Skip to content Skip to footer

Table of contents

This Federal Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Privacy rights — Federal

Key cards, private email accounts, audio and video surveillance, password-protected computer workstations – they all make the workplace more efficient and safer and they also have changed the landscape of employee privacy dramatically within a generation. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation governed by human limitations as technological advancements have allowed companies to “supervise” their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employer fraud, theft and other misconduct stays low. Yet employers must also be mindful of applicable local, state and federal laws that may protect employees.

As employers increase their ability to monitor and record their employees’ workplace conduct, so does the risk that employees will complain. Some employees have even sued their employers, claiming violations of their “right to privacy.” Federal law and the laws of most states do recognize some employee privacy interests. Thus, an employer must consider employee privacy interests when it monitors employee conduct.

Employers should be aware of all applicable state and federal laws – and understand that the law of privacy is constantly changing – when formulating policies to monitor employee conduct. An employer should also be mindful of the effect of monitoring policies on employee morale. A monitoring policy that is legal but that employees view as unfair and unnecessary may ultimately hurt productivity. An employee who thinks that his employer has unfairly invaded his privacy is more likely to seek a lawyer, pursue litigation or campaign for more protective laws.

Employee privacy rights have roots in four sources:

  1. Constitutional law
  1. statutory law
  1. common law
  1. contract.

Constitutional law

The idea of an individual’s right to privacy in the United States originates with the Constitution. Both the Bill of Rights and the Fourteenth Amendment address privacy rights. The Bill of Rights guards against unreasonable searches and seizures by the federal government and the Fourteenth Amendment applies these privacy protections to state and local governments. These provisions protect public sector employees, such as postal workers and state employees, from unjustified invasions of privacy by federal, state and local government employers.

The federal privacy rights described in the U.S. Constitution protect citizens against government action only; private employers are not restricted by the Constitution in monitoring workplace conduct. However, this does not mean that private employees are without privacy rights.

Some courts have broadened these privacy protections to cover the actions of private employers as well as state action.


Protecting electronic communications

Congress passed the Electronic Communications Privacy Act (ECPA) in reaction to increasing concern that new threats to civil liberties were being made possible by emerging technology. The ECPA essentially modified some of the provisions of the federal Wiretap Act and added a new section, the Stored Communications Act (SCA) . The ECPA is the controlling federal law dealing with surveillance and monitoring through telephone and other electronic means.

The ECPA amendments are not very clear and courts have been critical of the ECPA’s statutory language. The Wiretap Act forbids the unauthorized “interception, use and disclosure” of any “wire oral or electronic communication,” and the Stored Communications Act forbids unauthorized “access” to an “electronic communication while it is in electronic storage.” 

Courts have grappled with the interaction between these two provisions, as well as the respective legal boundaries of each Act.

A private right of action under the Wiretap Act allows recovery of actual and punitive damages, plus attorneys’ fees and costs. The Wiretap Act also provides for statutory damages, which usually are awarded in daily increments, computed at $100 dollars a day and capped at $10,000. Damages are awarded on a daily basis even though many different types of violations may happen within the course of the same day.

The Wiretap Act 

Oral communications

An oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” Conversations among employees, even in a public work space, can sometimes be protected “oral communications” if spoken in private beyond the hearing range of others.

Wire communications

This category includes communications using the human voice, transmitted on any system that can function in interstate commerce, which covers telephone communication and possibly fax communication.

Electronic communications

Electronic communications include many of the communications that are widely used in today’s workplace, such as email, voicemail and messages transmitted over the Internet.


Interception under the Wiretap Act is “acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” Courts have interpreted interception in a variety of ways. One court held that a defendant intercepted a communication when she retrieved and forwarded to her own personal mail box a voicemail message from the recipient’s mailbox before it had been received by the recipient.

In another case, a court held that viewing an email message on the plaintiff’s computer screen did not constitute “interception.”


The Wiretap Act’s general prohibition on interception has three major exceptions:

  1. The service-provider exception - This exception enables owners of a communications system (such as a server) to routinely review communications in order to manage and safeguard the system’s information.
  1. The business use exception - “Device” (as used in the definition of “interception,” previously) does not include any equipment that is “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business.” The precise boundaries of the business use exception are not exactly clear, but as a general rule, employer monitoring does not qualify as business use unless the monitoring device was supplied by a provider of wire or electronic communication in the ordinary course of business.
  1. The consent exception - If one party to the communication consents, there can be no “interception” of the communication. Courts have not yet defined prior consent, but it is clear that written consent by an employee is the strongest defense against an ECPA claim.

