Key cards, private e-mail accounts, audio and video surveillance and password-protected computer workstations make the workplace more efficient and safer. They also have dramatically changed the landscape of employee privacy. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation governed by human limitations.
Technological advancements have allowed companies to “supervise” their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employer fraud, theft and other misconduct stay low. Yet, employers must also be mindful of applicable local, state and federal laws that may protect employees.
As an employer’s ability to monitor and record their employees’ workplace conduct increases, so does the risk that employees will complain. Some employees have even sued their employers, claiming violations of their “right to privacy.” Federal laws and the laws of most states do recognize some employee privacy interests. Therefore, an employer must consider employee privacy interests when it monitors employee conduct.
Employers should be aware of all applicable federal and Colorado laws (and understand that the law of privacy is in flux) when formulating policies to monitor employee conduct. Colorado employers should also be mindful that they may be subject to privacy laws of various other states, which may change over time (e.g., due to relocation of remote employees or expansion of business). For example, the semi-recent California Consumer Privacy Act (CCPA), effective January 1, 2020, and the California Privacy Rights Act (CPRA), effective January 1, 2023, with a look-back to data gathered on or after January 1, 2022, have requirements pertaining to employee data that may apply to out-of-state employers who do business in the state of California and:
As another example, effective May 7, 2022, the A.430/S.2628 amendment to the New York Civil Rights Law imposes notice requirements prior to certain monitoring of employees for any employers having a place of business within New York State.
An employer should have legal counsel review its privacy policies to ensure compliance with federal and all applicable state laws.
An employer should also be mindful of the effect of monitoring policies on employee morale. A monitoring policy that is legal, but that employees view as unfair and unnecessary, may ultimately hurt productivity. An employee who thinks that his or her employer has unfairly invaded his or her privacy is more likely to seek a lawyer, pursue litigation or campaign for more protective laws.
In 1968, Congress enacted the federal Wiretap Act as part of the Omnibus Crime Control and Safe Streets Act of 1968 in an effort to protect wire and oral communications of individuals. As more advanced methods of communication became available, Congress amended the Wiretap Act to prohibit the intentional interception, accession, disclosure or use of electronic communications.
In general, the Wiretap Act forbids interception of wire, oral or electronic communication through the use of an electronic, mechanical or other device and establishes a civil cause of action for any such violation. The Wiretap Act does not apply to video surveillance but does apply to oral communication intercepted in conjunction with such surveillance.
In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), in reaction to increasing concern that threats to civil liberties were being made possible by emerging technologies. The ECPA essentially modified some of the provisions of the federal Wiretap Act and added a section, the Stored Communications Act (SCA). The ECPA is now the principal federal law governing the interception of oral, wire and electronic communications and the retrieval of stored electronic communications. Title I of the ECPA includes amendments to the Wiretap Act and governs the interception, access, use and disclosure of electronic communications. Title II of the ECPA is known as the SCA and governs the privacy of e-mails that are in storage.
The ECPA regulates when electronic communications can be intercepted, monitored or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. The ECPA focuses on the transfer of data – the time during which the packets of data are traveling between one point and the other. This has created an “on the wire” versus “off the wire” distinction that is becoming more difficult as technology advances.
The ECPA amendments are not very clear, and courts have been critical of the ECPA’s statutory language. What was once a clear distinction between interception of communications in transit vs. collection of stored messages in the telephone context is now muddled with e-mail. The SCA forbids unauthorized “access” to an “electronic communication while it is in electronic storage.” Courts have grappled with the interaction between these two provisions, as well as the respective legal boundaries of the ECPA and the SCA. For example, courts have recently held that draft e-mails are not in “electronic storage” as defined by the SCA. There are a number of proposals for reforming the ECPA currently pending in front of Congress; however, none of the proposals have yet made it through both houses of Congress.
Under the ECPA, an oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” If the parties communicate and behave in such a way that suggests that they intend their conversation to be private, it constitutes a protected “oral communication.” Therefore, conversations among employees, even in a public workspace, can sometimes be protected oral communications if spoken in private beyond the hearing range of others.
