The State of Employee Privacy and Surveillance in 2020

By Bernhard Mehl
August 13, 2020

An often controversial topic in U.S.workplaces, known to raise ethical questions regarding the state of public surveillance regulations, deals with the federal laws surrounding the use of online privacy and workplace surveillance. We are used to hearing about the abuse of these tools, such as issues that abuse personal rights, while their proper management, actually, has various benefits for both employee and employer.

At its core, most employers have the best interests of their staff and organization in mind when they implement these policies. Employees, while recognizing common goals, like the need for security and safety, have their own privacy as a priority in these topics. 

In discussing this, Nancy Flynn, the Executive Director of The ePolicy Institute states that

“To help control the risk of litigation, security breaches and other electronic disasters, employers should take advantage of monitoring and blocking technology to battle people problems—including the accidental and intentional misuse of computer systems and other electronic resources.”

This clash between the employer and employee perspective about how constant surveillance can impact productivity, is of expanding interest and warrants deeper conversations around employee monitoring. The good news is that by making a proper investment for tools that meet common interests, and managing transparently within your teams about why and what you are surveilling, you can support your organization from the mistakes that can come from a lack of knowledge in this space. 

Having an understanding of the types of workplace surveillance technologies that exist, everything from background tracking to identity management, knowing what can be monitored, especially as new technologies start to integrate advanced innovations such as cloud-based and artificial intelligence,  and what can have the most impact in this space, and understanding the research about this can best position you and your team for success. 

Types of Workplace Surveillance Technologies

CCTV

Cloud security camera systems are more popular than ever among employers seeking to tighten security in the workplace. Many innovative camera companies are investing heavily in facial recognition technology and integrations with sensors to provide more useful information than traditional cameras. Learn more about the best security camera brands here.

Biometrics

Currently, biometric technology refers mostly to facial recognition, fingerprints and voice recognition. However innovations in AI and IoT are making it possible to track other physical traits through surveillance for access control and identity verification purposes. For example, retina scans, DNA, typing rhythm and other more subtle physical markers are being used more often to monitor employees

Cloud-based Access Control

While access control alone is not generally used for employee surveillance, modern cloud-based platforms can easily integrate with cameras and identity management services to provide insights into how employees are utilizing a certain area as well as an easily managed security system. This is one of the less-intrusive methods managers can use to track movement throughout the office without violating individual privacy.

Social Media Monitoring Software (SMMs)

Perhaps the most controversial group of tools in the past several years, social media monitoring software is a network of bots and apps that track the performance of a particular brand or individual on social media, down to every mention, click and hashtag that the account has. Many companies have tried to use these tools to invade the private accounts of employees, and have even asked potential hires and employees for their login credentials to their private accounts. This has prompted backlash from the public and the social media companies themselves on the grounds that it violates first amendment rights to free speech as well as company policy.

Background Check Software

Background checks have been a common practice in hiring and employee monitoring policies for decades, however in recent years technology has made this sometimes tedious task much easier for employers to do quickly online. New recruiting software makes it possible for employers to automatically gather and analyze criminal histories, citizenship status and other elements with the help of AI and machine learning. 

Screen Capture/Browser Monitoring

Like the name implies, screen capture and browser monitoring tools allow employers to take snapshots of an employees computer screen or track what sites they are visiting while at work or whenever they are using a company device.

Occupancy Tracking

Occupancy tracking is a series of sensors that measure the amount of people and the amount of time they spend in a particular space. These inconspicuous sensors are often used to enhance security and provide valuable business insights for business operators. In commercial spaces this technology is fairly common, especially in high traffic public areas.

Real-Time Location Tracking

Many companies are applying real-time location tracking to monitor company assets and devices within a network. Using the “received signal strength” of a device, security software can track devices such as cell phones, laptops, or even wearables as they move throughout a building or geometric vicinity. This is particularly useful for large companies with large corporate campuses. For employers it can help protect expensive equipment and data. However for employees, it has raised concerns over the privacy of their personal devices which are often used for work.

Identity Management

Identity management systems like Okta and OneLogin are not inherently meant to be used as surveillance tools, however they can be co-opted for that purpose by managers who are suspicious of their employees’ actions on internal company applications. Identity management software allows people to sign into several applications and web services with one set of credentials. 

Workplace Analytics Audit Logs

Audit logs are essentially a track record of an employee’s activity within an organization. For example, Microsoft has an entire ecosystem of apps and tools that companies use to manage their business and internal communications, from email and cloud storage, to CRM software and accounting logs. With audit logs, a manager can track every action that an employee makes within the ecosystem, no matter what computer they are using, and get detailed analytics on how productive they are at a given time.

Why Do Employers Monitor Workers?

  • Monitor productivity
  • Protect sensitive company data and proprietary information
  • Monitor compliance with company policies
  • Gather data for business decisions
  • Ensure the safety and security of the employees and of their belongings
  • Make sure that the office is a healthy space where to work in peace and socially distanced

Federal Workplace Privacy/Surveillance Laws

Currently there is no comprehensive federal law in the US regulating the extent to which employers can monitor employees in the workplace. And recent trends towards flexible working arrangements and work-from-home policies have made this issue even more murky for individual companies. Most privacy and workplace monitoring policies are governed by a wide range of state laws that often contradict each other, are too ambiguous or simply not advanced enough to keep up with technology. 

