TL;DR: A growing number of US states (New York, Connecticut, and Delaware among them) require employers to notify workers before monitoring them electronically, AI tools included. Federal law constrains monitoring that reaches union organizing discussions (NLRA) and monitoring that collects or infers disability-related information (ADA); biometric consent and retention rules come from state law such as Illinois BIPA. GDPR requires a legal basis, necessity, and proportionality for any monitoring of EU employees. Before deploying any monitoring tool, review state notice requirements, confirm what data is actually collected, set retention limits, and document your legal basis.
AI-powered employee monitoring has expanded far beyond the traditional keystroke logger. Today's tools capture screenshots every 30 seconds, score productivity from mouse movement patterns, run sentiment analysis on Slack messages, assess engagement from video meeting behavior, and generate algorithmic performance predictions that feed into promotion and termination decisions.
The legal environment has not kept pace cleanly, but it has moved. A growing number of US states have notice or consent requirements, and more bills are pending. Federal law has gaps, but also constraints that create real liability. The EU has built a layered framework covering data protection, works council rights, and automated decision-making. Employers who deploy monitoring tools without understanding these rules face civil penalties, class action exposure, and regulatory enforcement.
This guide covers the full current picture: what tools are in common use, what federal law does and does not restrict, what state laws require, what GDPR demands, and how to build a monitoring policy that holds up.
What monitoring tools employers are actually using
Understanding what these tools do is the first step to understanding compliance exposure. Common categories include:
Keystroke logging and screenshot capture: tools like Teramind, ActivTrak, and Hubstaff record what employees type and take periodic screenshots. Some capture every 30 seconds; some are continuous.
Productivity scoring: these tools translate activity data into a numerical score using active minutes, application usage time, and mouse movement. The scores frequently inform performance reviews even when they are poorly validated as predictors of output quality.
Communication analysis: tools that parse Slack messages, email, and video call transcripts for sentiment, policy violations, or disengagement signals. This category carries the most legal exposure because content monitoring touches protected activity and disability-revealing communications.
Location and time tracking: GPS tracking of company vehicles or devices, and remote-worker login pattern monitoring. Several states treat location tracking as a distinct category requiring specific consent.
AI performance prediction: tools that aggregate behavioral signals to predict flight risk or promotion potential, sold as "people analytics" platforms. Under GDPR and emerging US state laws, these predictions can constitute automated decision-making that triggers specific rights.
Federal baseline: ECPA, NLRA, and ADA
No single federal employee monitoring law exists in the US. Instead, three federal frameworks create a floor that state laws then build on.
The Electronic Communications Privacy Act (ECPA), which includes the Wiretap Act and the Stored Communications Act, generally permits employers to monitor communications on employer-owned equipment and networks under two exceptions: consent of a party to the communication, and interception by the provider of the system in the ordinary course of business. In practice, most employers establish consent by putting a monitoring notice in the acceptable use policy and having employees acknowledge it. ECPA itself does not require advance notice; it prohibits interception, and unauthorized access to stored communications, absent an exception. The employer exceptions do not stretch to employees' personal accounts: reading an employee's personal webmail without authorization can create Stored Communications Act liability even when the account was accessed from a company device, and several states layer all-party-consent wiretap statutes on top.
NLRA protections create constraints that many employers overlook. Section 7 of the National Labor Relations Act protects employees' rights to organize, form unions, and engage in concerted activity, including discussions about wages and working conditions, and it applies in non-union workplaces too. The NLRB has long held that surveillance of protected activity, or conduct that creates the impression of surveillance, violates the Act regardless of the technology used. An AI tool that flags Slack messages containing words like "union" or "wage" for management review is therefore a Section 7 problem, not a neutral productivity feature. The NLRB General Counsel addressed electronic monitoring and algorithmic management in a 2022 memorandum (GC 23-02); General Counsel memoranda state enforcement priorities rather than Board law and can be rescinded when the General Counsel changes, so verify the memo's current status instead of relying on a secondary summary.
ADA limitations apply when monitoring tools collect health-related data or support inferences about disability. The ADA bars medical examinations and disability-related inquiries of current employees unless they are job-related and consistent with business necessity. An AI tool that analyzes vocal patterns for stress indicators, or keystroke and mouse dynamics in a way that could reveal a neurological or motor condition, may amount to a prohibited medical inquiry even if nobody intended it as one. The ADA also requires that any medical information obtained be kept confidential and separate from the personnel file. Audit what data each tool actually collects and what inferences it draws, not what its marketing says.
State laws requiring notice
State law is where the current action is. The following states have enacted specific requirements.
Connecticut was among the first. Its electronic monitoring statute (Conn. Gen. Stat. Section 31-48d) requires employers to give prior written notice of the types of electronic monitoring that may occur, posted in a conspicuous place. The notice requirement does not apply when the employer has reasonable grounds to believe employees are engaged in conduct that violates the law, violates the employer's legal rights, or creates a hostile work environment, and monitoring may produce evidence of it. Violations carry civil penalties of up to $500 for a first offense, $1,000 for a second, and $3,000 for each subsequent offense, levied by the Labor Commissioner.
Delaware imposes a similar requirement (19 Del. C. Section 705) on monitoring or intercepting telephone conversations, electronic mail, and internet access or usage. The employer must either give a one-time written or electronic notice that the employee acknowledges, or display an electronic notice each day the employee accesses the monitored system; a login banner satisfies the second option. Each violation carries a civil penalty of $100.
New York has one of the broadest notice requirements. Civil Rights Law Section 52-c, effective May 7, 2022, requires employers to give written notice upon hiring to every employee subject to electronic monitoring of telephone conversations, email, or internet access or usage, and to obtain a written or electronic acknowledgment; the notice must also be posted in a conspicuous place. The law exempts processes that manage the type or volume of email, voicemail, or internet traffic for system performance or protection and are not targeted at a particular individual. The Attorney General enforces it with civil penalties of $500, $1,000, and $3,000 for first, second, and subsequent offenses; there is no private right of action. AI-powered tools that work from email, messaging, or web activity fall squarely within its scope.
California relies on a combination of statutes. The Labor Code has no general electronic monitoring notice statute, but since January 1, 2023 the CCPA, as amended by the CPRA, applies fully to employee and applicant data, so covered employers must give employees a notice at collection describing the categories of personal information collected and the purposes. The California Invasion of Privacy Act (CIPA, Penal Code Section 630 et seq.) requires all-party consent to record confidential communications, which reaches call and meeting recording. Labor Code Section 435 bans audio or video recording in restrooms, locker rooms, and changing rooms. On location tracking, Penal Code Section 637.7 prohibits placing an electronic tracking device on a vehicle without the consent of its registered owner, lessor, or lessee, so tracking company vehicles with notice is generally permissible, while tracking an employee's personal vehicle requires the employee's consent.
Other states with notice or consent requirements include Florida (all-party consent for intercepting oral and electronic communications), Illinois (biometric-specific requirements under BIPA that extend to biometric monitoring in the workplace), Texas (the Capture or Use of Biometric Identifier Act, CUBI), and Washington (its biometric identifier law, RCW 19.375). Washington's My Health My Data Act is sometimes cited here, but its definition of "consumer" excludes individuals acting in an employment context, so do not rely on it as the employee-monitoring statute. The list is growing, and several state legislatures have bills pending.
What you cannot do regardless of state law
Even in states with no specific monitoring notice statute, the following categories carry high legal risk.
Monitoring communications to detect or deter union organizing or protected concerted activity violates the NLRA. This includes training AI tools to flag discussions about wages, working conditions, or union activity. The NLRB's General Counsel has issued memoranda specifically addressing AI-powered surveillance.
Collecting biometric identifiers (facial geometry, fingerprints, voiceprints, retina or iris scans) without written informed consent and a publicly available retention and destruction schedule violates Illinois BIPA; Texas (CUBI) and Washington (RCW 19.375) impose related notice and consent rules without BIPA's private right of action. BIPA exposure is severe: the statute provides liquidated damages of $1,000 per negligent and $5,000 per intentional or reckless violation, settlements have reached hundreds of millions of dollars, and although a 2024 amendment limits recovery to one violation per person per method of collection, exposure across a whole workforce remains large. Fingerprint or face-scan time clocks and door access systems are the classic workplace trigger.
Processing health information through monitoring tools raises ADA issues regardless of whether HIPAA applies, and HIPAA is usually the wrong lens: employment records held by a covered entity in its role as employer are excluded from protected health information, so HIPAA rarely governs workforce monitoring data. The ADA's limits on medical inquiries and its confidentiality rule do apply to every employer it covers. Tools that analyze voice, typing, or behavior to infer mental health status, stress, or disability warrant particular scrutiny.
Monitoring that targets employees of a particular protected class, or that produces a disparate impact on one without being job-related and consistent with business necessity, violates Title VII and analogous state laws. Productivity scores that penalize patterns correlated with disability, pregnancy, or religious observance (irregular hours, screen breaks, scheduled pauses) are the typical route to a disparate impact claim.
GDPR: the EU framework
For employers with EU-based employees, GDPR creates a separate and more demanding layer of requirements.
Article 88 is the starting point. It allows EU member states to set more specific rules for processing employee data in the employment context, covering recruitment, performance management, and workplace safety, and Germany and France have both used it. In Germany, technical systems capable of monitoring employee conduct or performance are subject to works council co-determination under Section 87(1) no. 6 of the Works Constitution Act (BetrVG): the employer needs the works council's agreement, or a conciliation board ruling, before deployment, which in practice lets the council block tools it considers disproportionate. In France, the works council (CSE) must be informed and consulted before monitoring technology is introduced.
Legal basis under Article 6 is mandatory. Employers typically rely on legitimate interest (Article 6(1)(f)) for workplace monitoring. This requires a three-part test: the processing must serve a legitimate interest, be necessary to achieve that interest, and the interest must not be overridden by the employee's rights and freedoms. Consent is rarely a viable alternative because of the imbalance of power between employer and employee; the Article 29 Working Party's Opinion 2/2017 on data processing at work says so explicitly. Courts and regulators in Germany and the Netherlands have rejected monitoring systems that failed the balancing test, particularly where less intrusive alternatives were available.
Necessity and proportionality are substantive requirements under GDPR, not formalities. The European Court of Human Rights set out the factors in Bărbulescu v. Romania (2017): whether the employee was notified in advance, the extent of the monitoring and the degree of intrusion, whether there were legitimate reasons for it, whether less intrusive methods would have sufficed, the consequences for the employee, and the safeguards in place. Indiscriminate, continuous screenshot capture of every employee is the kind of measure that fails this test; targeted monitoring of an employee under a documented performance improvement plan, with notice and a defined duration, has fared better.
Article 22 rights apply when monitoring data feeds into decisions based solely on automated processing that produce legal or similarly significant effects. If productivity scores directly determine bonuses, or if algorithmic flight-risk predictions trigger management interventions, employees have the right to obtain human intervention, to express their point of view, and to contest the decision, and under Articles 13 to 15 they are entitled to meaningful information about the logic involved. A manager who rubber-stamps the score does not make the decision non-automated, and the CJEU's SCHUFA judgment (C-634/21, 2023) treats the score itself as a decision where it plays a determining role in the outcome.
Data Protection Impact Assessments (DPIAs) under Article 35 are mandatory where processing is likely to result in a high risk to individuals' rights, and systematic monitoring of employees, who count as vulnerable data subjects because of the power imbalance, almost always qualifies under the EDPB's criteria; several national supervisory authorities list employee monitoring on their mandatory-DPIA lists. The DPIA must assess the necessity and proportionality of the processing, the risks to employee rights, and the measures to address those risks. Supervisory authorities in several EU countries have published specific guidance on DPIAs for employee monitoring.
Building a compliant monitoring policy
In the US states with notice statutes, a written monitoring policy is how the notice requirement is usually satisfied; under GDPR, the transparency obligations of Articles 13 and 14 and the accountability principle make the documentation mandatory. Here is what the policy must contain.
Scope statement: what systems, devices, applications, and activities are subject to monitoring. Be specific. "All company-owned devices and accounts" is the minimum; better practice is to name the specific tools in use.
What data is collected: whether screenshots, keystrokes, communications content, location, biometric data, behavioral scores, or predictive analysis outputs are collected. Do not rely on vendor marketing; read the data processing agreement and the tool's technical documentation.
Purpose limitation: explain why the data is collected and what it is used for. Under GDPR, data collected for a stated purpose cannot be repurposed without a new legal basis.
Retention schedule: how long each category of monitoring data is retained and when it is deleted. Many employers default to indefinite retention, which is indefensible under GDPR's storage limitation principle (Article 5(1)(e)), is expressly prohibited for biometric data under BIPA, and is increasingly hard to justify under US state privacy laws. Tie the period to the stated purpose and enforce it automatically rather than by manual clean-up.
Access controls: who can access monitoring data. Limit access to managers with a legitimate need, security personnel, and HR in documented circumstances. Log access to monitoring data.
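As an added illustration of the retention and access-control components above (example code written for this page, not a vendor product or any statute's text), the following Python sketch keeps monitoring records in a store that refuses to ingest any category without a retention period, deletes records past their limit, and writes every read attempt, granted or denied, to an access log with the requester's stated purpose. The record categories, retention periods, role names, and org chart are assumptions; a real deployment would back this with a database and an identity provider.

```python
"""Retention enforcement and access logging for employee monitoring data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MonitoringRecord:
    category: str          # assumed categories: "screenshot", "location", "score"
    employee_id: str
    collected_at: datetime


class RetentionPolicyError(ValueError):
    """Data arrived for a category that has no retention period."""


class MonitoringStore:
    """Holds monitoring records; refuses indefinite retention, logs every read."""

    def __init__(self, retention_days, manager_of, role_purposes):
        self.retention_days = retention_days    # category -> max age in days
        self.manager_of = manager_of            # employee_id -> manager user id
        self.role_purposes = role_purposes      # role -> purposes it may cite
        self.records = []
        self.access_log = []

    def ingest(self, record):
        # Default deny: a category with no schedule is never stored, so nothing
        # is retained indefinitely by accident.
        if record.category not in self.retention_days:
            raise RetentionPolicyError(
                f"no retention schedule for category {record.category!r}")
        self.records.append(record)

    def expire(self, now):
        """Delete records older than their category's limit; return count deleted."""
        keep = [r for r in self.records
                if now - r.collected_at < timedelta(days=self.retention_days[r.category])]
        deleted = len(self.records) - len(keep)
        self.records = keep
        return deleted

    def read(self, requester, role, employee_id, purpose, now):
        """Return one employee's records; log the attempt whether or not it is granted."""
        allowed = bool(purpose.strip()) and purpose in self.role_purposes.get(role, set())
        if role == "manager":   # managers only see their own direct reports
            allowed = allowed and self.manager_of.get(employee_id) == requester
        self.access_log.append({"at": now, "requester": requester, "role": role,
                                "subject": employee_id, "purpose": purpose,
                                "granted": allowed})
        if not allowed:
            raise PermissionError(f"{requester} ({role}) denied access to {employee_id}")
        return [r for r in self.records if r.employee_id == employee_id]


NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # fixed clock for the example


def build_demo_store():
    """Constructed sample data: periods, names and org chart are assumptions."""
    store = MonitoringStore(
        retention_days={"screenshot": 30, "location": 7, "score": 365},
        manager_of={"e100": "mgr_ann", "e200": "mgr_bob"},
        role_purposes={"manager": {"performance_review"},
                       "security": {"security_investigation"},
                       "hr": {"documented_hr_case"}},
    )
    store.ingest(MonitoringRecord("screenshot", "e100", NOW - timedelta(days=45)))
    store.ingest(MonitoringRecord("screenshot", "e100", NOW - timedelta(days=2)))
    store.ingest(MonitoringRecord("location", "e200", NOW - timedelta(days=8)))
    store.ingest(MonitoringRecord("score", "e200", NOW - timedelta(days=100)))
    return store


def demo():
    """Run the controls against the constructed data and return the outcomes."""
    store = build_demo_store()
    out = {"deleted": store.expire(NOW), "remaining": len(store.records)}
    try:   # keystroke data has no schedule, so it must be refused
        store.ingest(MonitoringRecord("keystroke", "e100", NOW))
        out["unscheduled_rejected"] = False
    except RetentionPolicyError:
        out["unscheduled_rejected"] = True
    out["own_report"] = len(store.read("mgr_ann", "manager", "e100",
                                       "performance_review", NOW))
    try:   # a manager reading someone else's report is denied, and the denial is logged
        store.read("mgr_ann", "manager", "e200", "performance_review", NOW)
        out["other_report_denied"] = False
    except PermissionError:
        out["other_report_denied"] = True
    out["log_entries"] = len(store.access_log)
    out["last_granted"] = store.access_log[-1]["granted"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the compliance weight: ingestion fails closed when a data category has no retention period, so "we never got around to setting one" cannot produce indefinite retention, and the access log records denials as well as grants, which is what an investigator or supervisory authority will ask for when an employee alleges their data was browsed without cause.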
Employee rights: how employees can request access to their data, correct errors, or raise concerns about monitoring. In GDPR jurisdictions, include the full menu of data subject rights.
Notice: in states requiring written notice, include the notice in onboarding documentation and obtain a signed acknowledgment.
Pre-deployment checklist for any new monitoring tool
Use this checklist before deploying any new AI monitoring tool:
- Identify all data the tool collects at a technical level, not just what the vendor describes in marketing materials.
- Confirm whether the tool collects biometric data. If yes, trigger your biometric data compliance workflow (consent, retention policy, BIPA/CUBI/analogous state law review).
- Check state notice requirements for every state where employees will be monitored. If the tool is deployed in New York, Connecticut, or Delaware, written advance notice is required.
- Assess whether the tool monitors communication content. If yes, conduct an NLRA review to confirm the tool cannot be used to surveil protected concerted activity.
- Review what automated decisions or scores the tool generates and whether those scores will inform employment decisions. If yes, document the human review process.
- For EU employees: conduct a DPIA, document the legitimate interest balancing test, confirm works council consultation requirements in the relevant member states, and review Article 22 compliance.
- Negotiate a data processing agreement with the vendor covering data retention, sub-processor disclosure, breach notification, and deletion on contract termination.
- Update your monitoring policy, obtain required acknowledgments, and train managers on what is and is not permitted.
Related reading
- AI governance for HR teams: complete guide 2026
- AI acceptable use policy template for small teams
- GDPR Article 22 and automated decisions: employer guide 2026
- NYC Local Law 144: AI bias audit employer guide 2026
- FCRA AI hiring disclosure requirements 2026
- AI tool register template
- AI governance guide for small teams
