Skip to content Skip to footer

Table of contents

This Colorado Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Privacy rights — Colorado

Key cards, private e-mail accounts, audio and video surveillance and password-protected computer workstations make the workplace more efficient and safer. They also have dramatically changed the landscape of employee privacy. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation governed by human limitations.

Technological advancements have allowed companies to “supervise” their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employer fraud, theft and other misconduct stays low. Yet, employers must also be mindful of applicable local, state and federal laws that may protect employees.

As an employer’s ability to monitor and record their employees’ workplace conduct increases, so does the risk that employees will complain. Some employees have even sued their employers, claiming violations of their “right to privacy.” Federal laws and the laws of most states do recognize some employee privacy interests. Therefore, an employer must consider employee privacy interests when it monitors employee conduct.

Employers should be aware of all applicable federal and Colorado laws (and understand that the law of privacy is in flux) when formulating policies to monitor employee conduct. Colorado employers should also be mindful that they may be subject to privacy laws of various other states, which may change over time (e.g., due to relocation of remote employees or expansion of business). For example, the semi-recent California Consumer Privacy Act (CCPA), effective January 1, 2020, and the California Privacy Rights Act (CPRA), effective January 1, 2023, with look back to data gathered on or after January 1, 2022, has requirements pertaining to employee data that may apply to out of state employers who do business in the state of California and:

  • have gross annual revenues of more than $25 million;

  • annually purchase, receive for commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households or devices (increased to 100,000 by the CPRA); or

  • derive 50% or more of annual revenues from selling consumers’ personal information.

As another example, effective May 7, 2022, the A.430/S.2628 amendment to the New York Civil Rights Law imposes notice requirements prior to certain monitoring of employees for any employers having a place of business within New York State.

An employer should have legal counsel review its privacy policies to ensure compliance with federal and all applicable state laws

An employer should also be mindful of the effect of monitoring policies on employee morale. A monitoring policy that is legal, but that employees view as unfair and unnecessary, may ultimately hurt productivity. An employee who thinks that his or her employer has unfairly invaded his or her privacy is more likely to seek a lawyer, pursue litigation or campaign for more protective laws.

Electronic communications

In 1968, Congress enacted the federal Wiretap Act as part of the Omnibus Crime Control and Safe Streets Act of 1968 in an effort to protect wire and oral communications of individuals. As more advanced methods of communication became available, Congress amended the Wiretap Act to prohibit the intentional interception, accession, disclosure or use of electronic communications.

In general, the Wiretap Act forbids interception of wire oral or electronic communication through the use of an electronic, mechanical or other device and establishes a civil cause of action for any such violation. The Wiretap Act does not apply to video surveillance but does apply to oral communication intercepted in conjunction with such surveillance.

In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), in reaction to increasing concern that threats to civil liberties were being made possible by emerging technologies. The ECPA essentially modified some of the provisions of the federal Wiretap Act and added a section, the Stored Communications Act (SCA). The ECPA is now the principal federal law governing the interception of oral, wire and electronic communications and the retrieval of stored electronic communications. Title I of the ECPA includes amendments to the Wiretap Act and governs the interception, access, use and disclosure of electronic communications. Title II of the ECPA is known as the SCA and governs the privacy of e-mails that are in storage.

The ECPA regulates when electronic communications can be intercepted, monitored or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. The EPCA focuses on the transfer of data – the time during which the packets of data are traveling between one point and the other. This has created a “one the wire” versus “off the wire” distinction that is becoming more difficult as technology advances.

The ECPA amendments are not very clear, and courts have been critical of the ECPA’s statutory language. What was once a clear distinction between interception of communications in transit vs. collection of stored messages in the telephone context is now muddled with e-mail. The SCA forbids unauthorized “access” to an “electronic communication while it is in electronic storage.” Courts have grappled with the interaction between these two provisions, as well as the respective legal boundaries of the ECPA and the SCA. For example, courts have recently held that draft e-mails are not in “electronic storage” as defined by the SCA. There are a number of proposals for reforming the ECPA currently pending in front of Congress; however, none of the proposals have yet made it through both houses of Congress.

