Employee Monitoring Laws by US State: Complete 2026 Compliance Guide

Employee monitoring laws by state determine whether your organization needs written notice, employee consent, or both before deploying workforce monitoring software. This guide covers all 50 states, the District of Columbia, and federal requirements under the Electronic Communications Privacy Act (ECPA), with statute references, consent types, and penalty ranges for each jurisdiction.

eMonitor includes built-in compliance features: work-hours-only tracking, employee-visible dashboards, and configurable privacy levels.

Federal Employee Monitoring Law: The ECPA Foundation

The Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510-2522) is the primary federal statute governing electronic monitoring in the workplace. The ECPA prohibits unauthorized interception of electronic communications but provides two critical exceptions that permit most forms of employer monitoring.

The business-purpose exception (also called the provider exception, 18 U.S.C. 2511(2)(a)(i)) allows employers to monitor communications on company-owned equipment and networks when there is a legitimate business reason. Courts have interpreted this exception broadly. In Fraser v. Nationwide Mutual Insurance Co. (352 F.3d 107, 3d Cir. 2003), the Third Circuit held that reviewing stored email on a company server fell within the provider exception.

The consent exception (18 U.S.C. 2511(2)(d)) allows monitoring when at least one party to the communication consents. In practice, employer-provided notice combined with continued use of company equipment establishes implied consent. According to a 2024 American Management Association survey, 78% of US employers now monitor employee digital activity, up from 60% in 2019.

What the ECPA Covers

  • Email monitoring on company servers and accounts
  • Internet and website tracking on company networks
  • Application usage monitoring on company-owned devices
  • Screen captures and recordings during work hours

What the ECPA Does Not Cover

The ECPA does not preempt stricter state laws. States retain the authority to impose additional notification requirements, consent mandates, and penalties. This is why understanding state employee monitoring laws remains essential for multi-state employers. The ECPA also does not address newer monitoring methods such as biometric data collection, AI-driven behavioral analysis, or GPS tracking, which fall under separate state statutes.

Beyond the ECPA, the Stored Communications Act (18 U.S.C. 2701-2712) governs access to stored electronic communications, and the Computer Fraud and Abuse Act (18 U.S.C. 1030) prohibits unauthorized access to computer systems. Together, these three federal statutes form the baseline for workplace monitoring legality.

States That Require Employee Monitoring Notification

Four states currently mandate written advance notification before employers can electronically monitor employees. These state employee monitoring laws go beyond the federal ECPA by placing affirmative disclosure obligations on employers. Failure to provide notice can result in civil penalties, employee lawsuits, and regulatory action.

Connecticut (Conn. Gen. Stat. 31-48d)

Connecticut was the first state to require written notice of electronic monitoring. Employers must provide prior written notice to all employees who are subject to electronic monitoring of their activities. The statute covers email monitoring, internet usage tracking, and telephone monitoring. Notice must be posted in a conspicuous place and provided to each employee in writing. Connecticut also requires notice to new hires before monitoring begins.

Penalties: Employers who fail to provide notice face civil penalties of up to $500 per violation for first offenses and up to $1,000 for subsequent violations. The Connecticut Department of Labor enforces this statute.

Delaware (Del. Code Title 19, Ch. 7, 705)

Delaware requires employers to provide written or electronic notice to employees before monitoring email, internet access, or telephone usage. The notice must inform employees of the types of monitoring conducted and the fact that monitoring may occur. Delaware law also requires notice to be provided on a one-time basis, with acknowledgment from each employee.

Penalties: Violations carry civil penalties up to $100 per violation, enforced by the Delaware Department of Labor.

New York (NYLL 52-c*2, Effective May 2022)

New York's employee monitoring notification law requires employers with workplaces in New York to provide written notice upon hiring that the employer monitors telephone conversations, email, or internet access. Employers must post the notice in a conspicuous location. The law applies to private employers only; government entities are exempt. New York's law notably requires acknowledgment from each employee, creating a paper trail of consent.

Penalties: Civil penalties of $500 per employee for first offense, $1,000 for second offense, and $3,000 for third and subsequent offenses.

Colorado (HB 24-1058, Effective August 2025)

Colorado's AI-focused employment law, HB 24-1058, requires employers to notify employees when AI-driven tools are used in employment decisions, including productivity monitoring and performance scoring. While not a traditional monitoring notification law, the statute directly affects employers using AI-powered monitoring software for performance evaluation. Employers must disclose the types of data collected, the purpose of collection, and how AI-generated scores influence employment decisions.