Personal phone calls

Courts are less inclined to allow interception of employee communications where employers are attempting to monitor the content of personal phone calls. In monitoring communications, an employer should stop the interception as soon as it realizes the communication is of a personal nature. Note that this does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.

The Stored Communications Act

The Stored Communications Act (SCA) prohibits unauthorized access, interception and disclosure of information stored in electronic form. Stored communications can take many forms, but they most commonly include computer files and email messages that have been archived.


One important exception to the SCA is when a provider of wire or electronic communications service is given access to an employer’s stored electronic communications, which would presumably enable the employer to monitor email that is archived on its communication system. What constitutes storage, however, is not well defined. Some courts have distinguished different types of storage, such as “intermediate storage,” “back-up protection storage,” and “post-transmission storage.” 

At least one federal court has found that text messages do not meet this exception. As such, in that case, an employer’s reading of text messages was a violation.

Another exception to the SCA allows access to stored electronic communications that have been made by or sent to a user if the user consents.


The “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001” may influence workplace privacy significantly. This Act, which is mainly designed to combat terrorism, gives agencies of the government more extensive search powers, allowing them to conduct surveillance both traditionally and electronically to track and apprehend terrorists.

Certain provisions of the Act – the so-called “sneak and peek” portions – allow the government to conduct surveillance without getting a court order or warrant. As long as the government can demonstrate reasonable cause for investigating without giving notification (basically, that notifying the target would negatively impact the investigation), the Act allows the government to delay notification. The government can monitor someone’s office, computer or email without notifying the individual until after the monitoring has been done. Employers now face the reality that their communications systems are completely open to the government and therefore have a critical interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.

The Employee Polygraph Protection Act

The Employee Polygraph Protection Act (EPPA) prohibits most private employers from using lie detector tests prior to employment and during the course of employment. Specifically, employers may not do any of the following:

  • request, require, suggest or cause (directly or indirectly) any current or prospective employee to take a lie detector test
  • use, accept, refer to or inquire concerning the results of a lie detector test
  • discharge, discipline, discriminate against an employee or prospective employee for refusing to take a test, based upon the results of a test or for exercising his or her rights under the EPPA.

Not all private employers are prohibited from using lie detector tests. Employers whose primary business purpose consists of providing security services (armored car, alarm systems, security guards) or manufacturing, distributing or dispensing controlled substances may use lie detector tests.

Additionally, a private employer may request that an employee submit to a lie detector test if the test is to be used in connection with an ongoing investigation involving economic loss or injury to the business. In those instances where testing is permitted, an employer is required to follow certain detailed procedures before, during and after the administration of a lie detector test.

The EPPA does not apply to federal, state and local governments or any political subdivision of a State or local government. The law also does not apply to tests given by the federal government persons engaged in national security-related activities.   

Other sources of privacy rights

Employers should also monitor new regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act (HIPAA), which restricts access to personal health information. See Health insurance portability and privacy.

In addition, in the case of large multinational companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance. For instance, the European Union’s data privacy directive requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information.

Lie detector tests

Polygraph tests, also known as lie detector, deceptograph, voice stress analyzer and psychological stress evaluation tests are investigative tools often considered by employers. Employers may use such tests only in very limited circumstances. The Employee Polygraph Protection Act (EPPA) severely restricts private sector employers from administering polygraph tests to current and prospective employees except under extremely limited circumstances.


The Employee Polygraph Protection Act (EPPA) applies to all private sector employers, including foreign corporations operating within the United States. The EPPA specifically does not apply to public sector employers except for certain employees of the federal legislative branch. An “employer” includes any person acting directly or indirectly in the interest of an employer in relation to a current or prospective employee.

Employees may not waive by contract or a release the rights and procedures provided by the EPPA unless the waiver is the result of a written settlement agreement based on a pending EPPA action or claim.

What is prohibited

The prohibition on employer-conducted polygraph tests extends to any person acting directly or indirectly in the interest of an employer in relation to an employee or prospective employee. The prohibition also applies to all employees of covered employers, regardless of citizenship status.

Employers and their agents may not:

  • directly or indirectly require, request, suggest or cause any employee or prospective employee to take or submit to any polygraph detector test
  • use, accept, refer to or inquire concerning the results of any polygraph test of any employee or prospective employee
  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee who refuses, declines or fails to take or submit to any polygraph test
  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee on the basis of the results of any polygraph test
  • discharge, discipline, discriminate against, deny employment or promotion to or threaten such actions against any employee or prospective employee because the individual made a complaint under or related to the EPPA, testified or is about to testify in any proceeding related to the EPPA or exercised rights provided by the EPPA.