Types of protected communications

Oral communications

Under the ECPA, an oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” If the parties communicate and behave in such a way that suggests that they intend their conversation to be private, it constitutes a protected “oral communication.” Therefore, conversations among employees, even in a public workspace, can sometimes be protected oral communications if spoken in private beyond the hearing range of others.

Wire communications

This category includes communications transmitted on any system that can function in interstate commerce, which covers telephone and possibly fax communications.

Electronic communications

Electronic communications include many of the communications that are widely used in today’s workplace, such as cellular telephones, e-mail, voicemail, pagers and messages transmitted over the Internet.

Personal phone calls

Courts are less inclined to allow interception of employee communications where employers are attempting to monitor the content of personal phone calls. When monitoring communications, an employer should stop the interception as soon as it realizes the communication is of a personal nature. This does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.


Interception under the Wiretap Act is the “aural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” Courts have interpreted interception in a variety of ways.


The Wiretap Act’s general prohibition on interception has three major exceptions:

  1. The service-provider exception

This exception enables owners of a wire or electronic communications system (such as a server) to routinely review communications in order to manage and safeguard the system’s information.

  1. The business use exception

This exception pertains to interceptions made in the normal course of the electronic communication provider’s business. In order for this exception to apply, the intercepting equipment must be “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business” and the interception must be used by the provider “in the ordinary course of its business.” Therefore, where employees use the telephone to conduct their business and the employer routinely uses monitoring equipment such as a telephone extension to check quality and customer service, the monitoring will probably fall within the business use exception.

The consent exception

If a party to the communication consents to being monitored, there can be no interception of the communication. The employer need not obtain express consent to avoid violation of the FCRA. By implementing a policy permitting employer monitoring of e-mail, voicemail and telephone calls and requiring employees to acknowledge their understanding of that policy, consent will be implied. However, and importantly, if an employee only consents to monitoring of his or her business-related calls, he or she will not be deemed to have consented to the monitoring of personal calls. An employee who uses a line that he or she knows to be monitored for business purposes may be found to have consented to the monitoring. Written consent by an employee is the strongest defense against an ECPA claim.

Types of monitoring to consider

Video surveillance

Employers may film an employee in public areas as part of an investigation of the employee’s claim for worker’s compensation. In addition, courts have rejected employees’ claims that filming activities at home constitute an invasion of privacy if the activities could be viewed by neighbors or passersby. Courts have found that because employees should expect claims of injury to be investigated, surveillance conducted in a reasonable and unobtrusive manner will not give rise to liability for invasion of privacy if the activities could be observed by a neighbor or passersby.

However, the use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can threaten employee privacy rights in some cases. Video monitoring may violate privacy rights in at least three circumstances:

  1. Video surveillance may violate certain common law or statutes that protect employees. Generally speaking, the use of video cameras may infringe on employees’ rights in situations where the employee has a reasonable expectation of privacy, such as:
  • bathrooms

  • locker rooms

  • other locations where employees can reasonably expect to be free from surveillance.

An employer can eliminate this expectation, however, if it has a legitimate business need to conduct video monitoring and notifies employees of the monitoring in advance.

  1. Video monitoring also has the potential to violate federal and state wiretap statutes. Silent video surveillance does not implicate the Wiretap Act but videotaping that includes an audio signal does constitute “interception” of an oral communication. An employer can avoid liability by conducting surveillance without audio recording or, as with other interceptions, by obtaining written consent from employees.
  2. Federal labor law may limit the use of video monitoring and other surveillance. The National Labor Relations Board (NLRB) has held that a company committed an unfair labor practice when it failed to bargain with its employees’ union regarding the use of surveillance cameras. According to the NLRB, a labor union has a statutory right to bargain with employers over the activation of video cameras, the placement of cameras and the discipline of employees who are observed engaging in misconduct.