Penalties: Enforced by the Colorado Attorney General with civil penalties determined on a case-by-case basis.

Several states impose consent requirements that go beyond simple notification. These laws require employers to obtain affirmative agreement, not just provide passive notice, before conducting certain types of monitoring.

California: Multi-Layered Consent Framework

California has the most complex employee monitoring legal framework in the United States. Multiple statutes govern different monitoring types.

  • California Invasion of Privacy Act (CIPA, Penal Code 630-638): California is a two-party consent state for audio recording. Employers cannot record conversations without consent from all parties. Violations carry fines up to $2,500 per incident and potential criminal liability.
  • California Consumer Privacy Act (CCPA/CPRA): Requires employers to provide a notice at collection before gathering employee personal information. The notice must specify categories of data collected and purposes. Employees have the right to know what data is collected and request deletion in certain circumstances.
  • California Labor Code 435: Prohibits employers from monitoring employee social media accounts. Employers cannot request passwords or require employees to provide access to personal social media.
  • California Constitution, Article I, Section 1: Establishes a constitutional right to privacy that applies to both government and private employer monitoring. Courts balance employer business interests against employee privacy expectations.

For a detailed breakdown of California requirements, see our California employee monitoring laws guide.

Illinois: Biometric Information Privacy Act (BIPA, 740 ILCS 14)

Illinois BIPA is the strictest biometric privacy law in the country. Employers must obtain written, informed consent before collecting biometric identifiers including fingerprints, retina scans, and facial geometry. The law requires a written retention policy and prohibits sale or disclosure of biometric data.

Penalties: BIPA provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Class action litigation under BIPA has resulted in settlements exceeding $650 million since 2019 (Bloomberg Law, 2024).

Texas: Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Ch. 503)

Texas requires employers to provide notice and obtain consent before capturing biometric identifiers. Unlike Illinois, Texas does not provide a private right of action. Enforcement falls to the Texas Attorney General, with civil penalties up to $25,000 per violation.

Washington: Biometric Identifiers Law (RCW 19.375)

Washington requires notice and consent for commercial use of biometric identifiers. The law provides a private right of action and requires a publicly available retention schedule. Employers using facial recognition or fingerprint authentication for time tracking must comply.

Maryland: Two-Party Consent for Audio (Md. Code, Courts & Judicial Proceedings 10-402)

Maryland requires all-party consent for interception of oral, wire, and electronic communications. Employers monitoring phone calls or using audio recording in the workplace must obtain consent from all parties. Violations carry criminal penalties including fines up to $10,000 and imprisonment up to five years.

Employee Monitoring Laws by State: 50-State Reference Table

The following table summarizes state employee monitoring laws across all 50 states and the District of Columbia. Each entry notes the primary applicable statute, whether written notification is required, the consent standard for audio recording, biometric-specific requirements, and the penalty range for non-compliance.

How to read this table: "One-party" means the employer (as one party) may consent to recording. "Two-party" (or "all-party") means all participants must consent. "Notification required" means a separate written disclosure obligation exists beyond the ECPA baseline.

