Skip to content Skip to footer

Table of contents

This Minnesota Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Privacy rights — Minnesota

We are living in the era of big data, where cyber threats pose new risks to individuals, companies and governments. In the process, our very notion of privacy has changed. Key cards, private email accounts, audio and video surveillance and password-protected computer workstations make the workplace more efficient and safe. However, they also have changed the landscape of employee privacy dramatically within a generation. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation governed by human limitations, as technological advancements have allowed companies to supervise their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employer fraud, theft and other misconduct stays low. According to recent surveys, between 80 to 90% of all employers conduct some form of electronic monitoring of their workplaces. Therefore, employers must also be mindful of applicable local, state and federal laws that are designed to protect employees and their privacy.

As employers increase their ability to monitor and record their employees’ workplace conduct, the risk that employees will complain also increases. Some employees have even sued their employers, claiming violations of their “right to privacy.” Both federal law and Minnesota courts recognized that employees do not lose their privacy entirely upon arriving at work. Therefore, an employer must consider employee privacy interests when it monitors employee conduct. 

Employers should be aware of all applicable Minnesota and federal laws – and understand that the law of privacy is constantly changing – when formulating policies to monitor employee conduct. For example, the law is rapidly changing in a number of states regarding the ability of an employer to request access from applicants or employees to their personal email or social networking accounts.

An employer should also be mindful of the effect that monitoring policies have on employee morale. A monitoring policy that is legal, but that employees view as unfair and unnecessary, may ultimately hurt productivity. An employee who thinks that an employer has unfairly invaded privacy interests is more likely to seek a lawyer, pursue litigation, or campaign for union representation.

Employee monitoring and privacy

Congress passed the Electronic Communications Privacy Act (ECPA) in reaction to increasing concern that new threats to civil liberties were being made possible by emerging technology.

The ECPA is the controlling federal law dealing with surveillance and monitoring through telephone and other electronic means. The ECPA updated the federal Wiretap Act of 1968, which addressed the interception of conversations using “hard” telephone lines, but did not apply to interception of computer and other digital and electronic communications. To address this, the ECPA added a new section, the Stored Communications Act (SCA), which forbids unauthorized “access” to an “electronic communication while it is in electronic storage.” The ECPA extends to electronic and other digital communications. In other words, it covers email, telephonic conversations and data stored electronically.

The Wiretap Act

The Wiretap Act makes it unlawful for any person to intercept, use, disclose, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.

A private right of action under the Wiretap Act allows recovery of actual and punitive damages, plus attorneys’ fees and costs. The Wiretap Act also provides for statutory damages, which are usually awarded in daily increments, computed at $100 a day and capped at $10,000. Damages are awarded on a daily basis even though many different types of violations may happen within the course of the same day.

Oral communications

An oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” Conversations among employees, even in a public workspace, can sometimes be protected “oral communications” if spoken in private beyond the hearing range of others.

Wire communications

This category includes communications transmitted on any system that can function in interstate or foreign commerce, which covers telephone communication and possibly fax communication.

Electronic communications

Electronic communications include many of the communications that are widely used in today’s workplace, such as email, voicemail, electronic chat messages, and other messages transmitted over the Internet.


Intercept under the Wiretap Act is the “acquisition of the content of any wire, electronic, or oral communications through the use of any electronic, mechanical, or other device.” Courts have interpreted interception in a variety of ways. One court held that a defendant intercepted a communication when she retrieved and forwarded to her own personal mail box a voicemail message from the recipient’s mailbox before it had been received by the recipient. In another case, a court held that viewing an email message on the plaintiff’s computer screen did not constitute “interception.”


The Wiretap Act’s general prohibition on interception has three major

  1. The service-provider exception - This exception enables owners of a communications system (such as a server) to routinely review communications in order to manage and safeguard the system’s information.
  2. The business use exception - “Device” (as used in the definition of “interception”) does not include any equipment that is “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business.” The precise boundaries of the business use exception are not exactly clear, but as a general rule, employer monitoring does not qualify as business use unless the monitoring device was supplied by a provider of wire or electronic communication in the ordinary course of business.
  3. The consent exception - For purposes of the ECPA only, if one party to the communication consents, there can be no “interception” of the communication. Courts have not yet defined prior consent, but it is clear that written consent by an employee is the strongest defense against an ECPA claim. It should be noted that this exception will not apply in several states that require two-party consent.

