TL;DR: Meta's Model Capability Initiative -- mandatory for most US staff -- collected keystrokes and screen content to train AI models. An internal leak exposed medical records and private conversations company-wide. For small teams: using employee activity data for AI training must be disclosed explicitly (with consent documented where the program is voluntary), needs a GDPR legal basis that survives a proportionality test (legitimate interest is fragile for keystroke and screen capture, and consent is not freely given when participation is a condition of employment), and in much of the EU requires works council involvement before launch. Plain productivity monitoring is a different and lower-risk category. Mandatory AI training data collection is new, higher-risk territory.
What Happened at Meta
In April 2026, Meta launched the Model Capability Initiative (MCI), a mandatory program for most US employees. The program collected mouse movements, click locations, keystrokes, and screen content. The stated purpose: use employee inputs as training data to improve Meta's AI models.
Before the data ever leaked, more than 1,600 employees had signed an internal petition opposing the program. Their objections centered on security risks and regulatory concerns, specifically that collecting this volume of sensitive work activity created exposure that did not exist before.
They were right. On June 18, 2026, an internal data leak classified as SEV 2 (mid-to-high severity on Meta's internal incident scale) made private employee conversations, performance data, transcriptions, personal tax records, and medical records accessible across the company. Meta's security team contained the leak within four hours. Meta paused the MCI program for investigation.
Meta's statement: "We have carefully designed this program with privacy safeguards, and while we have no indication at this time that any data was improperly accessed by Meta employees, we're pausing it while we investigate."
The pause did not undo the fact that one of the world's largest technology companies, with dedicated privacy and security teams, had built a mandatory AI training data collection program and then leaked the resulting data company-wide roughly two months after launch.
The Legal Distinction That Matters
Employee monitoring is not one legal question. It is several, and Meta's MCI crossed from settled territory into contested territory.
Productivity monitoring -- tracking time on task, recording screen activity for compliance reviews, logging keystrokes for security auditing -- is a well-understood area. In the US, employers have broad authority to monitor activity on company devices. Employees generally have limited privacy expectations on employer-owned systems. Courts have upheld this consistently. With proper notice, most US employers can run productivity monitoring programs without legal liability.
Using employee-generated data to train AI models is a different question. When an employer treats employee keystrokes, cursor movements, and screen content as raw material to improve a commercial AI product, employees have a reasonable argument that their work product is being converted into company intellectual property without consent or compensation. The employees at Meta who organized the petition made exactly this argument.
This distinction matters for your policy because the legal requirements diverge sharply at this boundary. One is a monitoring question. The other is a data use question, and it carries different obligations under labor law, employment contracts, and privacy regulation.
What the Law Requires
United States
The US has no general federal law requiring employer consent for workplace monitoring. But several frameworks apply:
National Labor Relations Act (NLRA): The NLRA protects employees who engage in concerted activity, meaning collective action around working conditions, whether or not a union is involved. The petition signed by 1,600+ Meta employees is textbook protected concerted activity. Employers cannot retaliate against employees who collectively oppose monitoring programs, and a monitoring program broad enough to capture organizing conversations on company systems raises the separate question of whether it chills that activity. If a mandatory program is implemented over documented employee objection, both kinds of NLRA exposure increase.
State notice requirements: California, Connecticut, Delaware, New York, and several other states require employers to notify employees before monitoring electronic communications or computer activity. The notice requirements vary by state. California's Labor Code has been updated to require disclosure of monitoring practices in employment agreements.
Illinois BIPA: If AI monitoring captures biometric identifiers -- facial geometry from screen activity, iris patterns from video analysis -- Illinois's Biometric Information Privacy Act requires separate written consent and a published retention policy. BIPA's private right of action means individual employees can sue.
Emerging state AI employment laws: Colorado's SB 26-189 and Illinois's artificial intelligence employment disclosure laws regulate how AI systems are used in employment decisions. Using employee-generated data to train AI models that then influence employment decisions creates a loop these laws were written to address.
European Union and UK
GDPR significantly restricts what employers can do with employee data, and monitoring programs face heightened scrutiny.