Common law privacy claims

Generally, employers may monitor employee activities to analyze performance or investigate misconduct, as illustrated by the following examples of conduct courts have found to be legal:

  • checking the license plates of visitors’ cars parked on a public street near the home of a security guard who was under investigation

  • taking photographs of production employees for an efficiency study

  • photographing an employee returning stolen property

  • recording the errors employees made on computers to measure the performance of the equipment.

Such monitoring need not be restricted to the workplace. It should, however, be confined to public areas. For instance, monitoring an employee doing yard work while on workers’ compensation leave is allowable, but monitoring them after they have entered their home is not.


Listening to employees’ business-related telephone calls is one of the most common forms of workplace monitoring. Companies dependent on telephone communications often listen in on employees to evaluate the quality of their interaction with the public.

Electronic storage of information

Stored communications can take many forms, but most commonly include computer files and e-mail messages that have been archived. The SCA prohibits unauthorized access, interception and disclosure of information stored in electronic form.


Employers rarely face challenges under the SCA as the act contains an exemption for conduct authorized by the person or entity providing a wire or electronic communications service. This allows employers that provide electronic communication services to access messages once they are stored in their computer or telephone systems without notifying employees of the access.

It is also important to note that exclusively internal e-mail systems provided by employers might be outside the scope of the SCA because such a service would not technically be provided to the public.

Exceptions for national defense against terrorism

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) may also influence workplace privacy. The PATRIOT Act, which is mainly designed to combat terrorism, gives government agencies extensive search power, allowing them to conduct surveillance both traditionally and electronically to track and apprehend terrorists.

The PATRIOT Act has loosened some of the restrictions under the ECPA on the government’s ability to access electronic information and surveillance, making it easier for the government to obtain “wire communication” evidence such as voicemail, e-mail and other electronic communications captured and stored by employers. Certain provisions of the PATRIOT Act allow the government to conduct surveillance while delaying notice. If notifying the target would negatively impact the investigation, the government may delay notification. The government can also monitor someone’s office, computer or e-mail without notifying the individual until after the monitoring has been done. Further, instead of having to obtain a wiretap order, the government can access the content of stored voicemail messages using only a search warrant. The government may also use a search warrant to obtain the contents of unopened e-mail that have been stored for 180 days or less. Employers should be aware that their communications systems are now open to the government. Therefore, employers have a vested interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.

Access to medical information

Employers should also monitor regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act, which restricts access to personal health information. In the case of large multinational companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance. For instance, the European Union’s General Data Protection Regulation (GDPR) requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information. Additionally, member states or non-member states, such as the United Kingdom, may adopt or expand upon the requirements of GDPR on a national or local level.

As a result of the COVID-19 pandemic, many employers have been torn between how to protect employee privacy interests and protecting others in their workforce from the spread of the virus. Information regarding the medical condition of an employee who tests positive for COVID-19 is treated as medical information that the employer must protect against disclosure except in limited circumstances as permitted by the American with Disabilities Act (ADA). At the same time, COVID-19 is a nationally notifiable disease, which when diagnosed, must be reported by healthcare providers to government health departments. The health departments are responsible for leading case investigations and contact tracing. In carrying out this role, they will ask the patient questions about work status, work environment and persons they have been in touch with. Employers are encouraged by the Centers for Disease Control and Prevention (CDC) to permit health department-initiated interviews, site visits and record reviews to identify close contacts who may have been exposed to the virus bearer. It is permissible for employers to provide identifying information to the health department under these circumstances. For additional information, please see Disabilities and reasonable accommodations. Or visit:

Workplace searches

Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse and other wrongdoing. Especially in light of post-9/11 security concerns, employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.

Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers or lockers – that has been provided for employee use. The employer may also want to search the property of an employee, like a purse, gym bag or briefcase. Finally, an employer might search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can constitute an invasion of employee privacy rights.

Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally allowed if the employer has a legitimate business reason and the search is limited to what is necessary. If possible, an employer should contact the employee before conducting this type of search. It would also be prudent to include a section in the employee handbook regarding parameters for searches. For instance, an employer may want to establish and communicate a policy that any items brought onto company property are subject to search.

Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it will amount to an invasion of privacy. A search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key. As discussed herein, an employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in an employee handbook or by posting a policy, that lockers, desks and offices may be searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person or using force.


Another way employers may monitor employees is by conducting investigations:

  • making inquiries to others about the employee

  • reviewing prior employment records, credit reports and school records (see also Background checks)

  • investigating workplace harassment or other wrongdoing.

There are many legal issues implicated in employer investigations, which are covered in Workplace investigations.


Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by law. Testing for illegal drugs is not covered by the ADA. Psychological tests may have an adverse impact on minority applicants or employees and therefore raise an inference of discrimination (see Disabilities and reasonable accommodation). As a general rule, employers should work with counsel to develop testing policies that comply with all applicable employment laws.

Guidelines to follow

The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continues to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:

  • Determine how the relevant state and federal laws impact monitoring policies. The law in this area is evolving and practices that are acceptable today may present more risk in the future, so keep an eye on legislation that is currently being considered. Because many employee monitoring systems are costly to design and implement, employers should consider future legal developments when planning to incorporate monitoring policies.

  • Inform employees in writing of the ways in which you plan to monitor them. By giving employees notice, an employer can diminish any reasonable privacy expectations they might have. Written notice is also critical for establishing that the employee consented to the monitoring, which places employers in a strong legal position to defend alleged privacy violations. Consider consulting an attorney for assistance in drafting and obtaining signed consents that will best shield employers from liability.

  • Create a well-written policy regarding information technology practices and provide it to employees. Employees generally want to know what the policies are regarding e-mail, telephone use and other forms of office communication, so it is critical to formulate a reasonable and well-thought-out policy for technology use. Employers should make it clear to employees that work communications, including voicemail and e-mail, can and will be monitored and explain that the employer is the sole owner of any electronic communications.

  • Clearly define the ways employees will be monitored, including the types of monitoring that will be used and the kinds of technology and then educate employees on what the rules are regarding use of the employers’ communication technology. Adequate instruction will help employees understand the rules and also prevent claims that employees were not aware of policies regarding technology resources.

  • Give employees notice that e-mail messages may be monitored even though it may seem to them that they are private. Many employees may mistakenly believe that, because they may be deleted and password-protected, their e-mails cannot be viewed by the employer. Stress that data stored in or transmitted via computers, e-mail accounts, phones and mobile devices that are owned by the employer are subject to search and abuses of communications systems will not be tolerated and intellectual property will be vigilantly guarded.

  • Forbid defamatory, offensive and abusive communications. Make efforts to prevent communications that could amount to defamation, slander, verbal abuse, harassment or trade disparagement of employees, customers, clients, vendors, competitors or any person or entity. Communications that are harassing or threatening, including derogatory comments based on race, national origin, marital status, sex, sexual orientation, age, disability, pregnancy, religious or political beliefs or any other characteristic protected under local, state or federal law should be forbidden.

    • Note: Employers must be cautious about total prohibitions against non-work-related communications. Union-related e-mails or postings cannot be prohibited if employers allow employees to make other non-work-related communications on the same systems.

  • Justify employee monitoring from the start with legitimate business interests. An employer should be able to list the reasons for monitoring and the business interests served by the monitoring, such as preventing unacceptable levels of personal technology use and maintaining productivity, while ensuring that employees abide by local, state and federal laws. If surveillance is done for a specific investigatory purpose, then be able to prove the specific reason for suspecting the individual employee or employees.

  • Be vigilant in enforcing a policy of keeping business lines open for business purposes only and not for personal calls. However, if an employer does monitor calls, stop listening once a call is identified as personal.

  • Inform callers that their phone calls may be monitored. Employers can inform callers through a recording at the beginning of the call.