Personal phone calls

Courts are less inclined to allow interception of employee communications when employers are attempting to monitor the content of personal phone calls. In monitoring communications, an employer should stop the interception as soon as it realizes the communication is of a personal nature. 

Note: This does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.

At least one federal court case has addressed blanket monitoring and recording of all calls by an employer and determined that such blanket monitoring and recording, absent notice to the employees and with no determination and cessation with regard to personal calls, would be a violation of an employee’s privacy rights. The blanket recordings could not be considered to be in the ordinary course of business, where all personal calls (as well as business calls) were monitored and recorded.

Stored Communications Act 

The Stored Communications Act (SCA) prohibits unauthorized access, interception, and disclosure of information stored in electronic form. Stored communications can take many forms, but they most commonly include computer files and email messages that have been archived.


One important exception to the SCA is when a provider of wire or electronic communications service is given access to an employer’s stored electronic communications, which would presumably enable the employer to monitor email that is archived on its communication system. What constitutes storage, however, is not well defined. Some courts have distinguished different types of storage, such as “intermediate storage,” “back-up protection storage,” and “post-transmission storage.” 

Another exception to the SCA allows access to stored electronic communications that have been made by or sent to a user if the user consents.

The SCA also includes an exception that allows an employer to access stored communications on a system for the purpose of safeguarding the employer’s business interests. The boundaries of this exception will likely depend on the minimum level of access necessary to safeguard the employer’s interest.

It is important to note that exclusively internal email systems provided by employers might be outside the scope of the SCA, because such a service would not technically be provided to the public.

USA Freedom Act

Soon after 9/11, Congress passed the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.” Key portions of the law expired in 2015, but were restored and renewed through the end of 2019 by the USA Freedom Act. These provisions may influence workplace privacy. This statute, which is primarily designed to combat terrorism, gives agencies of the government more extensive search powers, allowing them to conduct surveillance both traditionally and electronically to track and apprehend suspected terrorists.

The law allows the FBI to make an order "requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.” Employers face the possibility that their communications systems may be open to the government and therefore have a critical interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.

Other sources of privacy rights

Employers should monitor new regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act (HIPAA), as amended, which restricts access to protected health information. See Health insurance portability and privacy.

In addition, while not a protection of the right to privacy itself, the Sarbanes-Oxley Act imposes criminal penalties on employers who retaliate against employees who provide to a law enforcement officer truthful information about a federal offense committed by the employer. Therefore, if an employer violates the Wiretap Act or the SCA and an employee tells a law enforcement officer of the violation, the employer cannot lawfully retaliate against that employee. Criminal penalties under this anti-retaliation provision include fines and up to 10 years’ imprisonment.

International sources of privacy rights

In the case of large multinational companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance.

For example, on May 25, 2018, the General Data Protection Regulation (GDP Reg.) went into effect, replacing the European Union's Data Protection Directive. It extends the scope of the European Union data protection law to all foreign companies processing data of EU residents under a single set of rules. Each member state establishes an independent Supervisory Authority (SA) to investigate complaints and impose sanctions. If a business has establishments in more than one nation in the EU, it is subject to the SA in the country where its main data processing activities take place. By harmonizing the data protection regulations throughout the EU, the new law makes it easier for American companies to comply. Failure to comply can be costly because financial penalties may range up to 4% of a company’s worldwide revenue.

Under the GDP Reg., companies are required to obtain explicit consent for the data collected and the purposes for which it is used. Further, companies must appoint data protection officers who serve as “mini-regulators” with their own independent support team when there is regular and systematic monitoring of the data subjects.

In the event of any breach, any company that collects information on EU residents is under an obligation to notify the SA within 72 hours, and the affected individuals must be notified if any adverse impact is determined.


