Employers who monitor their employees' personal devices–including laptops, smartphones, and tablets–need to understand how to comply with applicable privacy laws.
This article explains what employee monitoring is, details some of the main global privacy laws that apply to employee monitoring, and includes guidelines for compliance.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What Is Employee Monitoring on Personal Devices?
- 2. What Are Some of the Global Privacy Laws That Apply to Employee Monitoring?
- 2.1. General Data Protection Regulation (GDPR)
- 2.2. California Consumer Protection Act (CCPA)/California Privacy Rights Act (CPRA)
- 2.3. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 2.4. Australia Privacy Act of 1988
- 2.5. Lei Geral de Proteção de Dados Pessoais (LGPD)
- 3. What Happens If You Don't Comply With Global Privacy Laws?
- 4. How to Comply with Global Privacy Law Employee Monitoring Requirements
- 4.1. 1. Create a Data Map
- 4.2. 2. Conduct a Data Protection Impact Assessment (DPIA)
- 4.3. 3. Appoint a Data Protection Officer (DPO)
- 4.4. 4. Choose a Legal Basis for Processing Data
- 4.5. 5. Notify Employees
- 4.5.1. Create a Bring Your Own Device (BYOD) Policy
- 4.5.2. Develop a Privacy Policy
- 4.6. 6. Protect and Minimize Data
- 4.7. 7. Respect Employees' Privacy Rights
- 5. A Note on Labor Law Requirements
- 6. Summary
What Is Employee Monitoring on Personal Devices?
Employee monitoring on personal devices is the tracking of employee activities or data for work-related purposes on the employee's device. Examples of employee monitoring on personal devices include having employees download an app on their phone or laptop to track their time or productivity or tracking their location via their devices.
Employee monitoring activities can include:
- Tracking emails
- Monitoring browsing behavior
- Location tracking
- Recording keystrokes
- Screen recording
- Time or performance monitoring
While monitoring may be essential to protect your business's data, it's important to balance employee monitoring with your employee's privacy rights and ensure that monitoring activities are in compliance with applicable privacy and data protection laws.
What Are Some of the Global Privacy Laws That Apply to Employee Monitoring?
There are several state and global privacy laws that protect individuals' personal data–information that can be used (either directly or indirectly) to identify a person. Personal information can include names, ID numbers, usernames, IP addresses, locations, biometric information, and browsing behavior.
Employee monitoring activities typically involve employees' personal information, making them subject to privacy laws.
Many of these laws extend privacy rights to employees and require employers to limit how they monitor their employees and notify employees prior to monitoring.
Let's take a look at some of the main privacy laws that apply to employee monitoring on personal devices.
General Data Protection Regulation (GDPR)
The GDPR is the European Union's (EU) primary privacy law. It applies to organizations that collect or process (use) personal data belonging to individuals in the EU, as well as organizations located outside of the EU that offer goods or services to EU residents or monitor their behavior. The United Kingdom's (UK) GDPR and Data Protection Act provide similar protections for individuals located in the UK.
If the GDPR applies to you, you'll need to have a legal reason for processing EU employees' personal data, explain how and why you process their data, and respond to requests from data subjects (individuals to whom personal data belongs) concerning their privacy rights, among other requirements.
Chapter 3 of the GDPR lists the rights of data subjects, including the rights to access, rectify, and erase their personal data.
California Consumer Protection Act (CCPA)/California Privacy Rights Act (CPRA)
The CCPA/CPRA applies to for-profit businesses that do business in California, collect California consumers' (residents) personal information, and meet at least one of the law's thresholds.
As of January 1, 2023, the CCPA/CPRA covers employee data. CCPA/CPRA requirements include notifying California employees about how you intend to use their personal information and taking steps to honor their privacy rights.
Section 1798.140 of CPRA includes professional and employment-related information in its definition of personal information.
