Compliance Guide — United States
Multi-State Employee Monitoring Compliance: A 50-State Employer Framework
Multi-state employee monitoring compliance is the practice of designing and operating an employee monitoring program that satisfies the electronic monitoring notice laws, audio recording consent requirements, and biometric data regulations of every US state where the employer has workers. The patchwork of state laws creates compliance traps that catch employers off guard, particularly in the remote work era where a worker's location determines which law applies. This guide maps all three tiers of state law for 2026 and shows how to build one policy that works everywhere.
Why Multi-State Employee Monitoring Compliance Is a Trap
Multi-state employee monitoring compliance requires employers to navigate three distinct categories of state law simultaneously: statutes that require advance written notice before monitoring begins, statutes that require all parties to consent before any telephone or voice call is recorded, and statutes that specifically regulate biometric identifiers collected through monitoring technology. An employer operating only in one state needs to master one set of rules. An employer with workers in ten states faces combinations of these three tiers that interact in ways no single tool or template can automatically resolve.
The compliance trap intensifies with remote work. Before 2020, most employers had workers concentrated in the states where the employer's offices were located. Today, a company headquartered in Texas with no state electronic monitoring notice law may have remote workers in Connecticut (mandatory notice law), Michigan (all-party audio consent), Illinois (BIPA biometric requirements), and California (constitutional privacy right plus all-party consent for in-person recording). That Texas employer must comply with all four state frameworks simultaneously, even though Texas imposes none of these requirements on its own employers.
The determining factor in every case is the employee's physical location at the time of monitoring, not the employer's state of incorporation or headquarters. This geographic dependency makes state-mapping the first essential step of any multi-state monitoring program.
The "Most Restrictive State" Rule
When an employer's workforce spans multiple states with different monitoring laws, the practical compliance standard is to identify the most restrictive requirement in each category (notice, audio consent, biometric) and apply it universally. A monitoring notice that satisfies Connecticut's prescriptive statutory requirements will also satisfy every other state's less prescriptive notice standards. A call recording system that obtains all-party consent satisfies both one-party and all-party consent states. A BIPA-compliant biometric consent process satisfies every other state's biometric requirements. Building to the strictest standard in each category creates a single universal policy that works everywhere.
The Three Tiers of State Employee Monitoring Law
State employee monitoring law organizes into three distinct tiers based on the type of monitoring activity regulated and the compliance obligation imposed. Understanding which tier applies to each state simplifies the analysis considerably.
Tier 1: Electronic Monitoring Notice Laws
Tier 1 states require employers to provide advance written notice to employees before monitoring their electronic communications or computer activity. The notice must typically describe the types of monitoring conducted, the systems and devices subject to monitoring, and the employer's right to access monitored communications. Tier 1 states include Connecticut (Conn. Gen. Stat. Section 31-48d), Delaware (Del. Code Title 19 Section 705), New York (N.Y. Civil Rights Law Section 52-c, effective 2022), and Washington State (SHB 1672, effective 2024).
Connecticut's law is the oldest and most detailed, requiring employers to provide prior written notice that specifies the types of monitoring the employer may engage in. Delaware's law is similar in structure. New York's law adds a requirement that employers post the notice in the workplace and file a notice with the New York Department of Labor for entities with 25 or more employees. Washington's SHB 1672, the newest major Tier 1 law, requires notice at the time of hiring and whenever monitoring practices change.
Tier 2: All-Party Audio Consent States
Tier 2 states require all parties to a telephone or in-person conversation to consent before any recording is made. Violating all-party consent requirements creates criminal exposure in addition to civil liability. All-party consent states as of 2026 include California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. Note that several states appear in both Tier 1 and Tier 2, creating a combined obligation for employers with workers in those states.
All-party consent states are the most dangerous tier for employers because violations typically carry criminal penalties. California's Penal Code Section 632 makes unauthorized recording a wobbler offense (misdemeanor or felony). Nevada's NRS 200.620 makes it a Category D felony. Pennsylvania's Wiretapping and Electronic Surveillance Control Act creates felony exposure. Employers who configure call recording tools under their home state's one-party consent standard and then hire workers in all-party consent states create serious criminal risk.
Tier 3: Biometric-Specific Laws
Tier 3 states regulate the collection, storage, and use of biometric identifiers through monitoring technology. Biometric identifiers include facial geometry (captured by facial recognition monitoring), fingerprints (captured by biometric time clocks), voiceprints (captured by AI-powered call monitoring), retina scans, and hand geometry. Tier 3 states include Illinois (BIPA, effective 2008), Texas (CUBI, effective 2009), Washington (effective 2017), and several states with emerging legislation.
Illinois BIPA is the most consequential biometric law for employers because it includes a private right of action allowing any person aggrieved by a BIPA violation to sue for $1,000 per negligent violation and $5,000 per intentional or reckless violation. Class action BIPA litigation against employers who use facial recognition timekeeping, AI-powered surveillance, and voice recognition monitoring has generated hundreds of millions of dollars in settlements. No other biometric law has generated comparable litigation exposure.