  • Tailor monitoring so that sensitive information will be disclosed only to individuals who have a legitimate need to know the information. Use the information for lawful business purposes only and limit dissemination of the information to individuals with a legitimate need to know, such as upper-level management or law enforcement officers.

  • On a regular basis, review policies regarding employee privacy and access to communications and information as well as the relevant law governing such issues. Because this area of the law is rapidly evolving, it is important to keep up with developments that may impact existing privacy policies.

Employee protections

Employers can be held liable for making false or misleading public statements about their employees. The employer may be held liable if it discloses false or misleading information that is highly offensive or insulting and acts in an intentional or reckless disregard for the truth.

Traditionally, lawsuits alleging defamation against employers arise most often in the context of employee references. Employers should take great care in providing references by making sure that all employee references come from a central source and are truthful and accurate. Generally, mere personal opinions will most likely not give rise to liability.

A false light or defamation lawsuit may also be prompted by false, misleading or derogatory e-mails about an employee. Employers are well advised to discourage any communication (electronic or otherwise) that contains potentially false or derogatory comments about an employee, regardless of who is sending or receiving the communication. This includes the use of social media sites such as Facebook, Instagram, Twitter and LinkedIn. Employees should be cautioned that leaving comments for others that cast the employer or its employees in a negative light violates company policies and could result in termination. Employers must be cautious about total prohibitions of discussions related to the Employer on social media or otherwise. E-mails or postings related to the terms and conditions of an employee’s employment cannot be prohibited.

Using an employee’s name or likeness

An employer may also face liability by appropriating an employee’s name or likeness to the employer’s advantage, such as when an employer uses an employee’s name or likeness to advertise the employer’s business or product. However, this is rare in the employment context. Nevertheless, employers should remain aware of the potential for liability in this context.

Lie detector tests

Polygraph tests, also known as lie detector, deceptograph, voice stress analyzer and psychological stress evaluation tests, are investigative tools occasionally considered by employers when conducting employment-related investigations. However, employers may use such tests only in very limited circumstances as state and federal law govern the use of polygraph tests in the workplace.

Employee Polygraph Protection Act

The Employee Polygraph Protection Act (EPPA) also severely restricts private-sector employers from administering polygraph tests to current and prospective employees except under extremely limited circumstances. The EPPA applies to most private employers and does not apply to public-sector employers, except for certain employees of the federal legislative branch.

Employees may not waive by contract or a release the rights and procedures provided by the EPPA unless the waiver is the result of a written settlement agreement based on a pending EPPA action or claim.

Prohibited actions

The prohibition on employer-conducted polygraph tests extends to any person acting directly or indirectly in the interest of an employer in relation to an employee or prospective employee. Employers and their agents may not:

  • directly or indirectly require, request, suggest or cause any employee or prospective employee to take or submit to any polygraph detector test

  • use, accept, refer to or inquire concerning the results of any polygraph test of any employee or prospective employee

  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee who refuses, declines or fails to take or submit to any polygraph test

  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee on the basis of the results of any polygraph test

  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee because the individual made a complaint under or related to the EPPA, testified or is about to testify in any proceeding related to the EPPA or exercised rights provided by the EPPA.


The Secretary of Labor through the Administrator of the Wage and Hour Division enforces the EPPA and may impose civil penalties of up to $23,011 against an employer. The Secretary of Labor also may bring a court action against an employer. If a court determines that an employer violated the EPPA, the court can issue an injunction against the employer and also can award employment, reinstatement, promotion, lost wages and lost benefits to the affected individuals.

Likewise, individuals affected by an employer’s misuse of the EPPA may bring a private court action against the employer in either state or federal court. In the event a court determines an EPPA violation occurred, the affected individual could receive employment, reinstatement, promotion, lost wages and lost benefits. Furthermore, the court, in its discretion, may allow the prevailing party to recover reasonable costs, including attorneys’ fees. An individual who believes an employer has violated the EPPA must file such claim, in court, no more than three years after the date of the alleged violation.


