Expert Q&A: Remote Work Monitoring

Practical Law Article w-038-7901 (Approx. 15 pages)

Expert Q&A: Remote Work Monitoring

by Practical Law Labor & Employment

What Are Employers' Biggest Concerns as Remote and Hybrid Work Rise in Popularity?

For as long as there have been workplaces, employers have monitored the activity of their employees by observing them in a shared office, factory, or field. When so many employees suddenly began working remotely because in 2020 of COVID-19, the demand for such remote monitoring skyrocketed.

Recent advances in technology have enabled employers to monitor employees' activities, conduct, and performance when they are working away from the traditional physical workplace on a hybrid or remote basis. Currently, numerous tools enable employers to track their employees' location, actions, systems usage, and productivity.

Employers may deploy these surveillance tools for many valid reasons, including to:

Monitor productivity and manage poor performance.
Protect against the unauthorized disclosure and theft of confidential information and trade secrets.
Investigate employee compliance with workplace policies, including anti-harassment and workplace violence prohibitions.
Track and improve employee safety by collecting metrics such as location, driving behavior, speed, bending, and walking.
Comply with regulatory and compliance requirements.
Prevent employees from making improper online endorsements or disparagements of products.

While the use of technology for these purposes is legitimate, there are numerous legal concerns surrounding its use. A well-intentioned employer that deploys surveillance technology with insufficient care may incur legal liability and alienate good employees who resent their employer observing their communications and movements.

What Tools Can Employers Use to Monitor Remote Employees?

Employers have at their disposal a variety of tools, some of which many workers and privacy advocates understandably view as invasive. Employers may deploy technology such as:

Systems activity tracking (for example, screen captures, browser monitoring, cursor and keystroke tracking, and recording employee access to applications, documents, and data).
Geolocation of employees who are using employer-owned equipment, such as a mobile phone or vehicle.
Video and audio surveillance by accessing a device’s camera or microphone.
Text analytics applied to emails and messaging.
Applications that trace building access and intra-workplace movement, including smart seat cushions that measure time spent seated at a workstation.
Biometrics.
Monitoring employee social media postings.

This technology can be deployed in the traditional physical workplace as well as in remote and mobile settings. As discussed below, legal liability may arise when remote and mobile monitoring picks up private, off-duty communications and activities that have no bearing on employment. For example, an employer may:

Capture screenshots or keystrokes of off-duty, personal emails or internet usage on an employer-owned device.
Record off-duty conversations and activity in a worker’s home by activating the microphone or camera on a remote device.
Monitor geolocation of employees in possession of an employer-issued mobile device or vehicle, which may record where an employee goes off-duty and how they spend their private time.

What Are the Legal and Practical Risks for Employers When Monitoring Remote Employees?

A prudent employer must consider the many federal, state, and local law implications of deploying technology to monitor employees in the US. Employers with global workforces must consider applicable non-US law, such as the EU General Data Protection Regulation and the UK General Data Protection Regulation.

Some electronic workforce monitoring may infringe on individual rights to privacy under state laws. Improper monitoring also may violate federal and state laws governing electronic communications privacy and biometrics. Likewise, remote surveillance implicates wage and hour, traditional labor, and anti-discrimination laws. Even if the technology can be lawfully deployed, employers must consider whether its use is likely to cause workers to feel fearful and resentful, which harms morale and workplace culture. Ultimately, an employer must consider whether remote monitoring is necessary to achieve a legitimate business purpose and if it can be conducted carefully with prudent limits to avoid overcollection of personal employee data.

Employee Privacy Laws

The existence and scope of employees’ right to privacy (grounded in state common law, statutes, or constitutions) depends, in many cases, on whether the employee has a reasonable expectation of privacy. Specifically, employees can generally assert a right to privacy in the workplace when they have an actual expectation of privacy and the expectation is reasonable, factors that invariably involve a case-by-case assessment.

Many employers seek to eliminate their workers’ expectation of privacy by reminding them early and often that their activities are being monitored and that they must not expect any privacy in the workplace or when using employer-owned systems, networks, or devices.

