Employers have various interests in monitoring employees’ electronic activity on company systems. With an increasing number of businesses allowing remote work throughout and following the Covid-19 pandemic, some companies have sought to implement technical means to keep an eye on their employees’ online activity.  For example, employers may want to monitor this activity as a means to manage productivity and performance.  Enter: “Bossware.”

What is bossware?

“Bossware” is an informal term for computer monitoring tools and software that can track employee activity on a device.  Bossware can be used to measure workplace productivity, idleness, patterns of usage, and digital interactions with third parties.  Employers may use this technology to monitor certain communications to ensure employees are not violating their policies, such as those surrounding anti-harassment, anti-discrimination, or confidentiality.  In the words of critics, it is a means to “spy” on employees.

Privacy and security implications

To be sure, many employers disclose that company devices, such as laptops, tablets, and smartphones, may be subject to review or surveillance. But balancing that disclosure against the cultural sense that “big brother is watching you” can be difficult.  In addition, emerging state privacy laws, such as 2023’s California Privacy Rights Act, require employers to provide notice not just about the information that may be collected about employees, but also the rights those employees have with respect to that information. As a company collects more information about its employees, that company will need to invest more time and energy in reviewing and processing data subject requests such as audits of information collection or even erasure. Employers considering employee monitoring technology should err on the side of transparency in privacy notices to disclose these practices and the extent to which any information is shared with third parties.

From a security perspective, the damage and disclosure efforts following a data breach are directly related to the volume and categories of information impacted.  Simply put, if an employer is collecting and storing vast amounts of data surrounding an employee’s online activity, that employer will need to adjust its security measures to account for the variety of data being processed.  In the event of a data breach, surveillance data may be subject to notice disclosure and your company’s monitoring practices may end up being scrutinized by interested state agencies. A key consideration for storing employee-monitored data is whether it is worth collecting at all.  When it comes to security, sometimes the best protection is not having the data in the first place.

Employment law implications

Despite well-intentioned reasoning, employers must balance any perceived need to monitor this activity with the risk posed by relevant federal and state laws.  For example, the Federal Wiretap Act can prohibit intercepting certain communications over the phone, through email, or on the internet. Through a limited exception, employers are permitted to monitor electronic communications on the employer’s communication systems, like the company’s email system. But employers must exercise caution before monitoring an employee’s communications through personal platforms, like Gmail or Twitter, even when accessed on company equipment. Unless the employee has consented to the employer’s interception of those communications, the employer may face risk for doing so.  Individual states may have more restrictive versions of the Federal Wiretap Act, and those statutes must be reviewed.

Employers must also consider potential invasion of privacy claims, which require an analysis of the relevant state law. Typically, a clear and transparent notice of intended monitoring will limit the viability of those claims.  When carrying out its monitoring practices, an employer must do so on a fair and consistent basis in order to avoid the perception of targeting employees who belong to protected classes. Employers may also need to investigate complaints if monitoring reveals them. And if an employer learns of an employee’s protected characteristic (such as a non-obvious disability), it must not take any adverse action against the employee based on that characteristic.  This also means that the employer will no longer have a lack-of-knowledge defense if an employee later claims discrimination or retaliation based on that same characteristic.  Finally, employers must consider Section 7 of the National Labor Relations Act (“NLRA”), which prohibits employers from restricting employee discussion of matters that affect the terms and conditions of employment.  For example, monitoring may reveal a particularly negative discussion between employees about company practices or someone in management.  Disciplining employees for this type of discussion may violate the NLRA, and must be approached with caution.

Before going forward with any monitoring practices, employers should develop and implement a detailed policy advising the workforce of what to expect.  At a minimum, this policy should:

  • reserve the employer’s right to monitor all electronic correspondence and employee activity on its equipment and services, including personal correspondence and activity;
  • explain how the employer is monitoring employee activity (key strokes, periodic screenshots, etc.) and how long that information is retained;
  • advise employees that they should have no expectation of privacy in electronic communications or activity on company systems; and
  • include a statement that nothing in the policy is intended to restrict or limit an employee’s NLRA Section 7 rights.

Depending upon your governing jurisdiction, such as California, your company may also be required to disclose categories of personal information collected, third parties receiving that information, and available data subject rights, such as the rights to audit, to limit processing, and to deletion. Even if your company is not governed by an applicable privacy statute, these disclosures are simply a best practice and can be helpful in mitigating potential employment law risks.

Most importantly, the employer should obtain every employee’s written acknowledgment that the employee received the policy, reviewed it, understood it, and that the employee consents to the employer’s monitoring practices.

For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.