Although the EPPA essentially prohibits a private employer from conducting – or causing to be conducted – a polygraph test, several exemptions exist. Half of the exemptions apply only to the federal government and serve mostly to reinforce the general exception for public employers. However, the other exemptions apply to private employers in certain limited situations.

Federal government exemptions
National defense

The federal government, in the performance of any counterintelligence function, may administer a polygraph test to any employee, contractor, expert or consultant working for or under contract to the Department of Defense and/or the Department of Energy in connection with the atomic energy defense activities.


The federal government, in the performance of any intelligence or counterintelligence function, may administer a polygraph test to any applicant, employee, expert, consultant or individual employed by, assigned to, detailed to or under contract to the National Security Agency, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the Central Intelligence Agency or any individual assigned to a space where sensitive cryptologic information is produced, processed or stored for any such agency. Likewise, the federal government may administer a polygraph test to any employee, expert or consultant under contract with any federal government department, agency or program whose duties involve access to information that has been classified at the level of top secret or designated as being within a special access program under certain Executive Orders.

FBI contractors

The federal government, in the performance of any counterintelligence function, may administer a polygraph test to the employee of a contractor for the Federal Bureau of Investigation (FBI) when that employee is engaged in the performance of any work under contract with the FBI.

Private employers
Security services

When the primary business purpose of a private employer consists of providing armored car personnel, personnel engaged in the design, installation or maintenance of security alarm systems or other uniformed or plainclothes security personnel, the private employer may administer polygraph tests to employees whose duties include protecting facilities, materials or operations having a significant impact on the health or safety of any state or political subdivision or the national security of the United States. Examples include:

  • facilities engaged in the production, transmission or distribution of electric or nuclear power plants

  • public water supply facilities

  • shipments or storage of radioactive or other toxic waste materials

  • public transportation

  • currency

  • negotiable securities

  • precious commodities or instruments

  • proprietary information.

This special exemption for security services applies only to the employees actually employed to protect such facilities, materials, operations or assets and not to all employees of the employer.

Drug security, theft and diversion investigations

Any employer authorized to manufacture, distribute or dispense controlled substances may administer polygraph tests in limited circumstances to employees and prospective employees when the individual has or will have, direct access to the controlled substances. For an existing employee, the employer may conduct polygraph test only in connection with an ongoing investigation of criminal or other misconduct.

Ongoing investigations

For the average private employer, only the “ongoing investigation” exemption likely applies. Unfortunately, this limited exemption seldom fits most situations due to the strict regulation of its use. For an employer to take advantage of the ongoing investigation exemption the employer must ensure the following:

  • The polygraph test is administered in connection with an ongoing investigation involving economic loss or injury to the employer’s business, such as theft, embezzlement, misappropriation or an unlawful act of industrial espionage or sabotage.

  • The employee had access to the property that is the subject of the investigation.

  • The employer has a reasonable suspicion that the employee was involved in the incident or activity under investigation.

  • The employer must write-out a statement detailing the specific incident or activity being investigated and provide it to the examinee before the test.

The statement provided to the employee prior to testing must be signed by a person legally authorized to bind the employer and must be retained for at least three years from the date of testing. The statement must identify the specific economic loss or injury to the business of the employer and must indicate that the employee had access to the property that is the subject of the investigation. Furthermore, the statement must describe the basis of the employer’s reasonable suspicion that the employee was involved in the incident or activity under investigation. If the employer’s statement fails to meet these detailed requirements, the ongoing investigation exemption will not apply.

Restrictions on exemptions

Even on the rare occasion when a private employer discovers that an exemption may allow for a polygraph test, the EPPA further restricts the use of any polygraph results. The three exemptions applicable to private employers are:

  1. the security services exemption
  2. drug security, theft and diversion investigation exemption
  3. the ongoing investigation exemption.