However, employers may still be at a heightened risk of going beyond what is considered appropriate by courts, government agencies, and the public when they engage in employee monitoring activities that stretch into off-site or after-work contexts, or that entail the processing of sensitive categories of personal information. Public sector employers also must ensure that their monitoring of employee communications and devices constitutes a reasonable search under the Fourth Amendment.

Communications Privacy Laws

Federal and state electronic communications privacy laws may apply to workplace monitoring. At the federal level, the Electronic Communications Privacy Act of 1986 (ECPA) regulates, among other things, the interception, use, and disclosure of electronic communications. The ECPA generally prohibits employers from intentionally intercepting and monitoring their employees' electronic communications unless an exception applies, such as:

Where a party to the communication consents to the interception. Many employers seek to rely on this exception by requiring workers to acknowledge and accept workplace monitoring practices during the employee onboarding process and when employees log into their workplace accounts.
When monitoring employee use of employer systems for a legitimate business purpose after notifying employees of the monitoring. The term legitimate business purpose is not found in the ECPA but derives from case law interpreting the ECPA and the Department of Justice's (DOJ's) relatively narrow interpretation of the term (DOJ: Criminal Resource Manual: 1047. Definition — "Electronic, Mechanical, or Other Device").

Additional communications privacy laws apply at the state level. While federal law permits the interception of communications if one party to a communication consents, some states (such as California, Florida, and Illinois) prohibit interception, monitoring, or recording unless all parties to the communication consent. In these states, relying on employee consent alone does not preclude liability for monitoring communications with outside parties.

Employers can seek to mitigate their risk by taking steps to establish that they obtained consent from all parties to a monitored communication. For example, some entities use notices on websites, email footers, call center scripts, and other channels to widely broadcast that outside parties consent to the monitoring of their communications with the organization and its personnel. Even so, outside parties may be able to argue that they did not consent, particularly when employers monitor employees' personal communications.

Several states require employers to provide notice of electronic monitoring to create transparency about the fact of monitoring and the means of surveillance, such as:

Connecticut (Conn. Gen. Stat. Ann § 31-48d (requiring employers engaging in electronic monitoring to provide prior written notice to employees about the types of monitoring that may occur and conspicuously post notice of electronic monitoring practices)).
Delaware (19 Del. C. § 705 (requiring employers to provide prior written notice regarding their monitoring of phone transmissions, email, and internet access or usage)).
New York (N.Y. Civil Rights Law § 52-c (requiring private sector employers to provide notice of electronic monitoring practices to all employees on hiring, with written or electronic employee acknowledgement, and more generally, by posting the notice in a conspicuous place viewable by all employees)).

Similar legislation has been introduced in Congress (S. 262, Stop Spying Bosses Act, 118th Congress (2023) (requiring employers to disclose surveillance and data collection, prohibiting the collection of sensitive worker data, and creating rules around the usage of automated decisions systems)). A bill pending in the New York City Council would significantly limit an employer’s ability to rely on electronic monitoring evidence to discharge or discipline employees (Intro. No. 837, New York City Council (2022)).

State Data Privacy Regulations

The US lacks a federal omnibus privacy statute (meaning a comprehensive privacy law that applies across all industries). Various states have enacted their own omnibus privacy laws (including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia), with more likely on the way. The omnibus privacy laws of California, Colorado, Connecticut, and Virginia are already in force as of the time of this writing, with the rest entering into force at various points over the next several years.

For the latest on enacted and proposed state privacy laws, see State Consumer Privacy Legislation Tracker.

All of the laws establish their own coverage criteria and have their own unique requirements. The laws also generally impose the bulk of their requirements on a controller of personal information (meaning the entity that determines the means and purposes of processing personal information), as opposed to processors (meaning the entities that only process personal information on behalf of controllers).

The following sections outline some considerations relating to state omnibus privacy laws for covered companies that engage in employee monitoring activities.

