Privacy Rights in a Remote Work World: Can My Employer Monitor My Activity?

The rise in remote work has brought with it a rise in employee monitoring.  Between 2019 and 2021, the percentage of employees working primarily from home tripled.  As “productivity paranoia” crept in, employers steadily adopted employee surveillance technologies.  This has raised questions about the legal and ethical implications of enhanced monitoring, in some cases prompting proposed legislation or the expanded use of laws already on the books.

Employee monitoring is nothing new.  Employers have long used supervisors and timeclock programs, among other systems, to monitor employee activity.  What is new, however, is the proliferation of sophisticated monitoring technologies—as well as the expanding number and variety of companies that are employing them.

 While surveillance was once largely confined to lower-wage industries, white-collar employers are increasingly using surveillance technologies to track their employees’ activity and productivity.  Since the COVID-19 pandemic started in March 2020, one in three medium-to-large companies has adopted some form of employee monitoring, with the total fraction of employers using surveillance technologies closer to two in three.  Workers who are now subject to monitoring technologies include doctors, lawyers, academics, and even hospice chaplains.  Employee monitoring technologies can track a range of information, including:

  • Internet use (e.g., which websites and apps an employee has visited and for how long);

  • How long a computer sits idle;

  • How many keystrokes an employee types per hour;

  • Emails that are sent or received from a work or personal email address (if the employee is logged into a personal account on a work computer);

  • Screenshots of a computer’s display; and

  • Webcam photos of the employee throughout the day.

These new technologies, coupled with the shift to remote work, have blurred the line between the professional and the personal, the public and the private.  In the face of increased monitoring, this blog explores federal and state privacy regulations and protections for employees.

What are the legal limitations on employee monitoring?

 There are two primary sources of restrictions on employee monitoring: (1) the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq.; and (2) common-law protections against invasions of privacy.  The ECPA is the only federal law that regulates the monitoring of electronic communications in the workplace.  It extends the Federal Wiretap Act’s prohibition on the unauthorized interception of communications, which was initially limited to oral and wire communications, to cover electronic communications like email.  As relevant here, the ECPA contains two major exceptions.  The first exception, known as the business purpose exception, allows employers to monitor employee communications if they can show that there is a legitimate business purpose for doing so.  The second exception, known as the consent exception, permits employers to monitor employee communications so long as they have consent to do so.  Notably, this exception is not limited to business communications, allowing employers to monitor employees’ personal communications if they have the requisite consent.  Together, the business purpose and consent exceptions significantly limit the force of the ECPA, such that, standing alone, it permits most forms of employee monitoring.

In addition to the ECPA’s limited protections from surveillance, however, some states have adopted additional protections of employee privacy.  Several state constitutions, including those of California, South Carolina, Florida, and Louisiana, guarantee citizens a right to privacy.  While these provisions do not directly regulate employers’ activity, they may bolster employees’ claims to an expectation of privacy.  Other states have enacted legislation that limits an employer’s ability to monitor employees’ social media accounts.  Virginia, for example, prohibits employers from requiring employees to disclose their social media usernames or passwords.  And a few states have enacted laws to bolster employees’ access to their data.  For example, the California Privacy Rights Act (CPRA), which comes into full effect on January 1, 2023, and replaces the California Consumer Privacy Act (CCPA), will provide employees with the right to access, delete, or opt-out of the sale of their personal information, including data collected through employee monitoring programs.  Employees will also have the right to know where, when, and how employers are using their data.  The CPRA’s protections are limited, however.  Employers will still be able to use surveillance technologies, and to make employment decisions based on the data these technologies gather.

Finally, several states require employers to provide notice to employees before monitoring or intercepting electronic communications.  New York recently adopted a law,  Senate Bill (SB) S2628, that requires all private-sector employers to provide notice of any electronic monitoring to employees (1) upon hiring, via written or electronic employee acknowledgment; and (2) in general, in a “conspicuous place” in the workplace viewable to all employees.  The new law is aimed at the forms of monitoring that have proliferated since the shift to remote work, and covers surveillance technologies that target the activities or communications of individual employees.  Delaware and Connecticut also have privacy laws that predate SB S2628.  Delaware requires notice to employees upon hire that they will be monitored, but does not require notice within the workplace.  Meanwhile, Connecticut requires notice of monitoring to be conspicuously displayed in the workplace but does not require written notice to employees upon hire.  Accordingly, in many states, employee privacy protections exceed the minimum standard of the ECPA, though they still are not robust.