| State | Electronic Monitoring Notification | Audio Consent Standard | Biometric Law | Key Statute(s) | Penalty Range |
|---|---|---|---|---|---|
| Alabama | Not required | One-party | None | Follows federal ECPA | Federal penalties apply |
| Alaska | Not required | One-party | None | Alaska Stat. 42.20.300 | Class A misdemeanor |
| Arizona | Not required | One-party | None | A.R.S. 13-3005 | Class 5 felony for wiretapping |
| Arkansas | Not required | One-party | None | Ark. Code 5-60-120 | Class A misdemeanor |
| California | CCPA notice at collection | Two-party | CCPA biometric provisions | CIPA (Penal Code 630-638); CCPA/CPRA; Labor Code 435 | Up to $2,500/incident (CIPA); $7,500/intentional CCPA violation |
| Colorado | Required (AI tools) | One-party | CPA biometric provisions | HB 24-1058; C.R.S. 18-9-303 | AG enforcement; case-by-case civil penalties |
| Connecticut | Required | One-party (with exceptions) | None | Conn. Gen. Stat. 31-48d; 52-570d | $500-$1,000 per violation |
| Delaware | Required | One-party | None | Del. Code Title 19, 705 | Up to $100 per violation |
| Florida | Not required | Two-party | None | Fla. Stat. 934.03 | Up to $1,000 fine; 1 year imprisonment |
| Georgia | Not required | One-party | None | O.C.G.A. 16-11-62 | 1-5 years imprisonment |
| Hawaii | Not required | One-party | None | HRS 803-42 | Up to $10,000 fine; 5 years imprisonment |
| Idaho | Not required | One-party | None | Idaho Code 18-6702 | Up to $1,000 fine; 1 year imprisonment |
| Illinois | Not required (electronic); BIPA for biometrics | Two-party | BIPA (740 ILCS 14) | 720 ILCS 5/14-2; BIPA | $1,000-$5,000/BIPA violation; eavesdropping is Class 4 felony |
| Indiana | Not required | One-party | None | IC 35-33.5-5 | Class D felony |
| Iowa | Not required | One-party | HF 2506 (2024) | Iowa Code 808B | Up to $10,000 fine; 2 years imprisonment |
| Kansas | Not required | One-party | None | K.S.A. 21-6101 | Level 8 felony |
| Kentucky | Not required | One-party | None | KRS 526.010-526.080 | Class D felony |
| Louisiana | Not required | One-party | None | La. R.S. 15:1303 | Up to $10,000 fine; 5 years imprisonment |
| Maine | Not required | One-party | None | Me. Rev. Stat. Title 15, 710 | Class C crime |
| Maryland | Not required | Two-party | None | Md. Code, Cts. & Jud. Proc. 10-402 | Up to $10,000 fine; 5 years imprisonment |
| Massachusetts | Not required | Two-party | None | Mass. Gen. Laws Ch. 272, 99 | Up to $10,000 fine; 5 years imprisonment |
| Michigan | Not required | One-party | None | MCL 750.539 | Up to $2,000 fine; 2 years imprisonment |
| Minnesota | Not required | One-party | None | Minn. Stat. 626A | Up to $20,000 fine; 5 years imprisonment |
| Mississippi | Not required | One-party | None | Miss. Code 41-29-531 | Up to $10,000 fine; 5 years imprisonment |
| Missouri | Not required | One-party | None | Mo. Rev. Stat. 542.402 | Class D felony |
| Montana | Not required | Two-party | None | Mont. Code Ann. 45-8-213 | Up to $500 fine; 6 months imprisonment |
| Nebraska | Not required | One-party | None | Neb. Rev. Stat. 86-702 | Up to $10,000 fine; 5 years imprisonment |
| Nevada | Not required | One-party | SB 370 (2023) | NRS 200.620; SB 370 | Category D felony (wiretapping) |
| New Hampshire | Not required | Two-party | None | RSA 570-A:2 | Class B felony |
| New Jersey | Not required | One-party | None | N.J.S.A. 2A:156A-4 | Up to $10,000 fine; 3-5 years imprisonment |
| New Mexico | Not required | One-party | None | NMSA 30-12-1 | Fourth degree felony |
| New York | Required | One-party | NYC Biometric Privacy (Local Law 3) | NYLL 52-c*2; Penal Law 250.05 | $500-$3,000 per employee |
| North Carolina | Not required | One-party | None | N.C.G.S. 15A-287 | Class H felony |
| North Dakota | Not required | One-party | None | N.D.C.C. 12.1-15-02 | Class C felony |
| Ohio | Not required | One-party | None | Ohio Rev. Code 2933.52 | Up to $10,000 fine; 4 years imprisonment |
| Oklahoma | Not required | One-party | None | Okla. Stat. Title 13, 176.4 | Up to $5,000 fine; 5 years imprisonment |
| Oregon | Not required | One-party | None | ORS 165.540 | Class A misdemeanor |
| Pennsylvania | Not required | Two-party | None | 18 Pa.C.S. 5703 | Up to $10,000 fine; 3.5 years imprisonment |
| Rhode Island | Not required | One-party | None | R.I. Gen. Laws 11-35-21 | Up to $5,000 fine; 5 years imprisonment |
| South Carolina | Not required | One-party | None | S.C. Code 17-30-20 | Up to $10,000 fine; 5 years imprisonment |
| South Dakota | Not required | One-party | None | SDCL 23A-35A-20 | Class 1 misdemeanor |
| Tennessee | Not required | One-party | None | Tenn. Code 39-13-601 | Class D felony |
| Texas | Not required | One-party | CUBI (Ch. 503) | Tex. Penal Code 16.02; CUBI | Up to $25,000/biometric violation; state jail felony (wiretapping) |
| Utah | Not required | One-party | None | Utah Code 77-23a-4 | Third degree felony |
| Vermont | Not required | One-party | None | 13 V.S.A. 1902 | Up to $500 fine; 5 years imprisonment |
| Virginia | Not required | One-party | VCDPA biometric provisions | Va. Code 19.2-62; VCDPA | Class 6 felony (wiretapping) |
| Washington | Not required | Two-party | RCW 19.375 | RCW 9.73.030; RCW 19.375 | Gross misdemeanor; private right of action for biometrics |
| West Virginia | Not required | One-party | None | W. Va. Code 62-1D-3 | Up to $10,000 fine; 5 years imprisonment |
| Wisconsin | Not required | One-party | None | Wis. Stat. 968.31 | Up to $10,000 fine; 3.5 years imprisonment |
| Wyoming | Not required | One-party | None | Wyo. Stat. 7-3-602 | Up to $10,000 fine; 5 years imprisonment |
| District of Columbia | Not required | One-party | None | D.C. Code 23-541 | Up to $10,000 fine; 5 years imprisonment |