It's important to check the state laws that apply to you and your employees, as states such as Connecticut, Delaware, and New York also have notification requirements for employee monitoring.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to private-sector organizations in Canada that collect, process, or disclose personal information for commercial purposes, including information that crosses provincial or national borders, federally regulated organizations that do business in Canada, and federal employee information.
Under PIPEDA, you can only monitor employees' personal devices if the personal information you collect, use, or disclose is processed for appropriate, reasonable, and clearly identified purposes, and you may need to get consent before processing. You should limit collection, use, and retention of personal data to that which is strictly necessary, and respect employees' rights to access and correct their personal data.
The collection of personal information must be limited to the stated purpose. For example, an employer can't access all info on personal devices, they must only access data related to the job as specified to employees before monitoring begins.
The Office of the Privacy Commissioner of Canada (OPC) is the enforcing authority of PIPEDA.
Its Privacy in the Workplace guidelines explain that employers should limit the collection of employee data to that which is necessary to fulfill their identified purpose, get "meaningful consent" before processing employees' personal information, and ensure employee monitoring is reasonable, proportionate, and minimally invasive.
Australia Privacy Act of 1988
The Australia Privacy Act applies to certain private sector organizations that do business in Australia, Australian government agencies, and organizations located outside of Australia that have an Australian link, such as those that do business in Australia and collect and store Australian individuals' personal information.
If the Australia Privacy Act applies to you, you should inform employees about your proposed monitoring activities, limit the collection and use of employee data to that which is necessary, and honor employees' rights to access and correct their data.
Schedule 1 of the Australia Privacy Act lists the Australia Privacy Principles applicable organizations must abide by, including Principle 5, which states that entities must notify individuals as soon as possible about their reasons for collecting personal information.
Lei Geral de Proteção de Dados Pessoais (LGPD)
The LGPD applies to individuals or entities that offer goods or services to or process personal data belonging to individuals in Brazil or conduct data processing activities within Brazil.
The LGPD requires applicable organizations to have a legal basis for processing personal data, inform individuals of their data collection and processing practices, and honor data subjects' rights, among other requirements.
Article 18 of the LGPD lists data subject rights, including the rights to access, correct, and delete their personal data.
What Happens If You Don't Comply With Global Privacy Laws?
Failure to comply with global privacy laws when monitoring employees' personal devices can result in fines and damage to your business's reputation.
Here are some examples of fines for violating global privacy laws:
- GDPR: If you violate the GDPR, you can face fines of up to the higher amount of €20 million or 4% of the organization's global annual revenue from the previous financial year.
- CPRA: CPRA violations can result in fines of up to $2,500 per violation, or up to $7,500 for each violation involving personal information belonging to an individual under 16 years of age.
- Australia Privacy Act: A serious or repeated privacy violation can result in penalties of up to $2,500,000 AUD for individuals and non-corporate entities. Companies can face penalties of up to $50,000,000 AUD or three times the profit the company made from the violation or 30% of the company's adjusted turnover from the "breach turnover period."
- LGPD: Businesses that violate the LGPD can receive a fine of up to 2% of their revenue from the previous year (excluding taxes), limited to a total of R $ 50,000,000.00 per infringement.
Section 1798.155 of CPRA details the penalties for noncompliance, including fines of up to $2,500 per violation or $7,500 for each intentional violation involving a California resident under 16 years of age.
As you can see, violating global privacy laws can seriously affect your bottom line. Amazon France Logistique, the arm of Amazon responsible for managing its French warehouses, found this out the hard way.
Amazon France Logistique had its French warehouse employees use handheld scanners to track their productivity. CNIL, the French Data Protection Authority, found that the scanners logged idle periods and retained data for 31 days and that Amazon France Logistique failed to provide a Privacy Policy to temporary employees and did not inform employees or visitors of its video surveillance system, violating the GDPR's principles of data minimization, lawful processing, data security, and transparency. On December 27, 2023, CNIL fined Amazon France Logistique €32 million for breaching the GDPR.
Next, let's take a look at how to comply with global privacy laws when monitoring employees' personal devices.