GDPR Article 6 legal basis: Legitimate interest (Article 6(1)(f)), the most commonly cited basis for employer monitoring, is fragile for keystroke and screen content collection. The Article 29 Working Party (now the EDPB) has consistently held that covert or mandatory surveillance fails the balancing test when less intrusive alternatives exist. Consent is rarely a usable alternative because of the imbalance of power in the employment relationship. And where the captured content includes special category data, such as health information typed into a chat, Article 9 adds a second hurdle on top of the Article 6 basis: processing is prohibited unless one of the Article 9(2) conditions applies, and explicit consent, the condition an employer would most likely reach for, runs into the same freely-given problem.
GDPR Article 88: Member states may introduce more specific rules for employee data processing. Germany, France, and the Netherlands have national legislation that goes further than baseline GDPR. Employers operating across EU jurisdictions need country-specific analysis.
Works council consultation: In Germany and the Netherlands, a technical system capable of monitoring employee behaviour or performance is subject to works council co-determination, meaning the works council must agree before it goes live; in France the CSE must be informed and consulted; most other EU member states have a comparable consultation requirement. This is not optional. Implementing a mandatory program without it creates legal exposure independent of any data leak.
UK GDPR: Post-Brexit, the UK maintains equivalent rules under UK GDPR and the Data Protection Act 2018. The ICO's guidance on monitoring workers (which replaced its older Employment Practices Code) covers AI-assisted surveillance tools and expects a data protection impact assessment for monitoring likely to result in high risk to workers.
What Your Employee AI Monitoring Policy Must Say
If your organization uses any AI tool that collects employee activity data -- even a standard productivity tool -- your acceptable use policy and employee privacy notice need to cover these points explicitly:
What you collect: Name the data types. "System activity logs" is not enough. Specify whether you collect keystrokes, cursor movements, screen content, application usage, communication metadata, or camera/audio from video calls.
Why you collect it: State the purpose. Compliance monitoring, security incident response, and performance management have different legal bases than AI model training. If data is used for AI training, say so explicitly.
Whether it feeds AI training: This is the Meta MCI question. Employees need to know if their work activity becomes training data, for your models or any third-party model. A generic data use clause does not cover this.
Opt-out or consent mechanism: For voluntary programs, document consent and how it can be withdrawn. For mandatory programs in GDPR jurisdictions, consent is not the basis; document the legal basis relied on and the data protection impact assessment, which the EDPB's Article 35 criteria (systematic monitoring, vulnerable data subjects such as employees) make effectively mandatory for this kind of program.
Retention and deletion: How long is monitoring data kept? What triggers deletion? For AI training data, does deletion from the training set require separate action?
Access controls: Who can access raw monitoring data? Is it automated analysis only, or can individual managers pull records?
Breach notification: If monitored data is involved in a security incident, what is your notification timeline? For EU employees, GDPR Article 33 gives you 72 hours from becoming aware of the breach to notify the supervisory authority, and Article 34 requires notifying the affected employees without undue delay if the breach is likely to result in a high risk to them. A leak of medical records and tax documents, as at Meta, clears that bar.
Works council notification (EU): If you have employees in the EU, document whether and when works councils were consulted before any monitoring program was implemented.
For a deeper look at the specific state laws governing employee monitoring tools, see AI employee monitoring laws 2026.
What "Mandatory" Means Legally
Can an employer make an AI monitoring program mandatory? In the US, generally yes -- if the program is disclosed in writing before it is implemented, applies to company-owned devices and company accounts, and does not target protected activity.
The limits are:
Union employees: If your workforce is covered by a collective bargaining agreement, introducing new monitoring technology is a mandatory subject of bargaining. You cannot implement it unilaterally. The union must be given the opportunity to bargain over the program before it goes live.
NLRA protection: Even without a union, employees who collectively organize to oppose a monitoring program are engaging in protected concerted activity. The Meta petition is a precise example. Firing or disciplining employees for signing that petition would be an unfair labor practice.
EU mandatory programs: In GDPR jurisdictions, "mandatory" rules out consent as a legal basis. Consent must be freely given, and if refusal means losing your job, regulators and courts have consistently held that it is not. Mandatory EU monitoring programs need a different legal basis, typically legitimate interest (documented in a legitimate interests assessment) or a legal obligation, and need to survive the necessity and proportionality test: the data collected must be no more than the stated purpose requires, which is exactly the test that keystroke and full screen capture for model training struggles to pass.
For your acceptable use policy framework, including how to handle employee monitoring clauses, see AI acceptable use policy template for small teams. For shadow AI risks that emerge when employees avoid monitored tools, see shadow AI policy for small teams.