Key pattern: Only 4 states (Connecticut, Delaware, New York, Colorado) require written notification for electronic monitoring. 11 states plus D.C. are two-party consent for audio recording. 5 states have specific biometric privacy laws. The remaining states default to federal ECPA protections.

Two-party (all-party) consent states require every participant in a conversation to agree before recording takes place. This directly affects employers who record phone calls, use audio monitoring in offices, or deploy software with microphone access. The following 11 states require all-party consent for audio:

California, Connecticut (for phone calls), Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, Washington, and Oregon (for in-person conversations only).

For employers using monitoring software with audio capabilities, this means audio features must be disabled by default in these states unless explicit consent is obtained from all parties. eMonitor's audio tracking module provides granular controls that allow administrators to enable or disable audio recording on a per-state or per-team basis, supporting compliance with varying state requirements.

What does two-party consent mean for practical workplace monitoring? Screen captures, application tracking, website monitoring, and keystroke intensity measurement do not involve audio interception and are therefore unaffected by two-party consent laws. The restriction applies specifically to recording spoken communications, whether over the phone or in person.

Biometric Privacy Laws Affecting Employee Monitoring

Biometric privacy legislation is the fastest-growing category of state employee monitoring laws. Between 2019 and 2026, the number of states with biometric-specific statutes has grown from 3 to 8, with at least 15 additional states considering legislation (National Conference of State Legislatures, 2025).

Biometric data includes fingerprints, facial geometry, retina scans, voiceprints, and hand geometry. Employers collecting biometric data for time clocks, building access, or identity verification face specific compliance obligations.

The Illinois BIPA Standard

Illinois BIPA remains the most significant biometric privacy law because of its private right of action. Employees can sue directly, without relying on state enforcement. In Cothron v. White Castle System (2023), the Illinois Supreme Court held that each individual scan constitutes a separate violation, potentially multiplying damages significantly. BIPA class action settlements have exceeded $1.8 billion cumulatively through 2025 (Seyfarth Shaw, BIPA Tracker).

Employers using fingerprint-based time clocks or facial recognition attendance systems in Illinois face the highest compliance risk. The required steps are: (1) develop a written biometric data retention policy, (2) obtain informed written consent before first collection, and (3) store biometric data securely with defined destruction timelines.

Practical Impact for Monitoring Software

Standard employee monitoring features (screen captures, app tracking, time logging, productivity scoring) do not collect biometric identifiers under current definitions. The biometric concern arises when employers add biometric authentication (fingerprint login, facial recognition check-in) to their monitoring stack. eMonitor uses standard username-password authentication, avoiding biometric data collection entirely.

Monitor Employees Compliantly Across All 50 States

eMonitor's configurable privacy levels, work-hours-only tracking, and employee-visible dashboards are designed for multi-state compliance. Set different monitoring levels by team, location, or state.

Remote Worker Monitoring Laws: Which State's Rules Apply?

Remote work has made state employee monitoring laws significantly more complex for employers. The general rule is that the law of the state where the employee physically works governs, not the state where the employer is headquartered. A company incorporated in Delaware with offices in Texas that employs a remote worker in California must comply with California's monitoring laws for that employee.