On the federal level, prosecutors have applied the 4th Amendment of the U.S. Constitution to many workplace privacy issues. The 4th amendment protects American citizens against unreasonable search and seizure of their person or belongings without a warrant issued by a judge stating probable cause. However, this language has a vague context in the workplace, where technology and online presence plays such an integral role in people’s work lives. Because the federal government has left this so open-ended, it has been up to the states to make individual privacy laws to govern the issue of workplace monitoring. 

What Can Be Monitored in the Workplace?

As per Privacy Rights Clearing House, here is a list of things that employers are generally permitted to monitor in the workplace:

  1. Computers and Workstations
  2. Email and Instant Messaging
  3. Telephones
  4. Mobile Devices
  5. Audio and Video Recording
  6. Location (GPS) Tracking (i.e. company cars)
  7. U.S. Postal Mail 
  8. Social Media (*note that this is under debate and up for legislation in many states. See below for details)
5f085d9f328c062457a0b7c0
template-1
container

Top 10 US Tech Hubs Where Employee Surveillance Has the Most Impact

The following cities are the biggest tech and business hubs in the U.S. Debates around employee monitoring in the workplace often start in these areas and have a large impact on how the state governments handle privacy violations in the absence of detailed federal regulations. We looked into the state laws governing the largest tech companies in the world and have collected them here for reference.

1. Boston, IL

What’s covered in the law? Online privacy

Relevant Local/State Surveillance Laws: 820 ILCS 55/10

2. Austin, TX

What’s covered in the law? Wiretapping, Oral and electronic communication, Video surveillance

Relevant Local/State Surveillance Laws: Section 16.02 of the Texas Penal Code; Section 21.15 of the Texas Penal Code

3.Dallas, TX

What’s covered in the law? See Austin

Relevant Local/State Surveillance Laws: See Austin

4. Atlanta, GA

What’s covered in the law? Video surveillance, Electronic communication, Biometrics, All forms of data

Relevant Local/State Surveillance Laws: Law of Georgia on Personal Data Protection

5. Raleigh, NC

What’s covered in the law? Wire, Oral and Electronic Communication, Health Records and Data

Relevant Local/State Surveillance Laws: Off-Duty Use of Lawful Products: N.c. Gen. Stat. § 95-28.2; Immunity from Civil Liability for Employers Disclosing Information: N.c. Gen. Stat. § 1-539.12; Discrimination Based on Aids or Hiv Status: N.c. Gen. Stat. §130a-148(i); Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited: N.c. Gen. Stat. § 15a-287

6. Washington, D.C.

What’s covered in the law? Written, Oral and Electronic Communication, Video Surveillance

Relevant Local/State Surveillance Laws: RCW 9.73.020: Opening Sealed Letter; RCW 9.73.030: Intercepting, Recording, or Divulging Private Communication—consent Required—exceptions; RCW 9.73.270: Collecting, Using Electronic Data or Metadata—cell Site Simulator Devices—requirements.; RCW 9.73.110: Intercepting, Recording, or Disclosing Private Communications—not Unlawful for Building Owner—conditions

7. Seattle, WA

What’s covered in the law? Written, Oral and Electronic Communication, Video Surveillance

Relevant Local/State Surveillance Laws: RCW 9.73.020: Opening Sealed Letter; RCW 9.73.030: Intercepting, Recording, or Divulging Private Communication—consent Required—exceptions; RCW 9.73.270: Collecting, Using Electronic Data or Metadata—cell Site Simulator Devices—requirements.; RCW 9.73.110: Intercepting, Recording, or Disclosing Private Communications—not Unlawful for Building Owner—conditions

8. Baltimore, MA

What’s covered in the law? Online privacy

Relevant Local/State Surveillance Laws: Section 52c: Personnel Records, Review by Employee, Corrections, Penalty

9. San Francisco, CA

What’s covered in the law? Online privacy, Employee information, Privacy on the Job Search, Background Checks, Privacy at the Job

Relevant Local/State Surveillance Laws: Workplace Privacy

10. San Jose, CA

What’s covered in the law? See San Francisco

Relevant Local/State Surveillance Laws: See San Francisco

State Social Media Privacy Laws

Increasing numbers of workers use social media both on and off the job. And while social media increasingly affects the employment process as a whole, employees are being fired for social posts more often each year. In the past decade many employers across the US have asked for access to their employees’ and job applicants’ personal social media accounts. This has sparked controversy and debate over how far companies can go to protect themselves from liability for an employee’s words or actions. 

Employee Perspective 

Some employees and job applicants have expressed concerns about requests from employers or educational institutions for access to usernames or passwords for personal social media accounts. They consider such requests to be an invasion of employees’ privacy, akin to reading a diary or requiring a visit to their home.

Employer Perspective 

Some employers, however, say that access to personal social media accounts of employees is needed to protect the employer’s proprietary information or trade secrets, to comply with certain federal financial regulations or to prevent the employer from being exposed to legal liabilities. 

