Introduction
This guide will assist in-house counsel, private practice lawyers and human resource professionals with developing an employee monitoring program and policy.
This guide covers:
- Overview of employee monitoring
- Legal considerations relating to employee monitoring
- Monitoring employee social media activity
- Developing an employee monitoring policy
This guide can be read in conjunction with How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklists: Developing a Bring Your Own Device (BYOD) policy and Developing an Equal Employment Opportunity Commission (EEOC) compliant policy.
Section 1 – Overview of employee monitoring
Employee monitoring refers to the systems and processes an employer implements in order to monitor the activity of its employees during working hours. This may include monitoring an employee’s:
- computer activity;
- email and network usage;
- time spent on tasks; and
- location during the working day, including the location of vehicles through GPS tracking systems.
The reasons for carrying out employee monitoring vary, but usually include the following:
- to improve productivity;
- to improve workplace security;
- to prevent unacceptable behavior in the workplace, such as bullying and harassment; and
- to ensure the protection of trade secrets and sensitive organization data (eg, see Pfizer v Li, No. 21-cv-1980 (SD Cal), in which an employer utilized sophisticated employee monitoring methods and tracking technology).
Some of the key considerations of any employee monitoring program are as follows:
- ensuring transparency toward employees in relation to when, how and why their activities are being monitored;
- ensuring that any monitoring is lawful;
- establishing who will be monitored (eg, employees, contractors, interns and volunteers might all be subject to monitoring);
- establishing non-discriminatory processes and procedures;
- drafting and implementing a written employee monitoring policy that is distributed to and acknowledged by anyone subject to monitoring; and
- establishing what data is being accessed and processed through monitoring and ensuring that the employer has obtained the relevant authorizations.
There are a number of potentially difficult issues for employers to consider in relation to employee monitoring, including those listed below:
- employee monitoring can trigger laws in a number of different areas, including data privacy and discrimination (see section 2 below);
- when using employee monitoring software, employers should consider whether the computers are owned by the employer, as well as how the employer will monitor the employee’s computer conduct (eg, websites visited, social media usage and productivity measurement). The employer will also need to consider the extent to which any employee activities that do not relate to work are being monitored, whether deliberately or inadvertently;
- if using CCTV, employers should establish where they are legally permitted to locate the cameras;
- monitoring of employees who are working remotely, in particular in overseas locations, is likely to be more difficult, as the employees are working away from employer-owned premises and overseas laws may apply; and
- employers need to take steps to avoid invasive employee monitoring, by avoiding any unnecessary capturing of sensitive personal employee information such as information relating to medical conditions.
Section 2 – Legal considerations relating to employee monitoring
Before implementing any employee monitoring policy, employers must ensure they understand the relevant legal landscape. The primary goals of laws relating to employee monitoring are protecting the privacy of employees and preventing discriminatory practices. The relevant laws for employers to take into account when developing and administering an employee monitoring program are outlined below.
2.1 International law
Organizations engaging in international business should consider the applicability of Europe’s General Data Protection Regulation (GDPR). The GDPR is a European law that establishes protections for the privacy and security of an individual’s personal data, and which all European Economic Area (EEA) states are required to adopt domestically. It applies to the collection and processing of personal information:
- for activities within the borders of EEA countries;
- related to the offering of goods or services to EEA residents; or
- which involves monitoring the activities of EEA residents.
The EEA covers most of Europe and includes Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Norway, Iceland, and Liechtenstein.
In addition to impacting how employers can collect and process their employees’ personal data, the GDPR includes detailed requirements that apply in the event of a data breach of customer information. The GDPR therefore also presents a justification for monitoring employees based on seeking to avoid a data breach, in particular if the employees are working outside of a controlled office space.
Requirements of the EU GDPR also form part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.
For further information about the GDPR in the EU, see How-to guide: How to ensure compliance with the GDPR (EU) and in the UK, see How-to guide: How to ensure compliance with the GDPR (UK).
In addition to the GDPR, individual countries within and outside the EU may have their own data privacy laws and regulatory and advisory bodies. For example, Germany has its own national data protection laws. As another example, the ICO is the UK’s independent body for upholding information rights. Additionally, Canada, Japan, Brazil, and Australia all have information privacy laws that could impact employee monitoring.
Penalties for noncompliance can be significant. For example, in December 2023, the French Data Protection Authority (CNIL) fined Amazon €32 million for ‘excessive’ employee monitoring. See CNIL, ‘Employee monitoring: CNIL fined AMAZON FRANCE LOGISTIQUE €32 million’.
With the ongoing trend of remote working, it is important to note that the GDPR and other data-related laws may apply in circumstances when an employee is working remotely overseas.