Although the Employee Polygraph Protection Act (EPPA) essentially prohibits a private employer from conducting or causing to be conducted a polygraph test, several exemptions exist. Half of the exemptions apply only to the federal government; however, the other exemptions apply to private employers in certain limited situations.

Federal government exemptions

National defense

The federal government, in the performance of any counterintelligence function, may administer a polygraph test to any employee, contractor, expert or consultant working for or under contract to the Department of Defense and/or the Department of Energy in connection with the atomic energy defense activities.

National security

The federal government, in the performance of any intelligence or counterintelligence function, may administer a polygraph test to any applicant, employee, expert, consultant or individual employed by, assigned to, detailed to or under contract to the National Security Agency, the Defense Intelligence Agency, the National Imagery and Mapping Agency, the Central Intelligence Agency or any individual assigned to a space where sensitive cryptologic information is produced, processed or stored for any such agency. Likewise, the federal government may administer a polygraph test to any employee, expert or consultant under contract with any federal government department, agency or program whose duties involve access to information that has been classified at the level of top secret or designated as being within a special access program under certain Executive Orders.

Federal Bureau of Investigation contractors

The federal government, in the performance of any counterintelligence function, may administer a polygraph test to the employee of a contractor for the Federal Bureau of Investigation (FBI) when that employee is engaged in the performance of any work under contract with the FBI.

Private employers

Security services

When the primary business purpose of a private employer consists of providing armored car personnel, personnel engaged in the design, installation and maintenance of security alarm systems or other uniformed or plane-clothed security personnel, the private employer may administer polygraph tests to employees whose duties include protecting facilities, materials or operations having a significant impact on the health or safety of any State or political subdivision or the national security of the United States.

Examples include:

  • facilities engaged in the production, transmission or distribution of electric or nuclear power plants
  • public water supply facilities
  • shipments or storage of radioactive or other toxic waste materials
  • public transportation
  • currency
  • negotiable securities
  • precious commodities or instruments
  • proprietary information.

This special exemption for security services applies only to the employees actually employed to protect such facilities, materials, operations or assets and not to all employees of the employer.

Drug security, theft and diversion investigations

Any employer authorized to manufacture, distribute or dispense controlled substances may administer polygraph tests in limited circumstances to employees and prospective employees when the individual has or will have direct access to the controlled substances. For an existing employee, the employer may conduct polygraph test only in connection with an ongoing investigation of criminal or other misconduct.

Ongoing investigations

For the average private employer, only the “ongoing investigation” exemption likely applies. Unfortunately, this limited exemption seldom “fits” most situations due to the strict regulation on its use. For an employer to take advantage of the ongoing investigation exemption, the employer must ensure all of the following:

  • The polygraph test is administered in connection with an ongoing investigation involving economic loss or injury to the employer’s business, such as theft, embezzlement, misappropriation or an unlawful act of industrial espionage or sabotage.
  • The employee had access to the property that is the subject of the investigation.
  • The employer has a reasonable suspicion that the employee was involved in the incident or activity under investigation.
  • The employer must provide the employee with a written a statement detailing the specific incident or activity being investigated in a language understood by the examinee and given before the test.

The statement provided to the employee prior to testing must be signed by a person legally authorized to bind the employer and must be retained for at least three years from the date of testing. The statement must identify the specific economic loss or injury to the business of the employer and must indicate that the employee had access to the property that is the subject of the investigation. Furthermore, the statement must describe the basis of the employer’s reasonable suspicion that the employee was involved in the incident or activity under investigation. If the employer’s statement fails to meet these detailed requirements, the ongoing investigation exemption will not apply.

Restrictions on exemptions

Even on the rare occasion when a private employer discovers that an exemption may allow for a polygraph test, the Employee Polygraph Protection Act (EPPA) further restricts the use of any polygraph results. For all three exemptions applicable to private employers – the security services exemption, the drug security, theft and diversion investigation – and the ongoing investigation, the EPPA still prohibits an employer from using solely the results of a polygraph test in determining whether to discharge, discipline, deny employment or promotion or otherwise discriminate against the tested individual. In other words, an employer must be able to provide other supporting evidence – in addition to the results of the polygraph test – to lawfully discharge, discipline, terminate, refuse to hire or otherwise discriminate against a tested individual.