Under Minnesota law, it is illegal to intercept any wire, oral, or electronic communication without the consent of at least one of the participants to the communication. It is also illegal to disclose or use the contents of a communication without the consent of at least one participant when there is reason to know those contents were obtained through an illegal interception. 

Under the statute, consent is not required for the taping of a nonelectronic communication (in other words, ordinary conversations) uttered by a person who does not have a reasonable expectation of privacy in that communication. 

Unlike many other states, Minnesota utilizes the “one-party consent” rule, which permits any party to a conversation to record it, even if an expectation exists among some of the participants that the communication will not be recorded. As a result, Minnesota businesses may tape-record conversations if taping is a necessary and ordinary operational practice, so long as at least one participant to the conversations knows of the recording.

Data breach disclosure

All 50 states including Minnesota have adopted a variation of the “Information Security Breach and Notification Act.” The Act applies to all state agencies and individuals or businesses “doing business” in the state who own or license computerized data that includes “private information.”

Data security can be breached in a number of ways, including the loss or theft of a laptop computer, external hard drive, thumb drive, or CD. The law applies regardless of whether the loss of data occurred as a result of intentional wrongdoing or as a result of an inadvertent disclosure.

“Private information” is defined as “personal information consisting of any information in combination with one or more of the following data elements, when either the personal information of the data element is not encrypted, or encrypted with an encryption key that has also been acquired:

  • Social Security number
  • driver’s license number or state identification card
  • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • credit or debit card number in combination with any required access code.

Data that is dissociated because it is not linked together in a single database may be considered personal information if the means to link the data have also been accessed.

Employees who use personal cell phones, laptops, or other devices to conduct company business may pose special risks. When one of these devices is lost or stolen, it is not just the employee’s personal information that may find its way into the wrong hands. If company information is disclosed, it is the company that may have obligations to customers or other third parties to notify them of any data breach. For this reason, it is important that employers have in place policies that require their employees to report the loss of any electronic device from which confidential data may be compromised.

In the event of any suspected or actual breach of a Minnesota resident’s personal information, companies are required to immediately contact and also make a disclosure to those whose information was affected, normally its customers or employees. Damages and attorney fees may be awarded to an affected employee.

Special privacy protections for employee Social Security numbers

One of the primary sources of identity theft is from records kept by employers. As a result, Minnesota has joined a growing number of states that have adopted special privacy measures aimed at protecting employees. 

Under Minnesota’s Social Security Number Shield Law, all employers in Minnesota, regardless of their size, must take specific actions to protect the confidentiality of their employees’ Social Security numbers. First, employers must restrict access to Social Security numbers to ensure that only employees who require the numbers to perform their job duties have access. In addition, employers are prohibited from:

  • intentionally communicating or otherwise making employee Social Security numbers available to the general public
  • printing an individual's Social Security number on any card required for the individual to access products or services, such as a timecard or identification badge
  • requiring an individual to transmit a Social Security number over the Internet unless the connection is secure of the Social Security number is encrypted
  • requiring an individual to use a Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the website
  • printing an individual's Social Security number on any materials that are mailed to the individual, unless federal or state law requires the Social Security number on the document to be mailed
  • assigning or using a number as the primary account identifier that is identical to or incorporates an individual's complete Social Security number
  • selling the Social Security numbers obtained from individuals in the course of business.

Social Security numbers may be included in applications and forms sent by mail, provided they are not visible without the envelope having been opened.

Invasion of privacy

In addition to several statutory protections afforded personal privacy, Minnesota also recognizes several common law tort claims under the general heading of “invasion of privacy.” Generally speaking, invasion of privacy is the interference with the right of a person to be left alone and does not require a malicious intent on the part of the actor. A viable invasion of privacy claim in Minnesota will take one of the following three forms:

  1. intrusion upon seclusion
  2. appropriation of likeness or name
  3. publication of private facts.