This category includes communications transmitted on any system that can function in interstate commerce, which covers telephone and possibly fax communications.
Electronic communications include many of the communications that are widely used in today’s workplace, such as cellular telephones, e-mail, voicemail, pagers and messages transmitted over the Internet.
Courts are less inclined to allow interception of employee communications where employers are attempting to monitor the content of personal phone calls. When monitoring communications, an employer should stop the interception as soon as it realizes the communication is of a personal nature. This does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.
Interception under the Wiretap Act is the “aural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” Courts have interpreted interception in a variety of ways.
The Wiretap Act’s general prohibition on interception has three major exceptions:
This exception enables owners of a wire or electronic communications system (such as a server) to routinely review communications in order to manage and safeguard the system’s information.
This exception pertains to interceptions made in the normal course of the electronic communication provider’s business. In order for this exception to apply, the intercepting equipment must be “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business” and the interception must be used by the provider “in the ordinary course of its business.” Therefore, where employees use the telephone to conduct their business and the employer routinely uses monitoring equipment such as a telephone extension to check quality and customer service, the monitoring will probably fall within the business use exception.
The consent exception
If a party to the communication consents to being monitored, there can be no interception of the communication. The employer need not obtain express consent to avoid violation of the FCRA. By implementing a policy permitting employer monitoring of e-mail, voicemail and telephone calls and requiring employees to acknowledge their understanding of that policy, consent will be implied. However, and importantly, if an employee only consents to monitoring of his or her business-related calls, he or she will not be deemed to have consented to the monitoring of personal calls. An employee who uses a line that he or she knows to be monitored for business purposes may be found to have consented to the monitoring. Written consent by an employee is the strongest defense against an ECPA claim.
Employers may film an employee in public areas as part of an investigation of the employee’s claim for workers’ compensation. In addition, courts have rejected employees’ claims that filming activities at home constitute an invasion of privacy if the activities could be viewed by neighbors or passersby. Courts have found that because employees should expect claims of injury to be investigated, surveillance conducted in a reasonable and unobtrusive manner will not give rise to liability for invasion of privacy if the activities could be observed by a neighbor or passersby.
However, the use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can threaten employee privacy rights in some cases. Video monitoring may violate privacy rights in at least three circumstances:
An employer can eliminate this expectation, however, if it has a legitimate business need to conduct video monitoring and notifies employees of the monitoring in advance.
Generally, employers may monitor employee activities to analyze performance or investigate misconduct, as illustrated by the following examples of conduct courts have found to be legal:
Such monitoring need not be restricted to the workplace. It should, however, be confined to public areas. For instance, monitoring an employee doing yard work while on workers’ compensation leave is allowable, but monitoring them after they have entered their home is not.
Listening to employees’ business-related telephone calls is one of the most common forms of workplace monitoring. Companies dependent on telephone communications often listen in on employees to evaluate the quality of their interaction with the public.
Stored communications can take many forms, but most commonly include computer files and e-mail messages that have been archived. The SCA prohibits unauthorized access, interception and disclosure of information stored in electronic form.
Employers rarely face challenges under the SCA as the act contains an exemption for conduct authorized by the person or entity providing a wire or electronic communications service. This allows employers that provide electronic communication services to access messages once they are stored in their computer or telephone systems without notifying employees of the access.
It is also important to note that exclusively internal e-mail systems provided by employers might be outside the scope of the SCA because such a service would not technically be provided to the public.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) may also influence workplace privacy. The PATRIOT Act, which is mainly designed to combat terrorism, gives government agencies extensive search power, allowing them to conduct surveillance both traditionally and electronically to track and apprehend terrorists.