Rights of the examinee

In the event that a private employer may test an individual, the Employee Polygraph Protection Act (EPPA) provides specific rights to individual to be tested. The employer must provide written notice in a language understood by the examinee at least 48 hours before the test. The notice should describe how, when and where the test will occur and that the examinee has the right to consult a lawyer or employee representative. Employers must be able to prove the examinee received the required notice in the form of a written return receipt or other similar proof of service. This is discussed in more detail later in this topic.

Throughout all phases of the testing, the employer must allow the individual to terminate the test at any time and the examiner may not ask questions designed to degrade or intrude on the individual. Specifically, the examiner may not be asking any questions concerning religious beliefs or affiliations, beliefs or opinions regarding racial matters, political beliefs or affiliations, any matter relating to sexual behavior and beliefs or opinions regarding unions or labor organizations. An employer may not test an individual who provides sufficient written evidence from a physician that the individual suffers from a medical or psychological condition that might cause abnormal responses during the test.

The EPPA further restricts testing depending on the phase of the testing.

Pretest phase

During the pretest phase, an employer must provide the individual with reasonable written notice of the date, time and location of the test and inform the individual that he or she may consult an attorney or an employee representative before each phase of the test. The individual must receive written notice of the nature and characteristics of the test, the instruments involved, whether the testing area contains a two-way mirror, camera or other device through which the test can be observed, whether any other device will be used and that the employer or individual may make a recording of the test.

The employer also must provide a written statement for the individual to sign. This statement must include notice that the individual cannot be forced to take the test as a condition of employment and that any statement made during the test may constitute additional supporting evidence as to the basis for subjecting the employee to the test. This statement also must include a summary of the legal rights that are available to the individual if the exam is not conducted according to the EPPA. Finally, the statement must remind the individual that the employer may turn over to the appropriate governmental agency any admission of criminal conduct.

As a final condition on testing, the EPPA requires that prior to the test the individual be provided an opportunity to review all questions to be asked during the test and informed of the right to terminate the test at any time.

Actual test phase

During the actual testing, the individual may not be asked any question that was not presented in writing for review prior to the test.

Post-test phase

Before the employer may take any action based on the results of the test, the employer must further interview the individual on the basis of the results of the test, provide a written copy of any opinion and/or conclusions rendered as a result of the test and provide a copy of the questions asked during the test along with the individual’s responses.

Information that may be disclosed

The Employee Polygraph Protection Act (EPPA) provides for limited disclosure of information obtained during a polygraph test. The polygraph examiner may disclose information to the examinee, someone specifically designated in writing by the examinee, to the employer that requested the test and to any court, governmental agency, arbitrator or mediator in accordance with due process of law according to an order from a court of competent jurisdiction. The employer that ordered the polygraph examination may disclose information to the examinee, someone specifically designated in writing by the examinee and to a governmental agency if the disclosed information is an admission of criminal conduct.

Posting requirements

The Employee Polygraph Protection Act (EPPA) requires an employer to post in a conspicuous place a notice explaining the EPPA and the rights it provides to employees. Employers must post the notice with other required employment postings where it can readily be observed by employees and applicants for employment. Employers may obtain the required poster from the Wage and Hour Division of the Department of Labor (DOL) or the DOL website.

See Appendix B: Posting requirements.

Interactions with other laws and agreements

The Employee Polygraph Protection Act (EPPA) does not preempt any state or local law or collective bargaining agreement that prohibits lie detector tests or is more restrictive than the EPPA.

Public employers

The Employee Polygraph Protection Act (EPPA) does not apply to public employers. As a general rule, public employers may require employees to submit to a polygraph test and a public employer could discharge an employee who refused to be tested.

If a public employer conducts a polygraph test as part of a criminal investigation, the employer must take certain precautions to protect the employee’s constitutional rights. For instance, the employee has a right to counsel and, thus, may have an attorney present.

Likewise, a public employer could violate an employee’s due process rights if the employer takes adverse employment action based only on the results of the polygraph test. To avoid this violation, an employer should base its employment decisions on the basis of both the polygraph test and other evidence obtained. Furthermore, public employers should consider allowing an employee a fair hearing during which the employee could present a defense to the employer’s allegations.