How to Comply with Global Privacy Law Employee Monitoring Requirements
The exact requirements concerning employee monitoring vary by privacy law. While it's important to understand exactly what employee data you collect and process and which laws apply, there are a few best practices you can implement to help you comply with many of the main global privacy laws.
Creating a data map, appointing an officer to be in charge of your privacy practices, and informing employees about your employee monitoring activities are just a few of the steps you can take to comply with applicable privacy laws.
1. Create a Data Map
A data map identifies the types of data you collect and process and how it is used, disclosed, transported, and stored.
A data map supports compliance with global privacy laws by determining the categories of data you use, enabling you to limit data use and retention and assess and address the risk of different data processing activities.
2. Conduct a Data Protection Impact Assessment (DPIA)
Another step you should take when monitoring employees' personal devices is conducting a DPIA.
Laws such as the GDPR and the LGPD require a data protection impact assessment in certain high-risk situations, such as when you are tracking data subjects' behavior or location. A DPIA can help you identify and mitigate potential risks to the data subject.
You'll need to conduct a DPIA before engaging in employee monitoring activities.
Your DPIA should contain the following information:
- A description of your employee monitoring activities
- Your reasons for monitoring employees, including your legitimate interests (if applicable)
- An assessment of the necessity of the employee monitoring and its proportionality compared to your purposes
- An assessment of the risks of employee monitoring to your employees' rights and freedoms
- How you intend to address risks and implement security measures to protect employees' personal data and comply with the law
Article 35 of the GDPR lists the information that a DPIA needs to contain, including a description of and the reasons for the data processing.
Similarly, Article 38 of the LGPD explains that when required, a DPIA needs to include information about the types of data collected and how it is collected and kept secure.
You can use the UK Information Commissioner Office's DPIA template to determine whether you need to conduct a DPIA.
3. Appoint a Data Protection Officer (DPO)
Several privacy laws–including the GDPR, the LGPD, and PIPEDA–may require you to have a DPO (or equivalent officer), depending on your data processing activities. A DPO is the person responsible for overseeing your business's privacy practices and ensuring compliance with applicable laws.
Article 37 of the GDPR explains that DPOs must be appointed if data processing is carried out by a public authority (other than courts), the data controller's (person who makes decisions about how and why to process data) or processor's core activities require regular, systematic monitoring of data subjects on a large scale, or the core activities consist of large-scale processing of special category data (data that requires extra protection, such as biometric or health data).
Even when it's not required by law, appointing someone to be in charge of compliance with privacy laws and to serve as a point of contact for data subjects and enforcing authorities is good business practice.
4. Choose a Legal Basis for Processing Data
Employee data is considered personal data under several privacy laws, including the GDPR, CCPA/CPRA, LGPD, and PIPEDA. Laws such as the GDPR and the LGPD typically require employers to have a lawful basis for processing personal data.
While many organizations use consent as their legal basis for processing data, (and some laws–such as PIPEDA–may require employers to get informed consent before processing employees' personal information) it doesn't align well with employee monitoring, as consent must be specific, informed, unambiguous, and freely given. The inherent power imbalance between employer and employee makes it tricky to establish that employee consent to monitoring is voluntary.
A better fit for a legal basis for employee monitoring is legitimate interests; however, your legitimate interests must be balanced against the employee's rights and freedoms.
Before you start processing data based on legitimate interest, you'll need to determine whether it is the best fit for your circumstances.
The first step in deciding whether legitimate interest is the right legal basis for you is conducting a three-part test, or legitimate interests assessment (LIA).
An LIA consists of:
- The purpose test. First, you need to identify your legitimate interest. You can do this by asking specific questions about why you want to process personal data, who benefits from the processing, and how important the benefits are. Keep in mind that privacy laws such as the GDPR may treat certain data processing purposes–including fraud prevention, network security, and indicating criminal acts or threats to public safety–as legitimate interests.