Intrusion upon seclusion

The first invasion of privacy claim is intrusion upon seclusion. This occurs when someone intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another person (or that person’s private affairs or concerns), and the intrusion is highly offensive. The offensiveness of the intrusion is to be judged by the standard of a reasonable person. For this element to be satisfied, both the manner of intrusion as well as the nature of the information obtained must be highly offensive to a reasonable person. The intrusion must be substantial, and no publication (transferring of the information learned to another individual or entity) is required. The simple act of intruding, provided the highly offensive standard is met, is sufficient to establish liability. The actor must, however, physically or by means of the senses, place himself or herself within the other person’s zone of privacy.

The use of binoculars to peer into the window of someone’s house can give rise to an intrusion upon seclusion claim. Additionally, a person may be liable for an unauthorized phone tapping, or for the use of other such electronic devices designed to provide the user with access to a person’s private affairs. Other acts that may trigger liability include, but are not limited to, opening a person’s private and personal mail, searching a wallet or purse, or examining a private bank account.

Appropriation of likeness or name

The second invasion of privacy claim is appropriation of a person’s likeness or name without that person’s permission for another person’s use or benefit. This claim is designed to protect an individual’s identity and can occur, for example, when a company utilizes employee photographs in its advertising without permission of the individuals.

Publication of private facts

The third invasion of privacy claim occurs when an individual publicizes matters concerning the private life of another, provided the matters are of a kind that would be highly offensive to a reasonable person. The law is clear that publicity involving one or just a few individuals is not sufficient. Rather, the publicity must be made to the public at large or to so many persons that the matter would be regarded as fairly certain to become public knowledge.

Where an employee has told others of the private matter that is the subject of an action, courts may find that the employee has waived the right to make a claim against an employer. In addition, matters of public record cannot be the subject of a claim of publicity given to private life.

Privacy rights "by contract"

Employee manuals, collective bargaining agreements, and employment agreements can also be the source of privacy rights, so employers should make clear that such agreements are not intended to create rights. The inclusion of simple, express language in such manuals and agreements can be used to make it clear that it is not the employer’s intention to create such rights or expectations of privacy.

Other types of monitoring 

Video surveillance

The use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can trigger employee privacy rights. Video monitoring may violate privacy rights in at least three circumstances:

  • Video surveillance may violate state common law or statutes that protect employees. Generally speaking, the use of video cameras may infringe on employees’ rights in situations when the employee has a reasonable expectation of privacy, for example, in bathrooms, locker rooms, or other locations where employees can reasonably expect to be free from surveillance. An employer can eliminate this expectation, however, if it has a legitimate business need, such as safety or security, to conduct video monitoring and notifies employees of the monitoring.
  • Video monitoring has the potential to violate federal and state wiretap statutes. Silent video surveillance does not run afoul of the Wiretap Act, but videotaping that includes an audio transmission or recording element does constitute “interception” of an oral communication. An employer can avoid liability by conducting surveillance without audio transmission or, as with other interceptions, obtaining written consent from employees. Employers, however, should keep in mind that even if conduct is not in violation of the Wiretap Act, it could be in violation of other provisions of the ECPA or state laws.
  • Federal labor law may limit the use of video monitoring and other surveillance. The National Labor Relations Board (NLRB) has held that a company committed an unfair labor practice when it failed to bargain with its employees’ union regarding the use of surveillance cameras. According to the NLRB, a labor union has a statutory right to bargain with employers over the activation of video cameras, the placement of cameras, and the discipline of employees who are observed engaging in misconduct.

Email monitoring

Many employers have policies that retain the right to monitor employee email traffic over the employer’s electronic communication network. As described previously, federal law does not prohibit this in most circumstances, but the law in this area is still developing. Therefore, employers that monitor email may want to exercise caution when they come across communications that are obviously intended to be private, such as communication between employees and their doctors or lawyers.

Workplace searches

Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse, and other wrongdoing. Employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.

Searches at work may take a number of forms. Sometimes the employer needs to search company property, such as offices, desks, drawers, or lockers that have been provided for employee use. The employer may also want to search the property of an employee, such as a purse, gym bag, or briefcase. Finally, an employer might also search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can expose an employer to potential liability.

The risk of liability can be reduced if an employer provides advance notice to employees of the circumstances under which such searches may be conducted. Employers that establish such policies should strictly adhere to them.