Enforcement and penalties

The Secretary of Labor enforces the Employee Polygraph Protection Act (EPPA). The Secretary may impose civil penalties of up to $21,410 against an employer. The Secretary also may bring a court action against an employer. If a court determines that an employer violated the EPPA, the court can issue an injunction against the employer and also can award employment, reinstatement, promotion, lost wages and lost benefits to the affected individuals.

Likewise, individuals affected by an employer’s misuse of the EPPA may bring a private court action against the employer in either state or federal court. In the event a court determines an EPPA violation occurred, the affected individual could receive employment, reinstatement, promotion, lost wages and lost benefits. Furthermore, the court, in its discretion, may allow the prevailing party to recover reasonable costs, including attorney’s fees. An individual who believes that an employer has violated the EPPA must bring such a claim in court no more than three years after the date of the alleged violation.

Where to go for more information

The website for the federal Department of Labor provides easily accessible information regarding the EPPA. The website for the compliance assistance page and other helpful links is:

Common law

There are four distinct legal claims that address invasions of privacy:

  1. intrusion upon an employee’s private affairs
  1. public disclosure of embarrassing facts about the employee
  1. publicity that places the employee in a false light in the public eye
  1. appropriation of the employee’s name or likeness for the employer’s advantage.

Intrusion upon an employee’s private affairs

This common law theory shields employees from certain deliberate invasions of employees’ workplace privacy. Generally, employers may be liable when both:

  1. the manner of intrusion would be highly offensive to a reasonable person
  1. the employee had a reasonable expectation of privacy.

In an employment situation, intrusion upon seclusion can occur in situations such as alcohol and drug testing, gathering medical and other personal information, conducting surveillance, unauthorized eavesdropping or wiretapping or obtaining certain confidential information to determine eligibility for employment. However, reasonable investigation or surveillance in connection with a lawsuit or surveillance in a certain areas, even including non-private areas of a restroom, to protect against crime, does not give rise to an intrusion claim. In addition, using a speakerphone to monitor employees’ calls at work is not an unlawful intrusion if employees are told that telephones are for business use only and will be monitored.

Public disclosure of embarrassing facts about the employee

Employees are also protected from public disclosures about their private lives. The relevant factors for employer liability are similar to those of intrusion upon an employee’s private affairs:

  • the disclosure must be public
  • it must be highly offensive to a reasonable person
  • the subject matter must not be of legitimate concern to the public.

Unlawful public disclosure in the employment context happens when an employer is searching for background information about an employee or applicant or when it publishes personal information about an employee’s or applicant’s health or personal information that goes beyond the range of individuals who have a need to know the information. Notably, the truth of the information disclosed is not a defense (in contrast to defamation claims, discussed below).

There is no legal claim for the employee for public disclosure where the employee also informs others of the embarrassing facts or where the employer discloses facts that are a matter of public record, such as criminal records.

Publicity that places the employee in a false light in the public eye

Employers can be held liable under these similar common law theories for making false or misleading public statements about their employees. To be liable, the employer must disclose false or misleading information that is highly offensive or defamatory and act in intentional or in reckless disregard for the truth.

Traditionally, lawsuits alleging false light and defamation against employers arise most often in the context of employee references. In many states, any employer that provides an honest, fair and unbiased employee reference is presumed to be acting in good faith and is granted a qualified immunity from the disclosure and the consequences of the disclosure. Thus, employers can provide prospective employers with honest employee references without the risk of a defamation claim. However, the good faith presumption is rebuttable. Employers should take great care in providing references by making sure that all employee references come from a central source and are truthful and accurate. Generally, mere personal opinions will most likely not give rise to liability.

A false light or defamation lawsuit may also be prompted by false, misleading or derogatory emails about an employee. Employers are well advised to discourage any communication (electronic or otherwise) that contains potentially false or derogatory comments about an employee, regardless of who is sending or receiving the communication.

Appropriation of the employee’s name or likeness for the employer’s advantage

An employer may also face liability by appropriating an employee’s name or likeness to the employer’s advantage, but this tort is rare in the employment context. Nevertheless, employers should remain aware of the potential for liability in this context. Generally, mere personal opinions will most likely not give rise to a valid legal claim.

Contractual rights

Employee manuals, collective bargaining agreements and employment agreements can be the source of privacy rights; employers should make clear that such agreements are not intended to create rights.