2.2 Federal law
2.2.1 Electronic Communications Privacy Act (ECPA)
The pioneering federal legislation relating to surveillance control was the Federal Wiretap Act of 1968 (18 USC sections 2510-2523) (Wiretap Act), which prohibited the interception and disclosure of wire, oral, and electronic communications, as well as the manufacture, distribution and possession of interception devices. As technology continued to develop, the Wiretap Act was updated in 1986 by the Electronic Communications Privacy Act (ECPA). In order to adapt to developments in technology, the ECPA has been updated and amended through legislation such as the Stored Communications Act and the Patriot Act of 2001.
The ECPA, as amended, is designed to protect wire, oral, and electronic communications. Protection under the ECPA covers communications as they are made, communications in transit, and communications that are stored electronically. The ECPA applies broadly, and includes email, telephone conversations, and data stored electronically.
Federal workplace privacy and employee monitoring rules stem primarily from the ECPA. The ECPA allows organizations to monitor employees’ verbal and written communications provided the organization has a legitimate business reason for doing so. See, for example, Adams v City of Battle Creek, 250 F 3d 980 (6th Cir 2001), where employee monitoring was allowed provided it was:
- for a legitimate business purpose;
- routine; and
- with notice.
The ECPA also permits additional monitoring if the employee gives consent. However, the lawfulness of monitoring becomes less clear when the employee accesses their personal emails, social media, and other accounts using the employer’s computer or other employer-owned device.
In Stengart v Loving Agency, Inc, 201 NJ 300, 990 A2d 650 (NJ 2010), it was held that an employer’s policy did not allow the employer to monitor an employee’s personal email account because the employer had not expressly notified the employee of this possibility. However, in Holmes v Petrovich Development Co, LLC, 191 Cal App 4th 1047 (2011), it was held that an employee’s email communications sent over the employer’s server were not protected because the employee had no reasonable expectation of privacy, since:
- the employer had previously notified the employee pursuant to a company policy that any communications transmitted through its network may be monitored; and
- the employee acknowledged receipt of the policy.
On February 2, 2023, US Senator Casey introduced the Stop Spying Bosses Act, which mandated transparency regarding workplace surveillance for employers with over ten workers, including government entities. Employers would have been required to disclose in detail to workers and applicants what specific data is collected (eg, communication, activity, location), how it is used (performance evaluation, security), and its impact on performance assessments.
Crucially, the bill would have prohibited surveillance for specific purposes: monitoring labor organizing, collecting unrelated health data, tracking off-duty activities or in private areas, and using automated systems to predict non-job-related behavior. Employers would also have been required to reveal when surveillance data informs work-related decisions and allow workers to review this data. Transferring surveillance data to third parties would have necessitated adherence to defined requirements.
No further action was taken on the bill after the day it was introduced, when it was read twice and referred to the Committee on Health, Education, Labor, and Pensions. The bill died on the sine die adjournment of Congress and has not been reintroduced.
2.2.2 Other federal provisions
Other federal provisions relate to how employers can use the data or information collected by the employer as a result of monitoring, rather than specifically to the monitoring itself. For example, Title VII of the Civil Rights Act of 1964 (Title VII) prohibits employment discrimination based on race, color, religion, sex, or national origin. Titles I and V of the Americans with Disabilities Act (ADA) prohibit employers from discriminating against qualified individuals with disabilities in the employment relationship including hiring, compensation and termination. They also protect employees in relation to other terms, conditions, and privileges of employment. Both laws apply to employers that have 15 or more employees for each working day in each of 20 or more calendar weeks.
Equal Employment Opportunity Commission
The Equal Employment Opportunity Commission (EEOC) is a federal agency responsible for enforcing US federal employment discrimination laws, with a stated mission to ‘prevent and remedy unlawful employment discrimination and advance equal opportunity for all in the workplace.’
Employers must ensure that they do not use any data collected during monitoring in a way that is discriminatory and in contravention of Title VII or the ADA. Failure to do so could lead to receipt of an EEOC charge (see Checklist: Responding to an Equal Employment Opportunity Commission (EEOC) charge for further information).
National Labor Relations Board
The National Labor Relations Board (NLRB) is an independent federal agency created in 1935, charged with the power to safeguard employees’ rights to organize and to engage in seeking better working conditions. The NLRB receives complaints on workforce issues and issues rulings on cases where settlement is not possible. While the NLRB has no independent power to enforce its orders, it may seek enforcement through a US court of appeals. Advice Memoranda issued by the NLRB can be used as helpful guides by employers when developing employee monitoring processes, in particular in relation to the use of employer computer equipment, or an employee’s access to their private social media accounts during work hours. For example, see Northstar Insurance Advisors, Case #14-CA-285828, issued 07/19/2022, released 11/30/2022, which considered an employer’s rule governing use of its email and communication systems.