- The necessity test. Next, you'll need to determine whether your data processing is necessary to fulfill your purposes. This step is achieved by asking questions about whether the processing will help you fulfill your purpose, whether the processing is proportionate to the purpose, and whether you can fulfill your purpose without processing the data or by processing less data or using less intrusive data processing techniques.
- The balancing test. The final part of the LIA is factoring in the data subject's interests. This step is where you determine whether the data subject's rights and freedoms override your legitimate interests. You should examine the types of personal data you intend to process, the data subject's reasonable expectations, and the impact of the data processing on the individual and how you can mitigate potential negative impacts.
For example, let's say you want to track employee productivity via an app they download on their personal devices.
The purpose test can help you determine that your legitimate interest for monitoring employees' personal devices is improving employee performance and identifying areas where you can provide training to increase efficiency.
The necessity test might show that processing employees' personal data is necessary for your purposes, but should be limited to app statistics and not include other device data, such as private communications.
Finally, the balancing test might show that the risks to employees' privacy rights would require implementing measures such as informing employees before processing their data, limiting access to the collected data, and minimizing data.
Once you have finished your LIA and believe that you can justify your reasons for processing personal data and that they outweigh any risks posed to the data subject, you'll want to document the outcome. You should keep a record of the LIA and its result in case of an audit.
It's important to treat your LIA as a living document, and make regular updates reflecting any changes to your data processing or the individuals' personal data.
The UK Information Commissioner's Office maintains a sample LIA template that guides you through each section of the three-part test.
Article 6 of the GDPR covers the six legal bases you must choose from before engaging in data processing activities, including consent and legitimate interests.
5. Notify Employees
Privacy laws including the GDPR, CCPA/CPRA, the LGPD, and PIPEDA require organizations to inform data subjects about processing activities that involve their personal data.
Creating a Bring Your Own Device (BYOD) Policy and a Privacy Policy and ensuring employees have access to these documents before engaging in employee monitoring activities can help you comply with privacy law notification requirements.
Create a Bring Your Own Device (BYOD) Policy
A BYOD Policy is an internal document that describes what types of information are being tracked on employees' devices, how the data is processed and stored, how data is kept secure, and the rules employees must abide by.
Providing employees with a BYOD that covers how they can use their own devices for work-related activities and explains what kinds of monitoring you intend to do and for what purposes can help you fulfill privacy law notification requirements.
The Table of Contents for the Houses of Parliament Restoration and Renewal's BYOD Policy includes clauses about monitoring, compliance, and responsibilities, among others.
Develop a Privacy Policy
Your BYOD Policy can function in conjunction with your Privacy Policy to help you comply with privacy notice obligations.
A Privacy Policy is a legal document that outlines how you handle personal data and how individuals can exercise their privacy rights.
Privacy Policies are often required by data protection laws; the exact information they must contain depends on the individual law.
Article 13 of the GDPR requires data controllers to inform data subjects of their reasons for processing data, including their legal basis for processing.
Maintaining a Privacy Policy that includes the following clauses can help you comply with many privacy laws:
- The identity of the data controller
- The types of personal information you collect and process
- How you collect personal information
- Why you collect and process personal information
- Your legal basis for processing personal information
- Whether you disclose or sell personal information to third parties
- The types of data you share with third parties
- The categories of third parties you disclose personal information to
- Whether you transfer personal data across borders
- How you keep data secure
- How long you retain data
- A list of individuals' privacy rights and a description of how they can exercise those rights
- Whether you use cookies or engage in automated decision-making or profiling
- Whether you use data belonging to children
- How individuals will be notified about changes to your Privacy Policy
- Your contact information
- The contact information of your DPO
The British Museum's Privacy Policy includes sections about how it uses and shares personal data and how it keeps data secure, among other clauses.
6. Protect and Minimize Data
You should only use data that you absolutely need to fulfill your purposes and ensure that it is only used for your stated purposes.