Searches by public employers

The Fourth Amendment to the United States Constitution protects individuals from unreasonable searches and seizures by federal, state, and local government officials. Public sector employees can invoke this right in the workplace if, under the circumstances, they have a reasonable expectation of privacy. This question always is addressed on a case-by-case basis and may turn on factors such as whether the workplace is so open to the public or other employees that no expectation of privacy is reasonable. An employee’s privacy rights may be outweighed by the reasons that the government wishes to conduct the search.

The U.S. Supreme Court has twice analyzed this issue. In 1987, the Court upheld the search of an employee’s desk and file cabinet, noting “government searches to retrieve work-related materials or to investigate violations of workplace rules – searches of a sort that are regarded as reasonable and normal in the private employer context – do not violate the Fourth Amendment” in the public agency environment. In 2010, the Court also ruled that a municipality did not violate an employee’s Fourth Amendment privacy rights when it reviewed personal text messages that the employee sent on a pager that was owned and paid for by the employer. In the context of a somewhat ambiguous policy on electronic communications that the municipality had adopted, the Court deliberately bypassed the issue of whether the employee had a reasonable expectation of privacy in his electronic communications. Instead, the Court resolved the case by holding that the search was reasonable because it was motivated by a non-investigatory, work related purpose since the city sought to determine whether the employee had been provided with an adequate limit on his text messaging.

Although these cases arose in the public sector, the decisions have implications for all employers. To safeguard against privacy claims, employers should ensure that they have appropriate policies in place to avoid creating unintended expectations of privacy. When a search is warranted, it should be supported by adequate business reasons and extend no further than reasonably necessary given the business purpose behind it.

Searches by private employers

Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, generally are permissible so long as the employer has a legitimate business reason and the search is limited to what is necessary. In most instances to preserve good employee relations, an employer should contact the employee before conducting this type of search.

Investigatory searches, such as a search for illegal drugs or illegally concealed weapons, should generally be limited to situations when the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it may violate an employee’s rights. For example, a search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key.

An employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. In Minnesota, employers must notify employees, either in an employee handbook or by posting a policy, if lockers, desks and offices are subject to being searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person and avoid using force. Solutions that do not involve searches – such as inventory control systems and systems for tracking internet use – can eliminate the need for many searches.


Another way employers may monitor employees is by:

  • conducting investigations
  • making inquiries to others about the employee
  • reviewing prior employment records, credit reports, and school records (see also Background checks)
  • investigating workplace harassment or other wrongdoing.

There are many legal issues implicated in employer investigations, which are covered in Workplace investigations.


Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA) (see Disabilities and reasonable accommodation). Testing for illegal drugs is not covered by the ADA, but alcohol testing may be. Employers should seek legal counsel in developing drug testing policies and should comply with the federal Drug-Free Workplace Act, if applicable. Psychological tests may have an adverse impact on minority applicants or employees and therefore raise an inference of discrimination. As a general rule, employers should work with legal counsel and testing professionals to develop testing policies that comply with all applicable employment laws.

Issues related to use of the Internet


The ability to post videos on social media sites such as YouTube and other websites creates enormous risks for employers. Trade secrets may be compromised or reputations maligned by employees who are engaging in prank behavior. Take the case of Domino’s Pizza, which found itself maligned by two employees who posted a video showing one of them preparing sandwiches for delivery while putting cheese up his nose and performing other unhygienic acts. After more than one million views on YouTube, the video was removed, but not before Domino’s suffered major damage to its reputation. Although there is no way to prevent such conduct from occurring, it might in some cases be prevented by adopting and publicizing a policy making clear that such conduct is prohibited. Before adopting such a policy, however, employers need to be mindful that an overbroad rule may result in an unfair labor practice finding by the NLRB. See also Social Media.


Sometimes employees can create nightmares for their companies by trying to be helpful, such as by endorsing the company’s products on internet blog sites. This can run afoul of laws prohibiting certain unfair and deceptive practices in commerce. The United States Federal Trade Commission (FTC) issued rules pertaining to the use of endorsements and testimonials in advertising, which highlight the need to disclose any connection between the seller of the product or service and the person endorsing it. 