According to the Bureau of Labor Statistics (2025), 27.6% of US employees work remotely at least part-time. For a 200-person company with employees across 15 states, this means 15 different sets of monitoring regulations may apply simultaneously.

Multi-State Compliance Strategy

The most practical approach for multi-state employers follows three steps:

  1. Identify the strictest applicable standard. If you have employees in California, Connecticut, and New York, your baseline policy must satisfy all three states' requirements.
  2. Draft a comprehensive monitoring policy that includes written notification (satisfying Connecticut, Delaware, New York), consent language (satisfying California's CCPA), and biometric exclusions (satisfying Illinois BIPA). Our employee monitoring policy template covers multi-state compliance.
  3. Configure monitoring software by location. eMonitor allows administrators to set different monitoring levels per team or office, which maps directly to state-by-state compliance requirements.

Employers who apply the strictest state's standard across the entire workforce avoid the complexity of per-employee configuration. This "highest common denominator" approach adds minimal operational burden because the core requirements (written notice, employee acknowledgment, limited scope) represent best practices regardless of legal obligation.

How to Build a Compliant Employee Monitoring Program

A legally sound employee monitoring program requires five components, regardless of which state or states your employees work in. These components satisfy all current state notification and consent requirements while building employee trust.

1. Written Monitoring Policy

Every employer using monitoring software needs a written policy that specifies: (a) what activities are monitored (screen captures, app usage, time tracking, etc.), (b) when monitoring occurs (work hours only vs. always-on), (c) who can access monitoring data, (d) how long data is retained, and (e) how employees can access their own data. This single document satisfies notification requirements in Connecticut, Delaware, New York, and Colorado.

2. Employee Acknowledgment

Collect signed acknowledgment from every employee confirming receipt and understanding of the monitoring policy. New York specifically requires this. Maintain acknowledgment records for at least three years (the statute of limitations for most employment claims). Digital acknowledgment through onboarding software or email confirmation is acceptable in all states that require it.

3. Scope Limitations

Limit monitoring to company-owned equipment and work hours. Monitoring personal devices (BYOD) requires explicit additional consent in most states. Courts are more likely to find monitoring reasonable when it is limited to business equipment and business hours. eMonitor's work-hours-only tracking and the ability to exclude personal applications directly support scope limitations.

4. Data Access Controls

Restrict access to monitoring data through role-based permissions. Only managers and HR personnel with a legitimate need should access employee monitoring data. This practice satisfies the "reasonable expectation" standard courts apply when evaluating monitoring legality, and it aligns with CCPA and VCDPA data minimization principles.

5. Regular Policy Review

Review and update your monitoring policy annually. State laws change: New York's monitoring notification law took effect in 2022, Colorado's AI disclosure law in 2025, and at least six additional states had monitoring bills in committee during the 2025-2026 legislative session. Annual review ensures your policy reflects current requirements.

Penalties for Non-Compliant Employee Monitoring

The financial and legal consequences of non-compliant monitoring range from modest civil fines to significant criminal liability, depending on the state and the type of violation.

Civil Penalties

  • Connecticut: $500 (first offense) to $1,000 (subsequent) per violation for failing to notify employees
  • New York: $500 to $3,000 per employee, escalating with repeat offenses
  • Illinois BIPA: $1,000 to $5,000 per violation, with class action exposure reaching millions
  • Texas biometrics: Up to $25,000 per violation, enforced by the Attorney General
  • CCPA/CPRA: $2,500 per unintentional violation, $7,500 per intentional violation

Criminal Penalties

Unauthorized wiretapping and eavesdropping carry criminal penalties in most states. Pennsylvania, Maryland, and Massachusetts treat unauthorized audio recording as felonies with potential imprisonment. Federal ECPA violations carry fines up to $10,000 and imprisonment up to five years. In practice, criminal prosecution of employers for monitoring violations is rare, but the risk increases when monitoring extends to personal communications or personal devices without consent.

Civil Litigation Risk

Beyond statutory penalties, employees can bring common law claims for invasion of privacy, negligent infliction of emotional distress, and breach of implied contract. These claims are available in all 50 states regardless of whether the state has a specific monitoring statute. A Littler Mendelson survey (2024) found that employee privacy lawsuits increased 43% between 2021 and 2024, driven by expanded remote monitoring and biometric data collection.