Scope of Protections

The California Consumer Privacy Act (CCPA) is unique among the omnibus privacy statutes of the states listed above because it applies to personal information about state residents acting in any capacity, including an employment, work, professional, or consumer capacity (Cal. Civ. Code §§ 1798.100 to 1798.199.100). By contrast, the other five states' omnibus privacy laws essentially only protect state residents acting in a personal, individual, or household context. Even so, an employer that engages in broad monitoring of its employees can collect and process personal information about individuals acting in their personal or household capacity, such as where employees use employer devices for personal, non-work activities. Companies should therefore consider all applicable states' omnibus privacy laws.

Privacy Notices

All of the laws require controllers to issue privacy notices that include certain prescribed information about how they process individuals' personal information and the rights that those individuals have under the laws.

Sensitive Personal Information

All of the laws impose special requirements on the processing of sensitive personal information, which the laws define differently but which generally includes race or ethnicity, religion, health, sexual orientation, citizenship, and certain other data categories. Employers that broadly monitor workers will almost certainly collect some sensitive personal information from employees and possibly from outside parties.

The CCPA requires a business (which is the CCPA's term for controller) to give California residents the right to limit the use and disclosure of their sensitive personal information unless the covered business only uses the sensitive personal information for the authorized and exempt purposes identified in the CCPA. The authorized and exempt purposes do not expressly refer to employee monitoring. Therefore, companies must compare their reasons for monitoring employees against those allowed under or exempt from the CCPA to determine whether the right to limit the use and disclosure of sensitive personal information applies.

Colorado, Connecticut, Delaware, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia require a controller to obtain a consumer’s freely given, specific, informed, and unambiguous consent before processing their sensitive personal information.

Iowa and Utah generally require controllers to notify individuals when collecting their sensitive personal information and give those individuals an opportunity to opt out of processing.

Impact Assessments

Some of the laws require companies to engage in impact assessments in certain circumstances, including before they process sensitive personal information. Even where an impact assessment is not strictly required, engaging in a data processing impact assessment can help identify and mitigate potential privacy risks and other harms, which generally benefits all parties concerned.

Limitations

Some of the laws include data minimization and purpose limitation requirements, which may restrict an employer's ability to engage in broad and indiscriminate employee monitoring. For example, the CCPA requires a business' personal information processing to be "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected" (Cal. Civ. Code § 1798.100(c)).

Regulations under the CCPA outline a series of factors that a business must consider when assessing whether the business' processing can meet these criteria. Where these criteria are not met, the regulations require a business to obtain the data subject's specific, informed, unambiguous, and freely given consent before engaging in the processing.

Privacy Rights

All of the laws give state residents various privacy rights regarding the personal information that a controller collects from or about them, including the right to access, delete, and port the information. This right to access and port grants individuals easy, portable access (twice a year) to all pieces of personal data that a company holds. Although employers in states with omnibus laws other than California may be able to reject requests from employees to exercise privacy rights on the grounds that their personal information was processed in an employment context, the more personal information that an employer gathers through its employee monitoring tools, the more likely it is that these grounds will not apply in all cases.

Other states such as Massachusetts, New Jersey, and Pennsylvania are currently considering their own omnibus privacy laws, so employers should stay up to date on new legal developments that may impact their workplace monitoring activities and privacy compliance programs.

Biometric Laws

Biometric data typically refers to information about an individual’s physical characteristics (such as fingerprints, retina scans, voice prints, and facial geometry) that is used to identify them. Some companies collect and use biometric data as part of their workforce monitoring activities, such as scanning employee fingerprints for timekeeping purposes. Biometric data is generally perceived as a more sensitive category of personal information because it is biologically unique to an individual and cannot readily be changed by the data subject. The twelve state omnibus privacy laws discussed above all define sensitive personal information to include biometric data used to identify a person.

Several additional states have enacted specific biometric privacy laws, including Illinois, Texas, and Washington. The Illinois Biometric Information Privacy Act (BIPA) contains several onerous restrictions, establishes a private right of action with statutory damages of up to $5,000 for each intentional or reckless violation, and has been the basis of several class actions alleging unlawful employer workplace monitoring practices. In summary, BIPA requires private entities that process biometric information to:

Obtain an Illinois resident's informed and written consent before collecting or disclosing their biometric information.
Develop a publicly available written policy that establishes a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting it has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.
Refrain from profiting from the biometric information.
Take measures to protect the information.