The PATRIOT Act has loosened some of the restrictions under the ECPA on the government’s ability to access electronic information and surveillance, making it easier for the government to obtain “wire communication” evidence such as voicemail, e-mail and other electronic communications captured and stored by employers. Certain provisions of the PATRIOT Act allow the government to conduct surveillance while delaying notice. If notifying the target would negatively impact the investigation, the government may delay notification. The government can also monitor someone’s office, computer or e-mail without notifying the individual until after the monitoring has been done. Further, instead of having to obtain a wiretap order, the government can access the content of stored voicemail messages using only a search warrant. The government may also use a search warrant to obtain the contents of unopened e-mails that have been stored for 180 days or less. Employers should be aware that their communications systems are now open to the government. Therefore, employers have a vested interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.
Employers should also monitor regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act, which restricts access to personal health information. In the case of large multinational companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance. For instance, the European Union’s General Data Protection Regulation (GDPR) requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information. Additionally, member states or non-member states, such as the United Kingdom, may adopt or expand upon the requirements of GDPR on a national or local level.
As a result of the COVID-19 pandemic, many employers have been torn between protecting employee privacy interests and protecting others in their workforce from the spread of the virus. Information regarding the medical condition of an employee who tests positive for COVID-19 is treated as medical information that the employer must protect against disclosure except in limited circumstances as permitted by the Americans with Disabilities Act (ADA). At the same time, COVID-19 is a nationally notifiable disease, which, when diagnosed, must be reported by healthcare providers to government health departments. The health departments are responsible for leading case investigations and contact tracing. In carrying out this role, they will ask the patient questions about work status, work environment and persons they have been in touch with. Employers are encouraged by the Centers for Disease Control and Prevention (CDC) to permit health department-initiated interviews, site visits and record reviews to identify close contacts who may have been exposed to the virus bearer. It is permissible for employers to provide identifying information to the health department under these circumstances. For additional information, please see Chapter 13: Disabilities and reasonable accommodation. Or visit:
Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse and other wrongdoing. Especially in light of post-9/11 security concerns, employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.
Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers or lockers – that has been provided for employee use. The employer may also want to search the property of an employee, like a purse, gym bag or briefcase. Finally, an employer might search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can constitute an invasion of employee privacy rights.
Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally allowed if the employer has a legitimate business reason and the search is limited to what is necessary. If possible, an employer should contact the employee before conducting this type of search. It would also be prudent to include a section in the employee handbook regarding parameters for searches. For instance, an employer may want to establish and communicate a policy that any items brought onto company property are subject to search.
Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it will amount to an invasion of privacy. A search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key. As discussed herein, an employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in an employee handbook or by posting a policy, that lockers, desks and offices may be searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person or using force.
Another way employers may monitor employees is by conducting investigations:
There are many legal issues implicated in employer investigations, which are covered in Chapter 22: Workplace investigations.
Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by law. Testing for illegal drugs is not covered by the ADA. Psychological tests may have an adverse impact on minority applicants or employees and therefore raise an inference of discrimination (see Chapter 13: Disabilities and reasonable accommodation). As a general rule, employers should work with counsel to develop testing policies that comply with all applicable employment laws.
The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continues to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:
Employers can be held liable for making false or misleading public statements about their employees. The employer may be held liable if it discloses false or misleading information that is highly offensive or insulting and acts in an intentional or reckless disregard for the truth.
Traditionally, lawsuits alleging defamation against employers arise most often in the context of employee references. Employers should take great care in providing references by making sure that all employee references come from a central source and are truthful and accurate. Generally, mere personal opinions will most likely not give rise to liability.
A false light or defamation lawsuit may also be prompted by false, misleading or derogatory e-mails about an employee. Employers are well advised to discourage any communication (electronic or otherwise) that contains potentially false or derogatory comments about an employee, regardless of who is sending or receiving the communication. This includes the use of social media sites such as Facebook, Instagram, Twitter and LinkedIn. Employees should be cautioned that leaving comments for others that cast the employer or its employees in a negative light violates company policies and could result in termination. Employers must be cautious about total prohibitions of discussions related to the employer on social media or otherwise. E-mails or postings related to the terms and conditions of an employee’s employment cannot be prohibited.
An employer may also face liability by appropriating an employee’s name or likeness to the employer’s advantage, such as when an employer uses an employee’s name or likeness to advertise the employer’s business or product. However, this is rare in the employment context. Nevertheless, employers should remain aware of the potential for liability in this context.