The EPPA still prohibits an employer from using solely the results of a polygraph test in determining whether to discharge, discipline, deny employment or promotion or otherwise discriminate against the tested individual. In other words, an employer must be able to provide other supporting evidence (in addition to the results of the polygraph test) to lawfully discharge, discipline, terminate, refuse to hire or otherwise discriminate against a tested individual.

Examinee rights

In the event that a private employer may test an individual, the EPPA provides specific rights to the individual being tested.

Throughout all phases of the testing, the employer must allow the individual to terminate the test at any time and the examiner may not ask questions designed to degrade or intrude on the individual. Specifically, the examiner may not ask any questions concerning:

  • religious beliefs or affiliations beliefs

  • racial matters

  • political beliefs or affiliations

  • any matter relating to sexual behavior

  • any matter regarding unions or labor organizations.

An employer may not test an individual who provides sufficient written evidence from a physician that the individual suffers from a medical or psychological condition that might cause abnormal responses during the test.

The EPPA further restricts testing depending on the phase of the testing.

Pretest phase rights

During the pretest phase, an employer must provide the individual with reasonable written notice of the date, time and location of the test and inform the individual that he or she may consult an attorney or an employee representative before each phase of the test. The individual must receive written notice of the nature and characteristics of the test, the instruments involved, whether the testing area contains a two-way mirror, camera or other device through which the test can be observed, whether any other device will be used and whether or not the employer or individual may make a recording of the test.

The employer also must provide a written statement for the individual to sign. This statement must include a notice that the individual cannot be forced to take the test as a condition of employment and that any statement made during the test may constitute additional supporting evidence for taking an adverse employment action against the employee. This statement also must include a summary of the limitations imposed under this section and the legal rights that are available to the individual if the exam is not conducted according to the EPPA. In addition, the statement must remind the individual of the employer’s rights under the EPPA, including that the employer may turn over, to the appropriate governmental agency, any admission of criminal conduct.

As a final condition on testing, the EPPA requires that, prior to the test, the individual be provided an opportunity to review all questions to be asked during the test and be informed of the right to terminate the test at any time.

Actual test phase rights

During the actual testing, the individual may not be asked any question that was not presented in writing for review prior to the test.

Post-test phase rights

Before the employer may take any action based on the results of the test, the employer must:

  • further interview the individual on the basis of the results of the test

  • provide a written copy of any opinion and/or conclusions rendered as a result of the test

  • provide a copy of the questions asked during the test along with the individual’s responses.

The information gained from a polygraph

The EPPA provides for limited disclosure of information obtained during a polygraph test. The polygraph examiner may disclose information to the examinee, someone specifically designated in writing by the examinee, the employer that requested the test or any court, governmental agency, arbitrator or mediator in accordance with due process of law according to an order from a court of competent jurisdiction. The employer that ordered the polygraph examination may similarly disclose information to the examinee, someone specifically designated in writing by the examinee, any court, governmental agency, arbitrator or mediator in accordance with due process of law according to an order from a court of competent jurisdiction or a governmental agency if the disclosed information is an admission of criminal conduct.

Employee notice requirements

The EPPA requires an employer to post, in a conspicuous place, a notice of the EPPA and the rights it provides to employees. Employers must post the notice with other required employment postings. Employers may obtain the required poster from the Wage and Hour Division of the Department of Labor or from the Department of Labor website:

Public employers and polygraph tests

The EPPA does not apply to public employers. As a general rule, public employers may require employees to submit to a polygraph test and a public employer could discharge an employee who refused to be tested.

If a public employer conducts a polygraph test as part of a criminal investigation, the employer must take certain precautions to protect the employee’s constitutional rights, such as how an employee has a right to counsel and may have an attorney present.

Likewise, a public employer could violate an employee’s due process rights if the employer takes adverse employment action based only on the results of the polygraph test. To avoid this violation, an employer should base its employment decisions on the basis of both the polygraph test and other evidence obtained. Furthermore, public employers should consider allowing an employee a fair hearing during