How does employee monitoring intersect with other legal rights?

Other legal protections further limit employee monitoring.

First, in at least some jurisdictions, employees who access personal emails on their work computer, or conduct other business that would be protected under attorney-client privilege, maintain their right to privacy for those communications.  In Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009), the Superior Court of New Jersey, Appellate Division, considered a case in which an employee had accessed her personal email account on her employer’s computer and exchanged emails from that account with her attorney regarding a possible employment case against her employer.  The employer, who had installed an employee monitoring program, was able to access and read the employee’s emails.  The Court held that the employee still had a reasonable expectation of privacy and that sending and receiving emails on a company-issued laptop did not waive the attorney-client privilege.  The Court thus required the employer to turn over all emails between the employee and her attorney that were in its possession and directed the employer to delete all of these emails from its hard drives.  Moving forward, the Court instructed that, while “an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest,” such a business interest held “little force . . . when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.”  Stengart, 408 N.J. Super. at 74.

Second, employee monitoring can run afoul of protections related to union and other concerted activity.  The General Counsel for the National Labor Relations Board (NLRB) recently announced a plan to curtail workplace surveillance technologies.  Existing law prohibits employers from using surveillance technologies to monitor or record union activity, such as by recording employees engaged in picketing, or otherwise interfering with employees’ rights to engage in concerted activity.  The General Counsel’s plan outlines a new, formal framework for analyzing whether employee monitoring interferes with union or concerted activity.  Under this framework, an employer presumptively violates Section 7 or Section 8 of the National Labor Relations Act (NLRA) where their “surveillance and management practices, viewed as a whole, would tend to interfere with or prevent a reasonable employee from engaging in” protected activities.  Examples of technologies that are presumptively violative include key loggers, webcam photos, and audio recordings.

Do I have a claim against my employer?

While federal and state restrictions on employee monitoring are limited, you may have a legal claim against your employer if its monitoring is overly intrusive or it mishandles your personal data.  First, an invasion-of-privacy claim, for the tort of intrusion upon seclusion, could exist if your employer monitors your activity in a way that would be highly offensive to a reasonable person, such as by accessing your work laptop’s webcam or internal microphone and listening in on private affairs in your home.  Second, you may have a claim against your employer for violating its legal duty to protect your personal information if data it collects in the course of monitoring your work activity is compromised.  In Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), employees at the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) filed a class-action complaint alleging that UPMC breached its legal duty of reasonable care when it failed to protect employees’ data, which was stolen from UPMC computers.  The Pennsylvania Supreme Court found for the plaintiffs, holding that employers have an affirmative duty to protect the personal information of their employees.  Because the Pennsylvania Supreme Court’s holding was grounded in tort principles that are recognized by many states (i.e., duty of care and negligence), it may pave a path for future cases in other jurisdictions.  Third, if any medical information is accessed and improperly used by your employer, you may have a claim under the Americans with Disabilities Act, which requires that employers keep all employee medical information confidential and separate from all other personnel information.  See 42 U.S.C. § 12112(d)(3)(B)-(C), (4)(B)-(C).

Conclusion

Employees are monitored more consistently and in more ways than ever before. By and large, employee monitoring is legal.  Employers can monitor your keystrokes, emails, and internet activity, among other metrics.  While federal regulation of employee monitoring is limited, some states offer additional protections of employee privacy.  Most notably, employers are increasingly required to inform employees that their activity will be monitored.  Moreover, other legal rights, such as the right to engage in concerted activity and to have your medical information kept confidential, provide checks on employee surveillance.  As employee monitoring becomes more commonplace, restrictions on surveillance technologies and avenues for legal recourse may also grow.

Katz Banks Kumin LLP Copyright ©

New Jersey Employers Are Now Required to Provide Written Notice Before Using Tracking Devices in Employee-Operated Vehicles

Earlier this year, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, which requires employers in the State to provide written notice to an employee before using a tracking device on a vehicle used by the employee. The new law, which went into effect on April 18, 2022, recognizes that employers may have a legitimate business interest in being able to track their workforce’s whereabouts—particularly when traveling or working offsite—while also reconciling that with the protection of workers’ privacy rights. At the very least, the days of covertly tracking employee vehicles appear to be a thing of the past.

