privacy protections exceed the minimum standard of the ECPA, though they still are not robust.
How does employee monitoring intersect with other legal rights?
Other legal protections further limit employee monitoring.
First, in at least some jurisdictions, employees who access personal emails on their work computer, or conduct other business that would be protected under attorney-client privilege, maintain their right to privacy for those communications. In Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009), the Superior Court of New Jersey, Appellate Division, considered a case in which an employee had accessed her personal email account on her employer’s computer and exchanged emails from that account with her attorney regarding a possible employment case against her employer. The employer, who had installed an employee monitoring program, was able to access and read the employee’s emails. The Court held that the employee still had a reasonable expectation of privacy and that sending and receiving emails on a company-issued laptop did not waive the attorney-client privilege. The Court thus required the employer to turn over all emails between the employee and her attorney that were in its possession and directed the employer to delete all of these emails from its hard drives. Moving forward, the Court instructed that, while “an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest,” such a business interest held “little force . . . when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.” Stengart, 408 N.J. Super. at 74.
Second, employee monitoring can run afoul of protections related to union and other concerted activity. The General Counsel for the National Labor Relations Board (NLRB) recently announced a plan to curtail workplace surveillance technologies. Existing law prohibits employers from using surveillance technologies to monitor or record union activity, such as by recording employees engaged in picketing, or otherwise interfering with employees’ rights to engage in concerted activity. The General Counsel’s plan outlines a new, formal framework for analyzing whether employee monitoring interferes with union or concerted activity. Under this framework, an employer presumptively violates Section 7 or Section 8 of the National Labor Relations Act (NLRA) where their “surveillance and management practices, viewed as a whole, would tend to interfere with or prevent a reasonable employee from engaging in” protected activities. Examples of technologies that are presumptively violative include key loggers, webcam photos, and audio recordings.
Do I have a claim against my employer?
While federal and state restrictions on employee monitoring are limited, you may have a legal claim against your employer if its monitoring is overly intrusive or it mishandles your personal data. First, an invasion-of-privacy claim, for the tort of intrusion upon seclusion, could exist if your employer monitors your activity in a way that would be highly offensive to a reasonable person, such as by accessing your work laptop’s webcam or internal microphone and listening in on private affairs in your home. Second, you may have a claim against your employer for violating its legal duty to protect your personal information if data it collects in the course of monitoring your work activity is compromised. In Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), employees at the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) filed a class-action complaint alleging that UPMC breached its legal duty of reasonable care when it failed to protect employees’ data, which was stolen from UPMC computers. The Pennsylvania Supreme Court found for the plaintiffs, holding that employers have an affirmative duty to protect the personal information of their employees. Because the Pennsylvania Supreme Court’s holding was grounded in tort principles that are recognized by many states (i.e., duty of care and negligence), it may pave a path for future cases in other jurisdictions. Third, if any medical information is accessed and improperly used by your employer, you may have a claim under the Americans with Disabilities Act, which requires that employers keep all employee medical information confidential and separate from all other personnel information. See 42 U.S.C. § 12112(d)(3)(B)-(C), (4)(B)-(C).
Employees are monitored more consistently and in more ways than ever before. By and large, employee monitoring is legal. Employers can monitor your keystrokes, emails, and internet activity, among other metrics. While federal regulation of employee monitoring is limited, some states offer additional protections of employee privacy. Most notably, employers are increasingly required to inform employees that their activity will be monitored. Moreover, other legal rights, such as the right to engage in concerted activity and to have your medical information kept confidential, provide checks on employee surveillance. As employee monitoring becomes more commonplace, restrictions on surveillance technologies and avenues for legal recourse may also grow.