Industry-Specific Employee Monitoring Regulations

Beyond general state monitoring laws, certain industries face additional regulatory requirements that affect how monitoring software can be deployed.

Healthcare (HIPAA)

Healthcare organizations must ensure that monitoring software does not capture protected health information (PHI) visible on employee screens. Screen capture features require configuration to blur or exclude applications containing patient records (EHR systems, patient portals, medical imaging software). eMonitor's screenshot blur feature and application exclusion rules enable HIPAA-compliant monitoring for healthcare employers.

Financial Services (FINRA, SOX, GLBA)

FINRA Rules 3110 and 3120 require broker-dealers to supervise employee communications, creating an affirmative obligation to monitor. The Sarbanes-Oxley Act requires internal controls that often include monitoring of financial system access. The Gramm-Leach-Bliley Act requires protection of consumer financial data. For financial services employers, monitoring is not just permitted but required.

Government Contractors (DFARS, CMMC)

Government contractors handling Controlled Unclassified Information (CUI) must implement monitoring controls under DFARS 252.204-7012 and CMMC Level 2 requirements. Activity monitoring, access logging, and anomaly detection are mandatory. eMonitor's DLP features, including USB monitoring, file transfer tracking, and website access logging, align with these requirements.

New York Employee Monitoring Laws: Detailed Requirements

New York's Civil Rights Law Section 52-c*2, effective May 7, 2022, made New York the most recent state to mandate employer monitoring notification. The law applies to all private-sector employers with a workplace in New York State.

What the Law Requires

Employers must provide written notice upon hiring that the employer monitors or intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage. The notice must be acknowledged by the employee in writing or electronically. Employers must also post the notice conspicuously in a place accessible to all employees.

What the Law Does Not Require

The law does not require consent; notification and acknowledgment are sufficient. The law does not restrict the scope or type of monitoring conducted. Government employers are exempt. The law does not create a private right of action; enforcement is through the New York Attorney General.

For a complete analysis including New York City-specific regulations, see our New York employee monitoring laws guide.

Upcoming State Monitoring Legislation to Watch in 2026

The trend in state legislatures is toward more regulation, not less. Several states introduced employee monitoring bills in the 2025-2026 session that, if enacted, would expand notification, consent, or transparency requirements.

  • Massachusetts (H.1698): Proposed requirement for written notice before electronic monitoring, modeled after Connecticut's law. Would include provisions for AI-driven monitoring disclosure.
  • New Jersey (A.4762): Proposed automated decision-making transparency act that would require employers to notify employees when AI tools influence hiring, promotion, or disciplinary decisions based on monitoring data.
  • Minnesota (HF 2309): Proposed biometric privacy act with a private right of action similar to Illinois BIPA.
  • Oregon (SB 621): Proposed workplace technology accountability act requiring employers to conduct impact assessments before deploying AI-based monitoring tools.
  • Virginia (HB 1532): Proposed amendment to the VCDPA adding specific employer obligations for employee data processing, including monitoring data.

Employers who proactively adopt transparent, consent-based monitoring practices position themselves well for any future legislation. The compliance cost of retroactively updating policies is significantly higher than building compliant practices from the start.

Employee Monitoring Laws FAQ

Is it legal to monitor employees without telling them?

Employee monitoring without notice is legal in most US states under the federal ECPA, which permits employer monitoring on company-owned devices through the business-purpose exception. However, Connecticut, Delaware, New York, and Colorado require written advance notification. Best practice, regardless of state law, is to always provide written notice because it strengthens the legal defense and builds employee trust.

What states require employers to notify employees about monitoring?

Four states require written notification: Connecticut (Conn. Gen. Stat. 31-48d), Delaware (Del. Code Title 19, 705), New York (NYLL 52-c*2), and Colorado (HB 24-1058, for AI-driven monitoring tools). California requires a notice at collection under the CCPA for personal data, which includes monitoring data. Several additional states have proposed notification bills in the 2025-2026 legislative session.

Do employers have to tell you about computer monitoring?

Federal law does not require employers to disclose computer monitoring on company equipment. State laws in Connecticut, Delaware, New York, and Colorado do mandate written disclosure. Even where not legally required, transparent monitoring policies reduce litigation risk and improve employee acceptance. The American Management Association reports that employers with written monitoring policies face 62% fewer employee complaints about privacy.