The use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can have the unintended effect of impacting employee privacy rights. Video monitoring may violate privacy rights in at least three circumstances:

  1. Video surveillance may violate state common law or statutes that protect employees. Generally speaking, the use of video cameras may infringe on employees’ rights in situations where the employee has a reasonable expectation of privacy – bathrooms, locker rooms or other locations where employees can reasonably expect to be free from surveillance. An employer can eliminate this expectation, however, if it has a legitimate business need to conduct video monitoring and notifies employees of the monitoring.
  1. Video monitoring has the potential to violate federal and state wiretap statutes. Silent video surveillance does not implicate the Wiretap Act, but videotaping that includes an audio signal does constitute “interception” of an oral communication. An employer can avoid liability by conducting surveillance without audio recording or, as with other interceptions, obtaining written consent from employees.
  1. Federal labor law may limit the use of video monitoring and other surveillance. The National Labor Relations Board (NLRB) has held that a company committed an unfair labor practice when it failed to bargain with its employees’ union regarding the use of surveillance cameras. According to the NLRB, a labor union has a statutory right to bargain with employers over the activation of video cameras, the placement of cameras and the discipline of employees who are observed engaging in misconduct.

Workplace searches

Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse and other wrongdoing. Especially in light of post-9/11 security concerns, employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.

Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers or lockers – that has been provided for employee use. The employer may also want to search the property of an employee, like a purse, gym bag or briefcase. Finally, an employer might also search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can constitute an invasion of employee privacy rights.

Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally allowed if the employer has a legitimate business reason and the search is limited to what is necessary. If possible, an employer should contact the employee before conducting this type of search.

Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it will amount to an invasion of privacy. For instance, a search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key.

An employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in an employee handbook or by posting a policy, that lockers, desks and offices may be searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person or using force. Solutions that do not involve searches – such as inventory control systems and systems for tracking Internet use – can eliminate the need for many searches.


Another way employers may monitor employees is by conducting investigations:  making inquiries to others about the employee; reviewing prior employment records, credit reports and school records; and investigating workplace harassment or other wrongdoing. There are many legal issues implicated in employer investigations, which are covered in Chapter 22: Workplace investigations.


Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA).

Use of the Internet


The ability to post videos on YouTube and other websites creates enormous risks for employers. Their trade secrets may be compromised or their reputations maligned by employees who are engaging in prank behavior. Take the case of Domino’s Pizza, which found itself maligned by two employees who posted a video showing one of them preparing sandwiches for delivery while putting cheese up his nose and performing other unhygienic acts. After more than one million views on YouTube, the video was removed, but not before Domino’s suffered major damage to its reputation. Although there is no way to prevent such conduct from occurring, it might in some cases be prevented by adopting and publicizing a policy making clear that such conduct is prohibited. Before adopting such a policy, however, employers need to be mindful that an overbroad rule may result in an unfair labor practice finding by the NLRB.


Sometimes employees can create nightmares for their companies by trying to be helpful, such as by endorsing the company’s products on Internet blog sites. This can run afoul of laws prohibiting certain unfair and deceptive practices in commerce. The U.S. Federal Trade Commission (FTC) issued rules pertaining to the use of endorsements and testimonials in advertising that highlight the need to disclose any connection between the seller of the product or service and the person endorsing it.

To limit potential liability, an advertiser should ensure that the advertising service provides guidance and training to its bloggers concerning the need to ensure that statements they make are truthful and substantiated. The advertiser should also monitor bloggers who are being paid to promote its products and take steps necessary to halt the continued publication of deceptive representations when they are discovered.

Employers need to pay attention to what their employees do and say so far as it relates to the products and services that the employer offers to the general public. Companies should develop a policy on whether employees should refrain from communicating with the general public over the Internet about their products and services. At a minimum, such policies should identify the types of statements that are inappropriate to post and the kinds of disclosures that should be made regarding the employee’s relationship with the company.

The FTC’s guides concerning the use of endorsements and testimonials in advertising are available at:

Discriminatory and harassing comments

The ease of cyberspace communication makes it possible to transmit offensive material to large groups of people instantaneously. Courts analyze harassing photographs, cartoons, comments and other materials on the Internet under the same standards that they apply to other forms of behavior that create a hostile work environment. See Discrimination. When an employer has notice that such conduct is occurring in the workplace, there is an obligation to investigate and take corrective action.


The ability to forward email communications makes it much more likely that potentially defamatory communications will be published beyond those who are privileged to receive them. In one case that received a great deal of publicity, New York Life Insurance Company was sued by a former employee. An email from a corporate vice president reported that she had been terminated for use of her corporate credit card “in a way in which the company was defrauded.” Because the email was forwarded to several managers and non-managers who were not privileged to receive this information, a court held that the employee had proved a prima facie case of defamation.