(740 Ill. Comp. Stat. Ann. 14/1 to 14/99; for more information, see Practice Note, BIPA Compliance and Litigation Overview.)

An example of a BIPA class action is O'Sullivan v. All-Star, Inc., where restaurant employees sued the franchise owner for allegedly requiring employees to clock in and out using a fingerprint scanner without giving all necessary notices to or obtaining consent from them as required by BIPA. The parties reached a $5.85 million settlement for a settlement class of nearly 10,000 individuals. (Class Action Compl., , ¶¶ 3, 5, 13, 31-42, 76-94 (Ill. Cir. Ct. Oct. 7, 2019).) The parties reached a $5.85 million settlement for a class of nearly 10,000 individuals. Another example is Williams v. Personalizationmall.com, LLC, which also involved allegations that the employer’s fingerprint timekeeping practices violated BIPA. The parties reached a $4.5 million settlement for over 18,000 class members. (Final Approval Order, No. 1:20-CV-00025, ¶¶ 11-12 (N.D. Ill. July 20, 2022).)

Texas' biometric privacy law also requires companies to provide notice and obtain consent before collecting employee fingerprints or other biometric information, but it does not contain a private right of action (Tex. Bus. & Com. Code Ann. § 503.001).

Washington's biometric privacy law only applies to the processing of biometric identifiers for a "commercial purpose," defined narrowly as a "purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier" (RCW § 19.375.010(4)).

Many other states are currently considering biometric privacy laws, so companies should monitor new legal developments that may impact their workplace surveillance activities and privacy compliance programs.

For more information on biometric privacy laws, see Practice Note, Biometrics in the Workplace

Wage and Hour Issues

The Fair Labor Standards Act (FLSA) and similar state wage and hour laws require employers to compensate their employees for all hours suffered or permitted to work (29 U.S.C. § 203(g); 29 C.F.R. §785.11). Some employers deploy remote monitoring to track nonexempt employee work activity, paying them for time worked and not paying them for time the employer believes was not spent working. Such employers may face wage and hour claims for unpaid wages if monitoring suggests an employee is not working, when in fact, the employee is engaged in compensable work.

For example, a seat cushion monitor or a camera may suggest that an employee is away from a workstation or idle, and an employer might deem that time as non-compensable. Individual employees, or those in a potentially large collective action, may argue that they are entitled to wages for that time if, in fact, they were engaged in work, such as taking a work call or meeting from another room or fetching a tool or resources to complete work tasks. Pregnant workers or employees with disabilities needing to take more frequent restroom or stretch breaks, for example, may also be particularly disadvantaged by such monitoring and may be entitled to a reasonable accommodation.

A recent FLSA case alleged that an employer's surveillance software failed to pay the plaintiff and similarly situated employees for all hours worked. The plaintiff's complaint alleged that a keystroke monitor and webcam tracked the plaintiff's activity and the employer failed to pay the plaintiff for ten-minute intervals when the data showed a lull in keyboard activity or that the plaintiff had stepped away. The plaintiff argued that wages were owed for time spent writing on a printed document and conducting a phone call or videoconference away from the webcam. (Compl., Kraemer v. Crossover Market, LLC, No. 1:21-CV-000398 (W.D. Tex. 2021) (dismissed with prejudice on Nov. 22, 2021).)

National Labor Relations Act

Workforce monitoring also implicates key labor law issues under the National Labor Relations Act (NLRA), which covers nonsupervisory employees, regardless of whether they are represented by a union. Section 7 of the NLRA guarantees employees "the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection," as well as the right "to refrain from any or all such activities."

National Labor Relations Board (NLRB) General Counsel Jennifer A. Abruzzo recently issued a Memorandum outlining potential NLRA violations that may arise from an employer's use of this technology (see NLRB: Office of the General Counsel, Memorandum GC 23-02 (Oct. 31, 2022)). She cautioned that "omnipresent surveillance" techniques for remotely managing employees may interfere with the exercise of NLRA Section 7 rights by "significantly impairing or negating employees' ability to engage in protected activity and keep that activity confidential from their employer." The Memorandum notes that this monitoring occurs inside the traditional workspace, in remote work, during off-duty time outside of work, and even before the employment relationship begins.