Workplace Surveillance Stats 

In 2007, the American Management Association conducted a survey of over 300 businesses to explore how they monitor and track employee activity during work hours. Here are some insights: 

  • 39% of employers research candidates on social media
  • 43% of those employers found something that caused them not to hire a candidate. The most popular reasons:
  • Inappropriate photos or information
  • Grievances aired against former employers
  • 19% of employers researching social media found information that caused them to want to hire a candidate. 
  • Communication skills
  • Professional image

Stats About Internet Abuses in The Workplace

25% of corporate Internet traffic is categorized as unrelated to work

64% of employees use the web for personal reasons during work hours

70% of Internet porn traffic occurs during work hours

48% of the worst security breaches at large companies are perpetrated by employees

Arkansas

Citation for Employers: Ark. Code § 11-2-124

California

Citation for Employers: Calif. Lab. Code § 980

Colorado

Citation for Employers: C.R.S. 8-2-127

Connecticut

Citation for Employers: Conn.Gen.Stat. § 31-40x (2015 S.B. 425, Act 16)

Delaware

Citation for Employers: 19 Del. Code § 709A

Illinois

Citation for Employers: 820 ILCS 55/10

Louisiana

Citation for Employers: La. Rev. Stat. § 51:1951 to §§ 1953 and 1955

Maine

Citation for Employers: 26 M.R.S. § 616 to 619 

Maryland

Citation for Employers: Md. Code, Labor and Emp. Law § 3-712

Michigan

Citation for Employers: MCL § 37.271-37.278

Montana

Citation for Employers: Mont. Code Ann. § 39-2-307

Nebraska

Citation for Employers: Neb. Rev. Stat. 48-3501 et seq.

Nevada

Citation for Employers: NRS § 613.135

New Hampshire

Citation for Employers: N.H. Rev. Stat. § 275:74

New Jersey

Citation for Employers: N.J. Stat. § 34:6B-6

New Mexico

Citation for Employers: N.M. Stat. § 50-4-34 (covers job applicants only)

Oklahoma

Citation for Employers: 40 Okla. Stat. § 173.2

Oregon

Citation for Employers: O.R.S. § 659A.330

Rhode Island

Citation for Employers: R.I. Gen. Laws § 28-56-1 to -6

Tennessee

Citation for Employers: Tenn. Code §§ 50-1-1001 to -1004

Utah

Citation for Employers: Utah Code § 34-48-201 et seq.

Vermont

Citation for Employers: 21 V.S.A. § 495l

Virginia

Citation for Employers: Va. Code § 40.1-28.7:5

Washington

Citation for Employers: RCW §§ 49.44.200 and 49.44.205

West Virginia

Citation for Employers: W.V. Code § 21-5H-1

Wisconsin

Citation for Employers: Wis. Stat. § 995.55

Guam

Citation for Employers: 22 GCA § 3501

How Privacy policies are Communicated in the Workplace 

Workplace privacy policies are usually communicated through employee handbooks, by memos, in union contracts, employment contracts and non-disclosure agreements which can be distributed to employees at any time. 

Research Insights:

  • In the workplace, almost any consumer privacy law can be waived. Even if companies give employees a choice about whether or not they want to participate, it’s not hard to force employees to agree. 
  • There are an increasing number of cases of employers asking prospective hires and employees for access to their social media. This has sparked backlash from workers, tech giants and privacy advocates alike.
  • Twenty-five states have passed social media protections for individuals, meaning employers in those states cannot ask a worker for access or passwords to their social media accounts. Similar laws are pending or are up for debate in other states.
  • While there are few privacy protection laws in the U.S., there is the Electronic Communications Privacy Act and Stored Communications Act, as well as state laws about wiretaps, which cover how companies can monitor information. Companies that want to use new monitoring technology need to keep those laws in mind.
  • According to a recent survey by Accenture, even though 62% of executives said their companies are using new technologies to collect data on people — from the quality of work to safety and well-being — fewer than a third said they feel confident they are using the data responsibly.
  • There are no explicit laws or legislation in the United States on the federal level that prohibit employers from monitoring their employees via video surveillance. There are, however, some exceptions. Some workers, who may be engaged in classified or otherwise protected activities in the service of completing their jobs, may be prohibited from surveillance. This is rarer, and circumstantial.
  • California’s data privacy law, the California Consumer Privacy Act, effective in January 2020 , is comprehensive and impactful enough on businesses globally to be comparable to GDPR, the EU’s main regulation for data privacy. This is one of the first state laws to ensure people’s right to online privacy and it covers almost any identifying information a company has on a particular individual. It also applies to California employees, although there is a grace period of 1 year for employers to notify workers what personal information they are using and where. 

Conclusion

Needless to say, a lot can be done to both legislatively, and on a local business level, to draw attention to better techniques for using monitoring products, as well as to create awareness about how products should be used for policy making decisions. 

At the end of the day, both the employee and the employer, have safety and security in mind, and both seek to be respected personally for their basic fundamental rights. A key takeaway to explore is how our privacy policies are communicated in the workplace, and how we can do the best for our fellow employees with our transparency around surveillance options.

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.