Cellphones and personal electronic devices in the workplace

Many employers are adopting specific policies to cover use of mobile electronic devices, primarily cellphones, in the workplace and in other locations while performing duties for the employer. This policy applies to not only the use of cellular phones for phone calls, but also for leaving messages, sending text messages, surfing the Internet or downloading and allows for reading of and responding to work-related messages and information whether the device is company supplied or personally owned.

Company-owned and -supplied devices

For company-supplied devices or for corporate accounts in which some portion of the service and access fees are paid, a policy should be in place regarding using the device while operating a vehicle. Having a prohibition from use should also include both calls and texts as well as Internet surfing and email.

Cellphones in the workplace

A company should have a policy about using a cellular phone for business purposes during work hours. To ensure effectiveness during meetings, the company should consider a provision requiring employees keep their phones at their desks. If circumstances require, the cellphone should be allowed in the meeting on vibrate.

Employer-created cellphone usage policies

  • Address state laws about texting while driving.
  • Be reasonable with policies. If an employee is required to work long hours, allowing minimal cellphone usage may help morale.
  • Address camera phones, which are an ever-present issue in technology today. Intellectual property, trade secrets, personal customer information or other confidential data can be captured and used easily with a camera phone. Camera, video and audio recording capabilities also make ripe the possibility of misuse toward other employees and can lead to claims of harassment.
  • All other uses of cellphone for business purposes such as texting, surfing the Internet, checking and sending email, voicemail or other purposes should be addressed if it is related to employment.
  • Make sure the policy created is enforced and that employees understand the consequences of failing to abide by its terms.
  • All employees should sign a copy of the policy, after education and time to review.
  • Give notice of privacy rights and considerations.

Use of electronic devices while driving

Nearly half of all states have enacted distracted driving laws, prohibiting drivers from holding or physically supporting a phone while driving. These laws also often ban reaching for a mobile device by getting out of a seated driving position or by not correctly wearing a seatbelt. Hands-free devices generally are allowed, including "earpieces, headphone devices or a device worn on a wrist to conduct a voice-based communication." Dashboard mounts usually are also allowed. Employers may wish to prohibit any business use of an electronic device while driving.

Because employers may be liable for injuries caused by accidents when their employees are driving and talking and/or texting on cellphones for work purposes, employers should adopt a distracted-driving policy even aside from applicable laws. A distracted-driving policy should clearly state that it is against company rules to text, email or use a hand-held phone or communication device while operating a company vehicle, driving a personal vehicle for business use or using a company-issued communication device. The distracted-driving policy must be clearly communicated to employees, taken seriously and enforced.

Expectation of privacy 

Whether the device belongs to the employer or is a personal device, the employer should clearly state the privacy expectations and the extent to which the employer wishes to reserve the right to review employer-owned information or information about the employer.

Texting and instant messaging

Many employers have adopted specific policies to cover use of electronic devices, primarily cellphones, in the workplace and in other locations while performing duties for the employer. Because of the increase in use of mobile electronic devices, a comprehensive electronic usage policy should be developed.

Texting and messaging in the workplace can pose serious safety and privacy concerns. Many view texting and instant messaging as an informal, social activity; unfortunately, some are not discriminating in topic and the most ready topic while one is at work is often work itself or co-workers. Additionally, a growing source of liability exists as business-related texting continues to increase. Employers must adopt policies to define the acceptable limits of text and messaging in the work place.

Useful guidelines in implementing and maintaining electronic usage/texting policies:

  • Employers should implement and clearly communicate an electronic resources policy intended to shape employees’ privacy expectations.
  • The policy must be very clear about what, if any, expectations the employee has to privacy.
  • Policy reminders should be considered to provide employees with on-going notice of the employer’s policy and any updates to the policy.
  • The policy should address not only communications transmitted through the company’s own electronic resources but also communications related in any way to the employer’s business that are transmitted using an employee’s personal accounts or devices through a third-party service provider, regardless of whether the employer or the employee is the subscriber on the service contract.
  • Managers and supervisors should be trained to make statements consistent with the company’s policy (for instance, They should not disclose, “We never actually review personal text messages.”).
  • The policy should emphasize that it may be modified only in writing via established procedure and otherwise individuals shall not have the authority to modify the policy.
  • The policy should be reviewed and updated regularly to address new technologies and new developments in the law.
  • Searches, reviews and monitoring should be done only for legitimate, business purposes.
  • Searches, reviews and monitoring should be done in a reasonable manner aimed at collecting information that is relevant to the search’s legitimate, business purpose.