General Counsel Abruzzo cautioned that many forms of monitoring and surveillance are already unlawful under existing NLRA precedent safeguarding open protected concerted activity and public union activity, such as handbilling and picketing, under NLRA Section 8(a)(1). An employer may also violate Section 8(a)(3) when using surveillance technology to screen applicants, discipline employees, or apply production quotas or efficiency standards to terminate union supporters. Where employees have union representation, an employer may violate Section 8(a)(5) by failing to bargain over the implementing of monitoring technology and use of the data it gathers.

In addition to applying NLRA precedent to workforce monitoring, General Counsel Abruzzo urged the NLRB to adopt a new legal framework to protect employees from "intrusive or abusive forms of electronic monitoring" that interfere with Section 7 rights by stopping union and protected concerted activity or preventing its initiation. General Counsel Abruzzo wrote:

"Close, constant surveillance and management through electronic means threaten employees' basic ability to exercise their rights. In the workplace, electronic surveillance and the breakneck pace of work set by automated systems may severely limit or completely prevent employees from engaging in protected conversations about unionization or terms and conditions of employment that are a necessary precursor to group action. If the surveillance extends to break times and nonwork areas, or if excessive workloads prevent workers from taking their breaks together or at all, they may be unable to engage in solicitation or distribution of union literature during nonworking time. And surveillance reaching even beyond the workplace — or the use of technology that makes employees reasonably fear such far-reaching surveillance — may prevent employees from exercising their Section 7 rights anywhere."

(NLRB: Office of the General Counsel, Memorandum GC 23-02 (Oct. 31, 2022).)

While General Counsel Abruzzo noted that some employers may have legitimate business reasons for using some forms of electronic monitoring, to the extent such activity may impact Section 7 rights, the NLRB balances employer interests and employee NLRA rights.

Discrimination Claims

Employers using technology to monitor remote employee activity also must mitigate the risk of discrimination claims under Title VII of the Civil Rights Act of 1964 (Title VII), the Americans with Disabilities Act (ADA), and similar state and local laws. For instance, by using monitoring, an employer may discover an employee's previously unknown protected characteristics, such as religion, sexual orientation, or disability, and the employer must not discriminate against the employee on the basis of that new information. Employers may also learn of workplace discrimination or harassment concerns from their surveillance, which gives rise to an obligation to investigate those concerns and protect individuals from retaliation.

Many jurisdictions also prohibit discrimination on the basis of lawful off-duty activities (see, for example, N.Y. Labor Law § 201-d (prohibiting employer adverse action against individuals because of off-duty, off-premises political activities, use of lawful products, or lawful recreational activity not involving the employer's property or resources)). Employers engaging in remote monitoring must therefore be certain only to impose adverse action on individuals for legitimate reasons and not because they discover, from remote surveillance, that person's politics, smoking, drinking, or other recreational activity the employer finds offensive.

Similarly, employers must evaluate their monitoring techniques and the populations that are scrutinized to determine whether those practices impose a disparate impact on protected groups. If technology results in adverse employment actions that disproportionately affect a protected group, the employer may need to spend enormous resources defending its practices as job-related and consistent with business necessity. Even if the practices ultimately are legally defensible, an employer may face considerable reputational harm from using this technology in that manner.

Negative Impact on Morale, Culture, and Retention

Employees are becoming increasingly aware and resentful of employer remote workforce monitoring, which is garnering attention in popular media. Workers decry this potentially invasive technology and describe it with derisive names, such as “tattleware,” “bossware,” and “stalkerware.”

Some employees even devise ingenious tricks for defeating monitoring technology and deceiving managers about their purported activity, a phenomenon known as productivity theater. Inventive employees trick their computers into staying awake and demonstrating activity while the employees are actually performing chores or traveling about town. They achieve this by pulling up internet wildlife videos, placing a PowerPoint permanently on presentation mode, pressing a heavy object onto a keyboard to make an endless string of characters on a page, or using makeshift gizmos that jiggle the mouse (available for under $30). These workers perceive an invasion of their privacy, which harms morale and workplace culture and may lead to misbehavior.