To limit potential liability, an advertiser should make sure that the advertising service provides guidance and training to its bloggers concerning the need to ensure that statements they make are truthful and substantiated. The advertiser should also monitor bloggers who are being paid to promote its products and take steps necessary to halt the continued publication of deceptive representations when they are discovered.

Employers need to pay attention to what their employees do and say so far as it relates to the products and services that the employer offers to the general public. Companies should develop a policy on whether employees should refrain from communicating with the general public over the Internet about the employer’s products and services. At a minimum, such policies should identify the types of statements that are inappropriate to post and the kinds of disclosures that should be made regarding the employee’s relationship with the company.

The FTC’s guides concerning the use of endorsements and testimonials in advertising are available at:

Discriminatory and harassing comments

The ease of cyberspace communication makes it possible to transmit offensive material to large groups of people instantaneously. Courts analyze harassing photographs, cartoons, comments, and other materials on the Internet under the same standards that they apply to other forms of behavior that create a hostile work environment. See Discrimination. When an employer has notice that such conduct is occurring in the workplace, there is an obligation to investigate and take corrective action.


The ability to forward email communications makes it much more likely that potentially defamatory communications will be published beyond those who are privileged to receive them. In one case that received a great deal of publicity, New York Life Insurance Company was sued by a former employee. An email from a corporate vice-president reported that she had been terminated for use of her corporate credit card “in a way in which the company was defrauded.” Because the email was forwarded to several managers and non-managers who were not privileged to receive this information, a court held that the employee had met the initial burden to prove a case of defamation.

Cell phones and personal electronic devices in the workplace

Many employers are adopting specific policies to cover use of mobile electronic devices, primarily cell phones, in the workplace and in other locations while performing duties for the employer. This policy applies to not only the use of cellular phones for phone calls, but also for leaving messages, sending text messages, surfing the Internet or downloading and allows for reading of and responding to work-related messages and information whether the device is company supplied or personally owned.

Company-owned and -supplied devices

For company-supplied devices or for corporate accounts in which some portion of the service and access fees are paid, a policy should be in place regarding using the device while operating a vehicle. Having a prohibition from use should also include both calls and texts as well as Internet surfing and email.


A company should have a policy about using a cellular phone for business purposes during work hours. To ensure effectiveness during meetings, the company should consider a provision requiring employees keep their phones at their desks. If circumstances require, the cell phone should be allowed in the meeting on vibrate.

Personal device used for business

For employees who use personal devices for business purposes, a company should have a policy to prohibit use for business purposes while driving. All other use of cellphone for business purposes such as texting, surfing the Internet, checking and sending email, voicemail, or other purposes should be addressed if it is related to employment.

Expectation of privacy

Whether the device belongs to the employer or is a personal device, the employer should clearly state the privacy expectations and the extent to which the employer wishes to reserve the right to review employer-owned information or information about the employer.

Creating a cellphone usage policy

  • Address state laws about texting while driving. In Minnesota, it is illegal to text while driving. Additionally, pending legislation in Minnesota would require drivers to only use hands’ free devices.
  • Be reasonable with policies. If an employee is required to work long hours, allowing minimal cell phone usage may help morale. 
  • Address camera phones, which are an ever-present issue in today’s technology. Intellectual property, trade secrets, personal customer information, or other confidential data can be captured and used easily with a camera phone. Camera, video, and audio recording capabilities also make ripe the possibility of misuse toward other employees and can lead to claims of harassment.
  • Make sure the policy created is enforced, and that employees understand the consequences of failing to abide by its terms.
  • All employees should sign a copy of the policy, after education and time to review.
  • Give notice of privacy rights and considerations.

Handling texting and instant messaging 

Many employers have adopted specific policies to cover use of electronic devices, primarily cell phones, in the workplace and in other locations while performing duties for the employer. Because of the increase in use of mobile electronic devices, a comprehensive electronic usage policy should be developed. 