“Textual harassment”

“Textual harassment” has moved into the workplace with the rise of usage of mobile electronic devices. Employment lawsuits sometimes start as the result of text messages or the messages appear later as evidence of harassing conduct. Employees often think that texts are harmless and cannot be traced. However, text messages leave behind an electronic record that is increasingly retrievable and being used to bolster litigation of claims. As stated previously, employers should put employees on notice that they should have no expectation of privacy in their electronic communications. A well-crafted and broadly distributed policy that puts employees on notice of how and when the employer will access these communications can go a long way toward strengthening the employer’s position in litigation. Employees should be advised that harassing comments made through any type of electronic media are prohibited and not tolerated and that such conduct may lead to termination.

Communications with top management

If employees communicate with management via text message, a policy should be in place regarding those communications. The policy should require that any communications regarding compensation or hours worked, medical or disability leaves or absences and attendance should be made in a writing other than a text message (via letter or email) so that there is a clear record for files. If business issues are discussed via such messages, they should be retained to document the business discussion.

Guidelines employers should follow

The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continue to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:

  • Determine how the relevant state and federal laws impact monitoring policies. The law in this area is evolving and practices that are acceptable today may incur more risk in the future, so keep an eye on legislation that is currently being considered. Because many employee monitoring systems are costly to design and implement, consider future legal developments when planning to incorporate monitoring policies.
  • Inform employees in writing of the ways in which they will be monitored. By giving employees notice, the employer diminishes any reasonable privacy expectations the employees might have. Written notice is also critical for establishing that the employee consented to the monitoring, which places the employer in a strong legal position to defend alleged privacy violations. Consider consulting an attorney for assistance in drafting and obtaining signed consents that will best shield the employer from liability.
  • Create a well-written policy regarding information technology practices and provide it to employees. Employees generally want to know what the policies are regarding email and telephone use and other forms of office communication, so it is critical to formulate a reasonable and well-thought-out policy for technology use. Make clear to employees that work communications, including voicemail and email, can and will be monitored and explain that the employer is the sole owner of electronic communications.
  • Clearly define the ways employees will be monitored, including the types of monitoring that will be used and the kinds of technology at the employer’s disposal and then educate employees on what the rules are regarding use of the employers’ communication technology. Adequate instruction will help employees understand the rules and also prevent claims that employees were not aware of policies regarding technology resources.
  • Give employees notice that email messages may be monitored even though it may seem to them that they are private. Many employees may mistakenly believe that because their emails may be deleted and password-protected, they cannot be viewed by the employer. Stress that abuses of communications systems will not be tolerated and intellectual property will be vigilantly guarded.
  • Forbid defamatory, offensive and abusive communications. Make efforts to prevent communications that could amount to defamation, slander, verbal abuse, harassment or trade disparagement of employees, customers, clients, vendors, competitors or any person or entity. Communications that are harassing or threatening, including derogatory comments based on race, color, national origin, sex, age, disability, pregnancy, religious or political beliefs or any other characteristic protected under local, state or federal law should be forbidden.

Note: Employers must be cautious about total prohibitions against non-work-related communications. Union-related emails or postings cannot be prohibited if employers allow employees to make other non-work-related communications on the same systems.

  • Justify employee monitoring from the start with legitimate business interests. Employers should be able to list the reasons for monitoring and the business interests served by the monitoring, such as preventing unacceptable levels of personal technology use, maintaining productivity and high levels of employee service and ensuring that employees abide by local, state and federal laws. If surveillance is done for a specific investigatory purpose, then the employer should be able to prove that they had a specific reason for suspecting the individual employee or employees.
  • Be vigilant in enforcing a policy of keeping business lines open for business purposes only and not for personal calls. However, if calls are monitored, stop listening once a call is identified as personal.
  • Inform callers that their phone calls may be monitored. Employers can inform callers through a recording at the beginning of the call. Some states require a periodic beep to remind the person that their call is being recorded.
  • Tailor the company’s monitoring so that sensitive information will be disclosed only to individuals who have a legitimate need to know the information. Use the information for lawful business purposes only and limit dissemination of the information to individuals with a legitimate need to know, such as upper level management or law enforcement officers.
  • On a regular basis, review company policies regarding employee privacy and access to communications and information, as well as the relevant law governing such issues. Because this area of the law is rapidly evolving, it is important to keep up with developments that may impact existing privacy policies.