California Employee Monitoring Laws and the CCPA
California is the strictest US state for employee monitoring. Since the CPRA extended the CCPA to employee data in 2023, workers have access and deletion rights, and employers must give notice at collection before any monitoring begins.
California regulates employee monitoring more tightly than any other US state, chiefly because the California Privacy Rights Act extended the California Consumer Privacy Act to cover employee personal information from January 2023. That change gave California workers formal privacy rights over the data their employer collects, including monitoring data. On top of the CCPA, California penal code rules on recording, a state constitutional right to privacy, and reimbursement duties for remote-work tools all shape what employers can do. This guide explains each requirement and how to build a compliant California program.
The CCPA now covers employee data
The defining feature of California law is that the CCPA, as amended by the CPRA, applies to employee personal information. Before 2023 there was a business-to-business and employment exemption, but it expired, so California employees now have consumer-style privacy rights over the data their employer holds, monitoring data included.
This makes California unlike other US states, where employee monitoring is largely unregulated at the state level. An employer covered by the CCPA has to treat monitoring data as regulated personal information, not as internal operational data it can handle freely. Our New York monitoring law guide shows how differently another major state approaches the same question.
The expiry of the employment exemption is what makes California genuinely different, and it caught many employers off guard. Monitoring data that HR once treated as ordinary operational information is now regulated personal information carrying access, correction, and deletion rights, so California employers have to manage it with the same rigor as customer data.
Which employers are covered
The CCPA applies to for-profit businesses that meet at least one threshold: annual gross revenue above 25 million dollars, buying or selling the personal information of 100,000 or more consumers or households, or deriving half of revenue from selling personal information. Many mid-sized and larger California employers meet the revenue threshold alone.
Employers below every threshold are not directly bound by the CCPA, but the state constitutional right to privacy and the recording-consent rules still apply to them. Covered employers should confirm their status early, because the notice and rights obligations shape how monitoring must be designed and disclosed.
Employers near the thresholds should check their status annually rather than assume, because crossing the 25-million-dollar revenue line or the data-volume threshold brings the full weight of the CCPA. Even organizations below every threshold remain bound by California's constitutional right to privacy and its recording-consent rules, so no California employer is entirely outside the framework.
Notice at collection
The central CCPA obligation for monitoring is notice at collection. Before or at the point an employer collects employee personal information, it must inform the employee of the categories of information collected, the purposes, and how long it will be retained. For monitoring, this means telling employees what is tracked and why before the tracking starts.
A monitoring notice folded into a clear privacy notice satisfies this duty. The requirement aligns naturally with transparent monitoring: an employer that already announces monitoring openly, as in our announcement guide, is most of the way to CCPA notice compliance.
A strong notice at collection reads in plain language and lists categories, purposes, and retention in a way an employee can actually understand, not buried in legalese. Because the CCPA lets workers ask about precisely these points, a notice that matches the real practice prevents the mismatch that turns a routine request into a compliance problem.
California's approach effectively imports consumer-grade privacy expectations into the workplace, which is a significant cultural shift for employers used to treating internal data freely. Designing the monitoring program around minimal collection and clear disclosure from the outset is far easier than retrofitting those principles onto a system built to gather everything by default.
CCPA-Ready Monitoring
Compliance signals
Activity mix
▲ Notice at collection and per-employee records made access and deletion requests routine.
Illustrative eMonitor dashboard.
Employee access and deletion rights
Under the CCPA, California employees can request access to the personal information collected about them, request correction of inaccurate data, and in some cases request deletion, subject to exceptions where the employer needs the data for legitimate business or legal reasons. They can also learn the categories of data and the purposes for which it is used.
These rights create an operational duty: the employer must be able to locate, export, and where required delete an individual employee monitoring record. Systems that store monitoring data in an accessible, per-employee form make this manageable, which is why data governance matters as much as the monitoring itself.
Handling access and deletion requests is an operational muscle, not just a policy: the employer must be able to locate, export, and where required delete an individual's monitoring record within statutory timeframes. Systems that store monitoring data per employee, rather than in an undifferentiated pool, make honoring these rights a routine task instead of a scramble.
Because enforcement and guidance in California continue to evolve, a program that documents its categories, purposes, and retention is best placed to adapt. When the rules or interpretations shift, an employer with clear records can adjust a well-scoped program quickly, whereas one relying on broad, undocumented collection faces a much harder path to compliance.
California is a two-party consent state
For audio and call recording, California requires the consent of all parties under Penal Code Section 632. An employer that records employee calls, or uses audio monitoring, must ensure every party to the communication has consented, typically through a clear disclosure and an announcement on monitored calls.
This is stricter than the federal one-party rule and stricter than many other states. Any monitoring feature that captures audio needs all-party consent in California, so employers should treat call and microphone monitoring as high-risk and disclose it explicitly, or avoid it where consent cannot be assured.
The all-party consent rule makes audio the riskiest feature in California. An employer that records calls needs every participant to consent, usually through a clear announcement, so many California employers simply disable microphone and call recording rather than manage the exposure, reserving audio only for contexts where consent can be guaranteed.
Remote work and expense reimbursement
California Labor Code Section 2802 requires employers to reimburse employees for necessary business expenses, which can include a portion of home internet and personal device costs when employees work remotely. While not a monitoring rule in itself, it interacts with bring-your-own-device monitoring, where the employer monitors work activity on personal hardware.
Employers who monitor on personal devices should pair that with a clear device policy and reimbursement approach, as covered in our bring-your-own-device guide. Monitoring a personal device without addressing reimbursement and scope invites both privacy and wage-law risk in California.
Remote monitoring on personal devices intersects with wage law in a way unique to California, because Section 2802 can require reimbursing a share of home internet and device costs. Pairing any bring-your-own-device monitoring with a clear reimbursement approach and a defined work-only scope keeps the program clear of both privacy and wage-and-hour claims.
Meet California Privacy Rules
eMonitor gives you minimal-data monitoring, clear notice, and per-employee records that make CCPA access and deletion requests straightforward.
Building a compliant California program
A compliant California program gives notice at collection before monitoring begins, limits collection to defined business purposes, secures the data, and has a process to handle employee access, correction, and deletion requests. It obtains all-party consent for any audio recording and addresses device and reimbursement questions for remote monitoring.
Documenting the categories collected, the purposes, and the retention period is essential, because the CCPA gives employees the right to ask about exactly those points. A program designed around minimal collection and clear disclosure meets the CCPA far more easily than one that collects broadly and explains little.
The retention period stated in the notice should be real and enforced, not aspirational. Employees can ask how long their data is kept, and a program that promises 90 days but retains indefinitely creates its own liability, so aligning the stated period with an automated deletion schedule is a small step that closes a common gap.
How eMonitor supports California compliance
eMonitor supports the CCPA notice-and-rights model with configurable data collection, work-hours-only tracking, per-employee data that can be exported or deleted to answer access and deletion requests, employee self-views, and role-based access. Audio features can be disabled where all-party consent is not assured.
eMonitor is a data processor, and the employer remains the CCPA business responsible for notice at collection and for responding to employee requests. At $3.90 to $13.90 per user with a 7-day free trial, it gives California employers the granular controls to collect minimally, disclose clearly, and honor the access and deletion rights the CPRA created.
eMonitor supports this rights-driven model by keeping monitoring data in per-employee form that can be exported or deleted on request, with configurable collection and retention and audio features that can be switched off entirely. The employer remains the CCPA business responsible for notice and responses, and the tool's structure is what makes those responses quick.