Texting and messaging in the workplace can pose serious safety and privacy concerns. Many view texting and instant messaging as an informal, social activity; unfortunately, some are not discriminating in topic and the most ready topic while one is at work is often work itself or co-workers. Additionally, a growing source of liability exists as business-related texting continues to increase. Employers must adopt policies to define the acceptable limits of text and messaging in the workplace.

Useful guidelines in implementing and maintaining electronic usage/texting policies:

  • Employers should implement and clearly communicate an electronic resources policy intended to shape employees’ privacy expectations.
  • The policy must be very clear about what, if any, expectations the employee has to privacy.
  • Policy reminders should be considered to provide employees with ongoing notice of the employer’s policy and any updates to the policy.
  • The policy should address not only communications transmitted through the company’s own electronic resources but also communications related in any way to the employer’s business that are transmitted using an employee’s personal accounts or devices through a third-party service provider, regardless of whether the employer or the employee is the subscriber on the service contract.
  • Managers and supervisors should be trained to make statements consistent with the company’s policy (e.g., They should not disclose, “We never actually review personal text messages.”).
  • The policy should emphasize that it may be modified only in writing via established procedure, and otherwise individuals shall not have the authority to modify the policy.
  • The policy should be reviewed and updated regularly to address new technologies and new developments in the law.
  • Searches, reviews, and monitoring should be done only for legitimate, business purposes.
  • Searches, reviews, and monitoring should be done in a reasonable manner aimed at collecting information that is relevant to the search’s legitimate, business purpose.

Driving while texting

Given the fact that Minnesota has enacted distracted driving laws, as well as employers could be liable for injuries caused by accidents when their employees are driving and talking and/or texting on cellphones for work purposes, employers should adopt a distracted-driving policy. A distracted-driving policy should clearly state that it is against company rules to text, email or use a hand-held phone or communication device while operating a company vehicle, driving a personal vehicle for business use or using a company-issued communication device. The distracted-driving policy must be clearly communicated to employees, taken seriously and enforced.

"Textual harassment"

“Textual harassment” has moved into the workplace with the rise of usage of mobile electronic devices. Employment lawsuits sometimes start as the result of text messages, or the messages appear later as evidence of harassing conduct. Employees often think that texts are harmless and cannot be traced. However, text messages leave behind an electronic record which is increasingly retrievable and being used to bolster litigation of claims. As stated previously, employers should put employees on notice that they should have no expectation of privacy in their electronic communications. A well-crafted and broadly distributed policy that puts employees on notice of how and when the employer will access these communications can go a long way toward strengthening the employer’s position in litigation. Employees should be advised that harassing comments made through any type of electronic media are prohibited and not tolerated, and that such conduct may lead to termination.

Communications with top management

If employees communicate with management via text message, a policy should be in place regarding those communications. The policy should require that any communications regarding compensation or hours worked, medical or disability leaves or absences, and attendance should be made in a writing other than a text message (via letter or email) so that there is a clear record for files. If business issues are discussed via such messages, they should be retained to document the business discussion.

How to deal with employee privacy

The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continues to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:

