Employee Data Privacy: What Employers Need to Know
- June 5, 2026
- Posted by: allan
- Category: Data Privacy & Cybersecurity
The employment relationship generates an enormous amount of personal data. Employee names, addresses, Social Security numbers, bank account information for payroll, health insurance enrollment and claims, performance evaluations, disciplinary records, communications on company systems, GPS location data for remote workers, biometric data for timekeeping, and background check information are just some of the categories of personal information that employers collect, store, and process in the ordinary course of managing a workforce. Protecting this data — and complying with the legal obligations that govern it — has become a significant compliance challenge for employers of all sizes.
Federal Law and Employee Data
At the federal level, there is no comprehensive employee privacy statute that governs all aspects of employee data collection and use. Instead, a collection of more specific federal laws applies to particular categories of employee data or particular practices. The Fair Credit Reporting Act (FCRA) governs the use of consumer reports — including background checks, credit reports, and employment verification from consumer reporting agencies — in employment decisions. FCRA requires employers to obtain written authorization before obtaining a consumer report on a job applicant or employee, to provide a pre-adverse action notice and a copy of the report before taking adverse action based on it, and to provide an adverse action notice if the employee is denied a position or terminated based on the report.
The Americans with Disabilities Act imposes specific restrictions on the collection of employee medical information. Employers generally cannot require medical examinations or ask disability-related questions before a conditional job offer has been made. After a conditional offer, medical examinations and inquiries are permitted if they are required of all entering employees in the same job category. Once employment has begun, medical examinations and disability-related inquiries are permitted only if they are job-related and consistent with business necessity. All medical information obtained through these processes must be collected on separate forms and maintained in separate medical files, and access must be strictly limited.
The Genetic Information Nondiscrimination Act prohibits employers from collecting genetic information about employees or applicants and from using it in employment decisions. This prohibition has become increasingly relevant as employers explore wellness programs and health screening initiatives that might inadvertently result in the collection of genetic information.
State Employee Privacy Laws
The most significant developments in employee data privacy in recent years have come at the state level. Several states have specifically addressed employee data in their comprehensive privacy laws, and a number of states have enacted standalone laws governing particular practices.
California’s CCPA and CPRA originally exempted employee personal information from many of the law’s requirements, but that exemption expired in January 2023. California employees now have many of the same rights as California consumers: the right to know what personal information the employer collects, the right to delete certain information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of their personal information. Employers of California-based employees must now include employee data in their privacy program and must provide employees with a CCPA-compliant privacy notice at the time of collection. Several other states, including Virginia, Colorado, and Connecticut, have taken similar approaches to extending consumer privacy rights to employees in their own privacy laws.
Illinois’s Biometric Information Privacy Act (BIPA) is directly relevant to many employers because it governs the collection and use of biometric data, including fingerprints and facial geometry, which are commonly used in timekeeping and access control systems. BIPA requires written consent before collecting biometric data from employees, a written retention policy, and strict limitations on disclosure. BIPA’s private right of action, with statutory damages of $1,000 to $5,000 per violation, has generated enormous class action litigation against employers who failed to obtain proper consent before implementing biometric timekeeping systems. Employers implementing any biometric-based system must ensure BIPA compliance in Illinois and should evaluate analogous laws in other states, including Texas, Washington, and New York.
Employee Monitoring: Legal Limits on Workplace Surveillance
Employer monitoring of employee communications, computer activity, and physical location has expanded significantly with the growth of remote work and the availability of sophisticated monitoring technology. Employers have significant latitude to monitor employee activity on company-owned systems and devices, provided they implement appropriate notice policies. The Electronic Communications Privacy Act (ECPA) generally permits employers to monitor employee communications on company networks when employees have been notified that their communications may be monitored and when employees do not have a reasonable expectation of privacy in those communications.
Employee notice is critical. Employers should have a written technology use policy that clearly states that company-owned devices, systems, and networks are subject to monitoring, that employees have no expectation of privacy in their use of company resources, and that monitoring may occur without advance notice. This policy should be acknowledged in writing by all employees.
State law adds another layer of complexity. Several states impose additional requirements or restrictions on employee monitoring. Connecticut and New York require employers to provide written notice to employees before monitoring their electronic communications and telephone calls. California prohibits wiretapping and recording of telephone conversations without all-party consent, which affects how employers may monitor phone calls. Delaware requires employers to provide notice of electronic monitoring at the time of hire and whenever monitoring practices change. GPS tracking of employees — whether through company vehicles or through apps on company-issued devices — is generally permissible during work hours with appropriate notice, but is more legally complex when the tracking extends to time outside of working hours.
Remote Work and Employee Privacy
The expansion of remote work has significantly increased the prevalence of employee monitoring tools, including software that captures screenshots, logs keystrokes, monitors application usage, and tracks productivity metrics. These tools have generated significant legal and ethical controversy. From a legal standpoint, their use is generally permissible on company-owned devices with proper notice, but using them to monitor personal devices or personal activities raises serious legal and privacy concerns.
Employers should be thoughtful about the proportionality of remote monitoring. Collecting the minimum data necessary to manage performance and security is both a legal best practice — consistent with data minimization principles under applicable privacy laws — and a sound workforce management approach. Disproportionate monitoring can damage employee morale, create legal exposure, and, in states with robust employee privacy protections, generate regulatory scrutiny.
Data Security for Employee Information
Employee personal information is a significant target for cybercriminals because it typically includes Social Security numbers, bank account information, and health data — all highly valuable for identity theft and financial fraud. Employer data breaches involving employee personal information trigger the same breach notification obligations as breaches involving customer data. All 50 states have data breach notification laws that require notifying affected individuals when their personal information is compromised in a security incident.
Protecting employee data with appropriate technical and administrative safeguards is both a legal obligation and a basic duty of care to the people who work for you. Access to employee records should be limited to those with a legitimate need, employee records should be stored in systems with appropriate security controls, and payroll and HR vendors who process employee data should have appropriate data processing agreements in place.
Building an Employee Privacy Program
Small and medium-sized businesses do not need elaborate privacy programs to comply with employee privacy obligations, but they do need some basic infrastructure. At minimum, every employer should have a privacy notice for employees that describes what personal information is collected, why, how long it is retained, and what rights employees have. The business should have a technology use policy that addresses monitoring and employees’ expectations of privacy on company systems. The business should have data security policies covering employee records, with appropriate controls on who can access sensitive information. And the business should have processes in place to respond to employee requests under applicable state privacy laws, including requests to access, correct, or delete their personal information.
As state employee privacy laws continue to evolve and as monitoring technology becomes more sophisticated, the compliance landscape for employers will continue to develop. Staying current with applicable state law — particularly in states with active employment and privacy legislation like California, New York, Illinois, and Colorado — is an ongoing responsibility for any business with employees in those states.