The NLRB has held that it is an unlawful practice for employers to monitor employees in a manner that creates the impression that the employees’ protected union activities are under surveillance. See Stern Produce Company, Inc, 372 NLRB No 74 (Apr 11, 2023). That particular decision was, however, reversed by the US Court of Appeals for the District of Columbia Circuit, which held that on the facts of that particular case the employee had no reason to believe that they were being monitored for pro-union activity. See Stern Produce Company, Inc v NLRB, 97 F 4th 1 (DC Cir 2024).
2.3 State law
In addition to the international and federal laws referenced above, employers should be aware that there may be relevant state laws to take into account. Some examples are provided below.
2.3.1 California
The California Privacy Rights and Enforcement Act of 2020 (CPRA) grants employees the same rights that consumers have under the California Consumer Privacy Act (CCPA). The compliance date for the CPRA was January 1, 2023, with Regulations that took effect April 1, 2023. The CPRA also has a look-back window to January 1, 2022, meaning any information collected subsequent to that date is subject to the CPRA rules. The CPRA applies to for-profit organizations that do business in the state of California and meet one or more of the following criteria:
- has annual gross revenues of $25 million as of January 1 for the preceding calendar year; or
- sells, buys, or shares the personal information of 100,000 California households or consumers; or
- derives 50% or more of its revenues from sharing (a newly defined term) or selling personal information.
Employees’ rights under the CPRA are now the same as for consumers and are as follows:
- to access the personal information held by their employer;
- to correct their personal information;
- to delete their personal information;
- to opt out of the sale or sharing of their personal data;
- to maintain data portability (the right to obtain and reuse their own data);
- to limit the use of their sensitive personal information; and
- to exercise their privacy rights with no retaliation.
See California Consumer Privacy Act of 2018, sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135, and Statement from the Attorney General (2024).
From a practical standpoint, employers may continue monitoring employees and employer-owned devices provided there are legitimate business reasons for doing so. However, the CPRA now provides employees with the rights listed above in relation to data collected by employee monitoring software, meaning that employers who collect employee data must develop systems that provide for the deletion of data upon the request of the employee. Further, employees have the right under the CPRA to know where, when, and why their employers are using their personally identifiable data.
2.3.2 New York
Effective as of May 7, 2022, New York employers must provide notice to employees if the employer is electronically monitoring phones, emails, or internet usage. The new state law ‘Employers Engaged in Electronic Monitoring’ applies to all private employers with a place of business in the state. The law states that the notice must be provided ‘upon hiring,’ therefore it appears that it must only be provided to new employees. Employers are also required to post a conspicuous notice regarding electronic monitoring where those who are being monitored can see it.
The New York State Office of the Attorney General has the authority to enforce the law and to fine employers $500 for a first offense, $1,000 for a second offense, and $3,000 for third and subsequent offenses. The law does not provide for any private right of action, meaning that large class action lawsuits are unlikely.
2.3.3 Florida
Pursuant to Florida Statutes section 934.03, ‘Interception and disclosure of wire, oral, or electronic communications prohibited’, it is illegal for a person to intercept or record a conversation without the consent of all parties to the conversation, provided there is a reasonable expectation of privacy. Federal law only requires one party’s consent to record a conversation.
Section 3 – Monitoring employee social media activity
One area of employee monitoring that can cause particular issues for employers relates to the monitoring of employees’ social media activity. This activity may take place outside of working hours but can impact upon the employer organization.
3.1 Legal issues
As described above, under relevant case law (eg, Adams v City of Battle Creek, 250 F 3d 980 (6th Cir 2001)) and the ECPA, employers do have a right to monitor their employees. However, employers must keep in mind their employees’ rights under anti-discrimination laws, anti-retaliation laws, and whistle-blowing laws, which may be implicated by the content of social media posts as well as by the use of social media posts as a basis for adverse employment action. See How-to guide: How to develop a whistleblower policy and reporting program and, for discrimination laws, see Checklist: Developing an Equal Employment Opportunity Commission (EEOC) compliant policy.
First Amendment rights may be implicated in government employment but are generally inapplicable when a private employer takes action based on social media monitoring, as federal and state constitutional rights are generally inapplicable to private actors. See Hall v Kosei St. Marys Corporation, Case No. 2-22-26, 2023-Ohio-221, which held that an employee could not succeed on a wrongful termination claim against a private employer based on alleged free speech rights. However, there may be state laws that provide some level of free speech protection to private employees.
3.2 Social media policy
A social media policy should be designed to protect the organization’s interests in the event that the organization is impacted by an employee’s use of their personal social media. Employers should seek to manage the risks outlined at 3.1 above by implementing a detailed social media policy, which includes procedural fairness, so that investigating and disciplining employees based on social media misuse does not give rise to claims against the employer. The policy should provide for any investigation to be undertaken by a third party if considered necessary by the employer and should include measures to ensure that any disciplinary actions are not discriminatory to any of the federally protected classes of persons under federal or state laws.