Polygraph tests, also known as lie detector, deceptograph, voice stress analyzer and psychological stress evaluation tests, are investigative tools occasionally considered by employers when conducting employment-related investigations. However, employers may use such tests only in very limited circumstances as state and federal law govern the use of polygraph tests in the workplace.
The Employee Polygraph Protection Act (EPPA) also severely restricts private-sector employers from administering polygraph tests to current and prospective employees except under extremely limited circumstances. The EPPA applies to most private employers and does not apply to public-sector employers, except for certain employees of the federal legislative branch.
Employees may not waive by contract or a release the rights and procedures provided by the EPPA unless the waiver is the result of a written settlement agreement based on a pending EPPA action or claim.
The prohibition on employer-conducted polygraph tests extends to any person acting directly or indirectly in the interest of an employer in relation to an employee or prospective employee. Employers and their agents may not:
The Secretary of Labor through the Administrator of the Wage and Hour Division enforces the EPPA and may impose civil penalties of up to $23,011 against an employer. The Secretary of Labor also may bring a court action against an employer. If a court determines that an employer violated the EPPA, the court can issue an injunction against the employer and also can award employment, reinstatement, promotion, lost wages and lost benefits to the affected individuals.
Likewise, individuals affected by an employer’s misuse of the EPPA may bring a private court action against the employer in either state or federal court. In the event a court determines an EPPA violation occurred, the affected individual could receive employment, reinstatement, promotion, lost wages and lost benefits. Furthermore, the court, in its discretion, may allow the prevailing party to recover reasonable costs, including attorneys’ fees. An individual who believes an employer has violated the EPPA must file such claim, in court, no more than three years after the date of the alleged violation.
Although the EPPA essentially prohibits a private employer from conducting – or causing to be conducted – a polygraph test, several exemptions exist. Half of the exemptions apply only to the federal government and serve mostly to reinforce the general exception for public employers. However, the other exemptions apply to private employers in certain limited situations.
The federal government, in the performance of any counterintelligence function, may administer a polygraph test to any employee, contractor, expert or consultant working for or under contract to the Department of Defense and/or the Department of Energy in connection with the atomic energy defense activities.
The federal government, in the performance of any intelligence or counterintelligence function, may administer a polygraph test to any applicant, employee, expert, consultant or individual employed by, assigned to, detailed to or under contract to the National Security Agency, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the Central Intelligence Agency or any individual assigned to a space where sensitive cryptologic information is produced, processed or stored for any such agency. Likewise, the federal government may administer a polygraph test to any employee, expert or consultant under contract with any federal government department, agency or program whose duties involve access to information that has been classified at the level of top secret or designated as being within a special access program under certain Executive Orders.
The federal government, in the performance of any counterintelligence function, may administer a polygraph test to the employee of a contractor for the Federal Bureau of Investigation (FBI) when that employee is engaged in the performance of any work under contract with the FBI.
When the primary business purpose of a private employer consists of providing armored car personnel, personnel engaged in the design, installation or maintenance of security alarm systems or other uniformed or plainclothes security personnel, the private employer may administer polygraph tests to employees whose duties include protecting facilities, materials or operations having a significant impact on the health or safety of any state or political subdivision or the national security of the United States. Examples include:
This special exemption for security services applies only to the employees actually employed to protect such facilities, materials, operations or assets and not to all employees of the employer.
Any employer authorized to manufacture, distribute or dispense controlled substances may administer polygraph tests in limited circumstances to employees and prospective employees when the individual has, or will have, direct access to the controlled substances. For an existing employee, the employer may conduct a polygraph test only in connection with an ongoing investigation of criminal or other misconduct.