You'll need to take steps to keep data secure when monitoring employees on their personal devices, such as using encryption, requiring multi-factor authentication, and limiting collection and retention of data to that which is necessary to fulfill your purposes.
Article 5 of the GDPR says that personal data must be limited to your stated purposes and kept only as long as necessary to fulfill those purposes.
If the monitoring of personal devices relies on what is known as sensitive or special category data (such as biometric data for a work system login) you will need to ensure that you have strong security measures in place to protect the data and a valid reason for processing the data.
7. Respect Employees' Privacy Rights
Individuals' privacy rights vary by law, but can include the following:
- The right to know what data is being collected about them and how it is processed
- The right to access their personal data
- The right to correct their personal data
- The right to delete their personal data
- The right to limit how their personal information is processed
- The right to object to or opt out of data processing activities, including the sale or sharing of their data
- The right to data portability
- The right to withdraw consent
- The right to appeal actions taken in response to their privacy requests
- The right to be free of discrimination for exercising their privacy rights
- The right to lodge a complaint about how their data is processed
Section 3 (A) of CPRA lists consumers' rights under the law, including the rights to know how their data is being used and control how their personal information is processed. These rights apply to all residents of California, including employees.
Starbucks' Privacy Request Form enables individuals in the US to exercise their rights to know what personal information is collected about them and request to correct or delete their data.
A Note on Labor Law Requirements
In addition to privacy law, employers who monitor employees' personal devices need to understand how to comply with applicable labor laws.
Here are some examples of labor laws that can apply to monitoring employees' personal devices:
- The Electronic Communications Privacy Act (ECPA). The Wiretap Act and the Stored Communications Act (SCA) are sections of this federal law that prohibit employers from monitoring live or stored communications without a legal basis.
- The Fair Labor Standards Act (FLSA). This U.S. law requires employers to accurately track hours worked, among other requirements.
- The Americans with Disabilities Act (ADA). This U.S. law requires employers to provide accommodations to and not discriminate against employees with disabilities, which means that any employee monitoring policies and procedures need to be accessible and fair to all employees.
- Works Council Directives. These EU directives require employers who intend to take actions that could affect working conditions (such as monitoring employees' personal devices) to notify employees and their representatives before doing so.
- Works Constitution Act. This German law requires employers to get the works council's consent before monitoring employees' personal devices.
Section 87 (6) of the Works Constitution Act states that the works council has a say in the introduction and use of technical equipment used to monitor employees.
Tensions between privacy and labor laws may arise in certain circumstances. For instance, privacy law data minimization requirements could potentially clash with labor law hours tracked requirements. This can make it tricky for large companies with employees in multiple jurisdictions to create blanket policies that comply with all applicable laws.
It's important to understand the privacy and labor laws that apply to you and protect your employees and to take steps to comply with all applicable laws. Creating region-specific employee monitoring policies, minimizing data, and clearly communicating your data processing activities to employees and their representatives can help you comply with both privacy and labor laws.
Summary
Employee monitoring on personal devices is when an employer tracks an employee's behavior via their laptop, smartphone, or similar device. Examples of employee monitoring on personal devices include keystroke logging and location tracking.
State and global privacy laws that apply to employee monitoring include:
- The EU's GDPR
- California's CCPA/CPRA and other state privacy laws
- Canada's PIPEDA
- The Australia Privacy Act
- Brazil's LGPD
- South Africa's POPIA
Following these tips can help you comply with state and global privacy laws when monitoring employees' personal devices:
- Create a data map
- Conduct a DPIA
- Appoint a DPO
- Determine a legal basis (or bases) for monitoring employees' personal devices
- Notify employees about your monitoring activities
- Get consent before monitoring employees (if required)
- Protect and minimize employee data
- Establish a BYOD
- Maintain a Privacy Policy
- Honor employees' privacy rights
In addition to privacy laws, you should have an understanding of which labor laws apply to you and protect your employees, potential conflicts between applicable privacy and labor laws, and how to comply with both.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.