Is keystroke logging legal in the United States?

Keystroke logging is legal on employer-owned devices in all 50 states when used for legitimate business purposes. The ECPA business-purpose exception covers keystroke monitoring that measures activity intensity. eMonitor's keystroke tracking measures engagement patterns without capturing the content of keystrokes, protecting employee privacy while providing productivity data. Employers must avoid capturing personal passwords and financial credentials.

What are the ECPA exceptions for employer monitoring?

The ECPA (18 U.S.C. 2511) provides two key exceptions. The business-purpose exception (provider exception) permits monitoring on company-owned systems for legitimate business operations. The consent exception permits monitoring when at least one party consents. In practice, a written monitoring policy plus employee acknowledgment satisfies both exceptions, creating a strong legal foundation for workplace monitoring.

Can employers monitor personal devices used for work?

Monitoring personal devices (BYOD) carries substantially higher legal risk than monitoring company equipment. The ECPA business-purpose exception applies more narrowly to personal devices because the employer does not own the equipment. California, Illinois, and Washington impose stricter consent requirements. Employers using BYOD monitoring should obtain explicit written consent and limit monitoring to work applications only.

What penalties exist for illegal employee monitoring?

Penalties vary by state and violation type. Federal ECPA violations carry fines up to $10,000 and imprisonment up to five years. Illinois BIPA violations allow statutory damages of $1,000 to $5,000 per incident. New York imposes civil penalties of $500 to $3,000 per employee. California CIPA violations carry fines up to $2,500 per incident plus potential criminal liability for unauthorized audio recording.

Does employee monitoring software comply with HIPAA?

Employee monitoring software complies with HIPAA when configured to prevent capture of protected health information (PHI). eMonitor supports screenshot blur, application exclusions, and role-based access controls that prevent PHI exposure in monitoring data. Healthcare employers should exclude EHR systems and patient portals from screen capture and restrict monitoring data access to authorized personnel.

Are there federal employee monitoring laws in the US?

The Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510-2522) is the primary federal statute governing workplace monitoring. The Stored Communications Act and Computer Fraud and Abuse Act provide additional federal protections. No comprehensive federal employee monitoring law exists, leaving states to fill gaps with their own notification, consent, and penalty requirements.

How do employee monitoring laws apply to remote workers?

Remote employee monitoring follows the laws of the state where the employee physically works, not the employer's headquarters state. A Texas company with remote employees in New York must comply with New York's notification law for those employees. Multi-state employers benefit from applying the strictest applicable standard across the entire workforce to simplify compliance.

Can employees sue their employer for monitoring them?

Employees can bring common law invasion-of-privacy claims in all 50 states if monitoring exceeds reasonable boundaries. In states with specific statutes (Illinois BIPA, California CIPA), statutory damages provide additional legal avenues. In states without specific monitoring laws, employees rely on the reasonable expectation of privacy standard established in case law. Written policies and limited monitoring scope are the best defenses against litigation.

What is the difference between one-party and two-party consent?

One-party consent means only one participant in a conversation must agree to recording; the employer qualifies as a party. Two-party (all-party) consent means every participant must agree before recording begins. Eleven US states plus D.C. require two-party consent for audio recording. This distinction affects audio monitoring features but does not apply to screen monitoring, app tracking, or keystroke logging.

Built for Compliance, Configured for Your State

eMonitor gives you configurable monitoring levels, work-hours-only tracking, employee-facing dashboards, and screenshot blur for sensitive data. Set up a compliant monitoring program in under two minutes.

Starts at $4.50/user/month. 7-day free trial. No credit card required.

Sources

  • Electronic Communications Privacy Act of 1986, 18 U.S.C. 2510-2522
  • American Management Association, "Electronic Monitoring and Surveillance Survey," 2024
  • Bureau of Labor Statistics, "Current Population Survey: Telework Statistics," 2025
  • National Conference of State Legislatures, "Biometric Data Privacy Laws," 2025
  • Seyfarth Shaw LLP, "BIPA Class Action Tracker," 2025
  • Bloomberg Law, "Biometric Privacy Litigation Report," 2024
  • Littler Mendelson, "Annual Employer Survey: Workplace Privacy Trends," 2024
  • Fraser v. Nationwide Mutual Insurance Co., 352 F.3d 107 (3d Cir. 2003)
  • Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. 2023)