For the average private employer, only the “ongoing investigation” exemption likely applies. Unfortunately, this limited exemption seldom fits most situations due to the strict regulation of its use. For an employer to take advantage of the ongoing investigation exemption the employer must ensure the following:
The statement provided to the employee prior to testing must be signed by a person legally authorized to bind the employer and must be retained for at least three years from the date of testing. The statement must identify the specific economic loss or injury to the business of the employer and must indicate that the employee had access to the property that is the subject of the investigation. Furthermore, the statement must describe the basis of the employer’s reasonable suspicion that the employee was involved in the incident or activity under investigation. If the employer’s statement fails to meet these detailed requirements, the ongoing investigation exemption will not apply.
Even on the rare occasion when a private employer discovers that an exemption may allow for a polygraph test, the EPPA further restricts the use of any polygraph results. The three exemptions applicable to private employers are:
The EPPA still prohibits an employer from using solely the results of a polygraph test in determining whether to discharge, discipline, deny employment or promotion or otherwise discriminate against the tested individual. In other words, an employer must be able to provide other supporting evidence (in addition to the results of the polygraph test) to lawfully discharge, discipline, terminate, refuse to hire or otherwise discriminate against a tested individual.
In the event that a private employer may test an individual, the EPPA provides specific rights to the individual being tested.
Throughout all phases of the testing, the employer must allow the individual to terminate the test at any time and the examiner may not ask questions designed to degrade or intrude on the individual. Specifically, the examiner may not ask any questions concerning:
An employer may not test an individual who provides sufficient written evidence from a physician that the individual suffers from a medical or psychological condition that might cause abnormal responses during the test.
The EPPA further restricts testing depending on the phase of the testing.
During the pretest phase, an employer must provide the individual with reasonable written notice of the date, time and location of the test and inform the individual that he or she may consult an attorney or an employee representative before each phase of the test. The individual must receive written notice of the nature and characteristics of the test, the instruments involved, whether the testing area contains a two-way mirror, camera or other device through which the test can be observed, whether any other device will be used and whether or not the employer or individual may make a recording of the test.
The employer also must provide a written statement for the individual to sign. This statement must include a notice that the individual cannot be forced to take the test as a condition of employment and that any statement made during the test may constitute additional supporting evidence for taking an adverse employment action against the employee. This statement also must include a summary of the limitations imposed under this section and the legal rights that are available to the individual if the exam is not conducted according to the EPPA. In addition, the statement must remind the individual of the employer’s rights under the EPPA, including that the employer may turn over, to the appropriate governmental agency, any admission of criminal conduct.
As a final condition on testing, the EPPA requires that, prior to the test, the individual be provided an opportunity to review all questions to be asked during the test and be informed of the right to terminate the test at any time.
During the actual testing, the individual may not be asked any question that was not presented in writing for review prior to the test.
Before the employer may take any action based on the results of the test, the employer must:
The EPPA provides for limited disclosure of information obtained during a polygraph test. The polygraph examiner may disclose information to the examinee, someone specifically designated in writing by the examinee, the employer that requested the test or any court, governmental agency, arbitrator or mediator in accordance with due process of law according to an order from a court of competent jurisdiction. The employer that ordered the polygraph examination may similarly disclose information to the examinee, someone specifically designated in writing by the examinee, any court, governmental agency, arbitrator or mediator in accordance with due process of law according to an order from a court of competent jurisdiction or a governmental agency if the disclosed information is an admission of criminal conduct.
The EPPA requires an employer to post, in a conspicuous place, a notice of the EPPA and the rights it provides to employees. Employers must post the notice with other required employment postings. Employers may obtain the required poster from the Wage and Hour Division of the Department of Labor or from the Department of Labor website:
The EPPA does not apply to public employers. As a general rule, public employers may require employees to submit to a polygraph test and a public employer could discharge an employee who refused to be tested.
If a public employer conducts a polygraph test as part of a criminal investigation, the employer must take certain precautions to protect the employee’s constitutional rights, such as the employee’s right to counsel and to have an attorney present.
Likewise, a public employer could violate an employee’s due process rights if the employer takes adverse employment action based only on the results of the polygraph test. To avoid this violation, an employer should base its employment decisions on both the polygraph test and other evidence obtained. Furthermore, public employers should consider allowing an employee a fair hearing during