A social media policy should make clear to employees what types of posts would be considered a violation of the policy, including posts that:
- may jeopardize the protection of trade secrets and other confidential information;
- make negative comments about customers or clients;
- harass, libel, threaten, or defame fellow professionals, employees, clients, or competitors; or
- disclose non-public or confidential information that may harm the employer’s reputation.
3.3 State social media laws
State laws protecting the privacy rights of employees with respect to their social media accounts are becoming more common, with approximately 30 states having some form of protection. Generally, the states that have these protections prevent employers from requesting login information from employees (or job applicants) unless the need to access the social media account relates to some type of ongoing dispute or legal proceeding. Below are a few representative examples of states’ social media laws.
3.3.1 California
California law ‘Employer Use of Social Media’ protects employees and applicants from being required to share their social media and methods of access (such as passwords) with employers. Specifically, employers are prohibited from:
- requesting or requiring that an employee or job applicant share their social media usernames or passwords; and
- requesting or requiring that an employee or applicant access their social media in their employer’s presence.
3.3.2 Nevada
Nevada law ‘Unlawful acts of employer relating to social media account of employee or prospective employee’ prohibits employers from requiring, requesting, suggesting, or causing an employee or applicant to share their social media usernames, passwords, or other methods of access.
3.3.3 New Mexico
New Mexico law ‘Request for access to social networking account prohibited’ prohibits employers from requiring or requesting that a job applicant share their social media passwords or other methods of access.
3.3.4 Oregon
Oregon law prohibits employers from requiring or requesting an employee or applicant to disclose their personal social media usernames or passwords.
3.4 Legal causes for termination or other discipline
In general, an at-will employee may be terminated for any reason the employer deems appropriate, as long as the reason is not unlawful or discriminatory in character (this general position is subject to exceptions at state level). For further information see Checklist: Terminating the employment of an at-will employee.
Before dismissing an employee due to their social media activity, employers should consider whether this presents any legal risk. For example, an employee posting alleged employer violations of safety and health on social media might be a breach of the employer’s social media policy, but employers should be mindful that the alleged employer activity might mean that the employee is subject to whistleblower protections. Any disciplinary action detailed in the social media policy should be based on the frequency and severity of offenses.
NLRB General Counsel Memo, Memo GC 23-02, issued October 31, 2022, provided additional guidance on social media monitoring policies; however, that memo was rescinded on February 14, 2025. See Memo GC 25-05.
Section 4 – Developing an employee monitoring policy
Employers who are seeking to implement a program and policy relating to employee monitoring should take into account the following factors.
4.1 Include appropriate decision-makers in developing and maintaining monitoring policy
The employee monitoring team should include human resources, legal, managers, and supervisors. In addition, apprise upper management (and the board of directors) on a regular basis of the status of the employee monitoring program.
4.2 Prepare and maintain a written employee monitoring policy
The employee monitoring policy should:
- be documented and clearly defined in the employee handbook;
- describe in detail what will be monitored and describe the methods to be used;
- require formal acknowledgment by employees, typically through a signed document;
- inform employees that only legally protected areas (eg, employee restrooms or changing areas) will be afforded any privacy on company property;
- make certain that workers understand that only relevant data (eg, relating to performance and security) will be gathered either through monitoring electronic devices or through other means; and
- prohibit anyone in the company from disclosing personal data to third parties, except as would occur in the ordinary course of business (eg, payroll services).
4.3 Methods of employee monitoring
To protect against legal claims employers should use established employee monitoring software, rather than monitoring software developed in-house.
It is important that employees receive ongoing notifications and reminders of the monitoring that may occur at work and the policies that apply to it, through, for example, workplace posters, company intranet notifications, or recurring email alerts.
Additional resources
Related Lexology Pro content
How-to guides:
Overview of US employment law
How to draft an employment contract
How to draft the key provisions of an employee handbook
How to protect trade secrets in the employment relationship
How to develop a whistleblower policy and reporting program
How to prepare for an Occupational Safety and Health Administration (OSHA) inspection
How to comply with the unemployment insurance program
How to determine and apply relevant US privacy laws to your organization
How to develop, implement, and maintain a US information and data security compliance program
How to ensure compliance with the GDPR (EU)
How to ensure compliance with the GDPR (UK)
How to investigate workplace harassment complaints
How to make reasonable accommodations for employees with disabilities
Checklists:
Determining the difference between an employee and an independent contractor
Terminating the employment of an at-will employee
Developing a Bring Your Own Device (BYOD) policy
Employee drug testing
Drafting a non-compete agreement
Developing an Equal Employment Opportunity Commission (EEOC) compliant policy
Responding to an Equal Employment Opportunity Commission (EEOC) charge