The White House's Request for Information

The White House has also taken note of employers' increasing use of technology to monitor, manage, and evaluate their workers, including the potential benefits these systems provide and risks they pose. Earlier this year, the White House Office of Science and Technology Policy (OSTP) released a request for information seeking comments from the public to:

Learn more about the automated tools used by employers to surveil, monitor, evaluate, and manage workers.
Understand the design, deployment, prevalence, and impacts of these automated technologies.
Inform new policy responses and best practices.

(See Request for Information: Automated Worker Surveillance and Management, 88 Fed. Reg. 27932-02 (May 3, 2023) and The White House: Hearing from the American People: How Are Automated Tools Being Used to Surveil, Monitor, and Manage Workers? (May 1, 2023).)

What Are Employer Best Practices to Ensure Legal Compliance and Minimize These Risks?

A prudent employer that wants to carefully deploy remote workforce monitoring may reduce legal liability and potential harm to morale by following several best practices:

Evaluate the employer's goals and ensure that the data collected and processes used:
- serve legitimate and necessary business purposes;
- address specific and documented risks (such as theft of company data); and
- do not collect or retain more information than reasonably necessary to achieve those purposes and mitigate those risks.
Conduct a data protection impact assessment to document how the employer's monitoring activities comply with applicable laws and steps taken to mitigate privacy risks to individuals.
Be transparent with employees about what is monitored and how it is gathered to eliminate or diminish expectations of privacy. Even in states where it is not legally required, employers may distribute a written policy to all employees in an employee handbook or on the company intranet and consider offering employees an opportunity to provide input on the monitoring program and its use. The policy should explain:
- which employees are subject to monitoring;
- what devices are being monitored;
- what data the company is collecting;
- which employees are to be given access to the data;
- how the employer intends to safeguard any sensitive or private data; and
- how the company intends to use the data and what legitimate business purpose it serves.
Implement reasonable and appropriate privacy and security measures to ensure that data collected via the workplace monitoring activities is accessible only to internal personnel truly needing access to the data to advance the employer's legitimate and necessary business purposes. As a best practice, centralize the task of remote monitoring with a highly trained and professional technology team that can separate appropriate information about worker misconduct and low productivity from irrelevant personal employee information, such as health information, religion, and lawful off-duty activity that be may gathered inadvertently while monitoring. A specialized team can insulate decision-making managers from this sensitive personal employee information and reduce the risk of discrimination claims.
Delete data collected via workplace monitoring activities as soon as it is no longer required to serve any legitimate business or legal purpose.
Avoid monitoring workers when they are off-hours or on personal time wherever possible.
Measure impact rather than activity. Consider using the data from remote monitoring to incentivize workers to behave in a positive way that achieves the employer's goals. Rather than using monitoring data to discipline and punish, use the data to identify good performers and reward that behavior. Sharing this with the workforce may motivate others to do better.
Use remote monitoring data to protect workers. For example, the same data that indicates an employee is unproductive can identify overburdened employees needing a reprieve.
Obtain consent from individuals to process their data where required or advisable under applicable laws, such as the ECPA.
Comply with applicable state laws, including, for example:
- requiring disclosures and consent for collection of biometric information, such as under the Illinois BIPA; and
- implementing privacy notices and compliance measures required by the CCPA and other state laws.
Pay nonexempt employees for all hours worked. Understand that compensable time may occur even when the monitoring technology suggests employees are idle.
Appreciate that employees have NLRA Section 7 rights to engage in concerted activities confidentially from their employer. Refrain from surveillance that has the purpose or effect of revealing their confidential protected activity or interfering with its exercise.
Keep up with future legislation in this space, particularly on the state and local levels.

For more on employer best practices for remote workforce monitoring, see Remote Employees: Best Practices. For a model employer policy on working remotely, with explanatory notes and drafting tips, see Standard Document, Remote Work Policy.

Expert Q&A: Remote Work Monitoring | Practical Law