  • Determine how the relevant state and federal laws impact your monitoring policies. The law in this area is evolving, and practices that are acceptable today may incur more risk in the future, so keep an eye on legislation that currently is being considered. Because many employee monitoring systems are costly to design and implement, employers should consider anticipated future legal developments when planning to incorporate monitoring policies.
  • Inform employees in writing of the ways in which the employer plans to monitor them. By giving employees notice, the employer diminishes any reasonable privacy expectations the employees might have. Written notice is also critical for establishing that the employee consented to the monitoring, and that consent places the employer in a strong legal position to defend alleged privacy violations. However, policies identifying the type of monitoring an employer may perform can also give rise to expectations of privacy based on the reasonable assumption that the employer will not go beyond its policy. Therefore, employers should adhere to their policies and not conduct more expansive monitoring without good reason for doing so.
  • Consider consulting an attorney for assistance in drafting and obtaining signed consents that will best shield the employer from liability.
  • Create a well-written policy regarding information technology practices and provide it to employees. Employees generally want to know what the policies are regarding email and telephone use and other forms of office communication, so it is critical to formulate a reasonable and well-thought-out policy for technology use. Make clear to employees that work communications, including voicemail and email, can and will be monitored, and explain that the employer is the sole owner of electronic communications.
  • Clearly define the ways in which the employer will monitor employees, including the types of monitoring that will be used and the kinds of technology at your disposal, and then educate employees on the rules regarding use of the employers’ communication technology. Adequate instruction and notice will help employees understand the rules and also prevent claims that employees were not aware of policies regarding technology resources.
  • Give employees notice that email messages may be monitored even though it may seem to them that the email messages are private. Many employees may mistakenly believe that because their emails may be deleted and password-protected, they cannot be viewed by the employer. Stress that abuses of communications systems will not be tolerated and intellectual property will be guarded vigilantly.
  • Forbid defamatory, offensive, and abusive communications. Make efforts to prevent communications that could amount to defamation, slander, verbal abuse, harassment, or trade disparagement of employees, customers, clients, vendors, competitors, or any person or entity. Communications that are harassing or threatening, including derogatory comments based on race, national origin, marital status, sex, age, disability, pregnancy, religion, or any other characteristic protected under local, state, or federal law should be forbidden.
    • Note: Be cautious about the scope of any prohibitions against non-work related communications because of the impact of the NLRA. In December 2014, the NLRB ruled that employees who have access to employer e-mail systems in the course of their work must, in most cases, be permitted to communicate with each other during non-working time about workplace issues. The NLRB decided this issue by a 3-2 vote, and its ruling was subsequently appealed to the United States Court of Appeals for the Ninth Circuit. However, in September 2018, the Ninth Circuit essentially paused the appeal, holding the case, and several others, in abeyance until the NLRB decides whether to keep or revoke the email usage standard. In the meantime, employers may subject themselves to unfair labor practice charges or have victories in union elections set aside if they fail to provide employees with such e-mail access.
  • Justify employee monitoring from the start with legitimate business interests. The employer should be able to list the reasons for monitoring and the business interests served by the monitoring, such as preventing unacceptable levels of personal technology use, maintaining productivity and high levels of employee service, and ensuring that employees abide by local, state, and federal laws. If surveillance is done for a specific investigatory purpose, then be able to prove that you had a specific reason for suspecting the individual employee or employees.
  • Be vigilant in enforcing a policy of keeping business lines open for business purposes only and not for personal calls. However, if the employer does monitor calls, stop listening once a call is identified as personal.
  • Inform callers that their phone calls may be monitored. The employer can inform callers through a recording at the beginning of the call. Although Minnesota law only requires the consent of one party to a phone call in order to monitor or record the call, a reminder at the outset that calls may be monitored will give rise to implicit consent.
  • Tailor any monitoring so that sensitive information will be disclosed only to individuals who have a legitimate need to know the information. Use the information for lawful business purposes only, and limit dissemination of the information to individuals with a legitimate need to know, such as upper-level management or law enforcement officers. 
  • On a regular basis, review policies regarding employee privacy and access to communications and information, as well as the relevant law governing such issues. Because this area of the law is rapidly evolving, it is important to keep up with developments that may impact existing privacy policies.

COVID-19 considerations

As a result of the COVID-19 pandemic, many employers have been torn between how to protect employee privacy interests and protecting others in their workforce from the spread of the virus. Information regarding the medical condition of an employee who tests positive for COVID-19 is treated as medical information that the employer must protect against disclosure except in limited circumstances as permitted by the American with Disabilities Act (ADA). See Disabilities and reasonable accommodation. At the same time, COVID-19 is a nationally notifiable disease, which when diagnosed, must be reported by healthcare providers to government health departments. The health departments are responsible for leading case investigations and contact tracing. In carrying out this role, they will ask the patient questions about work status, work environment and persons they have been in touch with. Employers are encouraged by the Centers for Disease Control (CDC) to permit health department-initiated interviews, site visits and record reviews to identify close contacts who may have been exposed to the virus bearer. It is permissible for employers to provide identifying information to the health department under these circumstances.