The law defines “tracking device” as any “electronic or mechanical device which is designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person, or device,” with a specific carveout for devices used solely for the purpose of documenting employee expense reimbursement.

Significantly, the written notice requirement applies to the use of tracking devices in any vehicles used by an employee. It does not matter whether it is an employee’s personal vehicle (whether owned or leased) or company-owned or provided. Written notice must be provided regardless.

Failure to comply with the law’s notice requirements can carry substantial penalties. An employer who knowingly makes use of a tracking device in a vehicle used by an employee without providing written notice to the employee shall be subject to a civil penalty up to $1,000.00 for the first violation, and then up to $2,500.00 for each subsequent violation. These fines can add up quickly, especially for service businesses with large vehicle fleets, among others. Additionally, it is possible that failure to comply with the law’s notice requirements may implicate employee privacy rights that could lead to further civil exposure.

Private employers within the State must ensure they have appropriate policies and procedures in place to comply with the new law’s requirements and insulate their businesses from potential liability for violations. While it does not specify what the required “written notice” must look like or how it must be conveyed to employees, at minimum employers should update their employee handbooks as well as provide a stand-alone, written notice to employees, with signed confirmation and acknowledgement of receipt. Additionally, rule and regulations regarding GPS tracking of employee vehicles may vary from state to state, so employers with a multi-state presence or service area need to be aware of the different laws that may apply to them depending on where their employees are working.

Employers who have not yet updated their forms and procedures should immediately contact counsel and take steps to ensure that they are in compliance. Similarly, it may be prudent for employers who drafted their own policies to have experienced employment counsel perform a policy or handbook review and provide advice and guidance regarding employer responsibilities and obligations, including but not limited to ensuring compliance with New Jersey’s new vehicle tracking device law.

COPYRIGHT © 2022, STARK & STARK
Article By Cory Rand with Stark & Stark.
For more articles about New Jersey Legislation, visit the NLR New Jersey law section.

Employees Miffed by Your Monitoring of Company Devices? Give Notice Now to Hopefully Avoid Annoyance Later

We’ve talked about social media policies several times over the years, but it’s been a while since we’ve discussed monitoring your employees’ work phones, emails, and internet usage. As you most likely know, you can and probably should monitor employees’ work phones, emails, and internet usage. You never know when someone outside the business will require you to produce emails (hello, subpoenas or litigation). But, how do you protect your business upfront from employees who are miffed by your monitoring? One of the best ways is to provide notice to your employees that you are watching.

In fact, effective May 7, 2022, the state of New York will require all employers to provide notice to employees that their work phones, email, and internet use is monitored. The new law requires the following for new hires:

  • Written notice (hard copy or electronic) to all who are subject to electronic monitoring
  • Written acknowledgment (hard copy or electronic) of the notice

As for current employees, no written acknowledgement is required but employers must post notice about electronic monitoring. Failure to meet these requirements could result in civil penalties up to $500 for the first offense, $1,000 for the second, and $3,000 for any subsequent offense.

Even if you are not operating in New York or another state that requires notice, we suggest you take the time now to review your onboarding materials and policies and, if you don’t already have one, implement a policy related to monitoring work phones, emails, and internet usage. Providing your employees with your expectations about their electronic usage and notice that you are monitoring their use of company devices could save you from headaches in the future. Here are a few tips:

  • Review and revise any existing policies related to work phones, emails, and internet usage to include your expectations and let them know you are monitoring and will discipline employees for misuse
  • Identify what devices may be monitored (tip: it’s best to limit monitoring to company devices but we understand gray areas may arise and advise you to speak with counsel about those issues)
  • Include the policy and acknowledgement of receipt in the onboarding materials (which will keep you compliant in New York)
  • If you have annual training for employees, consider including a brief section that covers and reminds employees about the policy
  • Also, if you discuss prohibitions in your policy, remember to make clear that there is no prohibition on employees’ rights to engage in discussion of terms and conditions of employment (as that could be protected, concerted activity under the National Labor Relations Act)

This article was written by Cortlin Bond and Anne R. Yeungert of Bradley Arant Boult Cummings law firm. For more articles about employee monitoring, please see here.