50-State Employee Monitoring Law Matrix (2026)
The table below maps every US state and territory to its applicable monitoring law tier. States marked with multiple tiers require compliance with each applicable tier simultaneously.
| State | Tier 1: Electronic Notice | Tier 2: All-Party Audio | Tier 3: Biometric | Notes |
|---|---|---|---|---|
| Alabama | No | One-party | No | Follows federal ECPA floor |
| Alaska | No | One-party | No | Follows federal ECPA floor |
| Arizona | No | One-party | No | Follows federal ECPA floor |
| Arkansas | No | One-party | No | Follows federal ECPA floor |
| California | Practical notice req. | All-party | Emerging | Constitutional privacy right; CPRA employee rights; Penal Code 632 |
| Colorado | No | One-party | No | CPA does not exempt employee data |
| Connecticut | Yes | All-party | No | Conn. Gen. Stat. 31-48d; both Tier 1 and Tier 2 |
| Delaware | Yes | One-party | No | Del. Code Title 19 Sec. 705 |
| Florida | No | All-party | No | Fla. Stat. 934.03 |
| Georgia | No | One-party | No | Follows federal ECPA floor |
| Hawaii | No | One-party | No | Follows federal ECPA floor |
| Idaho | No | One-party | No | Follows federal ECPA floor |
| Illinois | No | All-party | BIPA | Both Tier 2 and Tier 3; BIPA private right of action |
| Indiana | No | One-party | No | Follows federal ECPA floor |
| Iowa | No | One-party | No | Follows federal ECPA floor |
| Kansas | No | One-party | No | Follows federal ECPA floor |
| Kentucky | No | One-party | No | Follows federal ECPA floor |
| Louisiana | No | One-party | No | Follows federal ECPA floor |
| Maine | No | One-party | No | Maine Privacy Act has limited employee scope |
| Maryland | No | All-party | No | Md. Code Ann., Cts. & Jud. Proc. 10-402 |
| Massachusetts | No | All-party | No | Mass. Gen. Laws Ch. 272 Sec. 99 |
| Michigan | No | All-party | No | Mich. Comp. Laws 750.539c |
| Minnesota | No | One-party | No | Pending biometric legislation as of 2026 |
| Mississippi | No | One-party | No | Follows federal ECPA floor |
| Missouri | No | One-party | No | Follows federal ECPA floor |
| Montana | No | All-party | No | Mont. Code Ann. 45-8-213 |
| Nebraska | No | One-party | No | Follows federal ECPA floor |
| Nevada | No | All-party | No | NRS 200.620; Class D felony for violations |
| New Hampshire | No | All-party | No | RSA 570-A:2 |
| New Jersey | No | One-party | No | Follows federal ECPA floor |
| New Mexico | No | One-party | No | Follows federal ECPA floor |
| New York | Yes | One-party | NYC local biometric ord. | N.Y. Civil Rights Law 52-c; NYC local law for commercial biometrics |
| North Carolina | No | One-party | No | Follows federal ECPA floor |
| North Dakota | No | One-party | No | Follows federal ECPA floor |
| Ohio | No | One-party | No | Follows federal ECPA floor |
| Oklahoma | No | One-party | No | Follows federal ECPA floor |
| Oregon | No | All-party | No | ORS 165.540; pending biometric legislation |
| Pennsylvania | No | All-party | No | 18 Pa. C.S. Sec. 5703; felony violations |
| Rhode Island | No | One-party | No | Follows federal ECPA floor |
| South Carolina | No | One-party | No | Follows federal ECPA floor |
| South Dakota | No | One-party | No | Follows federal ECPA floor |
| Tennessee | No | One-party | No | Follows federal ECPA floor |
| Texas | No | One-party | CUBI | Tier 3 biometric law; CUBI covers capture or use of biometric identifiers |
| Utah | No | One-party | No | Follows federal ECPA floor |
| Vermont | No | One-party | No | Follows federal ECPA floor |
| Virginia | No | One-party | No | VCDPA does not exempt employee data; limited scope |
| Washington | Yes | All-party | Yes | SHB 1672; all three tiers; RCW 9.73.030 audio consent |
| West Virginia | No | One-party | No | Follows federal ECPA floor |
| Wisconsin | No | One-party | No | Follows federal ECPA floor |
| Wyoming | No | One-party | No | Follows federal ECPA floor |
This table reflects statutory law as of April 2026. Pending legislation in several states may change these classifications during 2026. Always verify current state law or consult employment counsel before finalizing your monitoring policy.
Deep Dive: The Strictest State Monitoring Frameworks
A handful of states create disproportionately high compliance risk and deserve detailed analysis. Multi-state employers should master these frameworks first, because satisfying the strictest states creates a policy that works everywhere else.
Washington State: SHB 1672 and RCW 9.73.030
Washington State has created the most comprehensive multi-tier monitoring framework among US states. SHB 1672 (effective 2024) requires employers to provide written notice at the time of hire describing the types of monitoring technology used, what data is collected, and how it is used. The notice must be updated whenever monitoring practices change materially. Washington's audio consent law, RCW 9.73.030, requires all-party consent for recording private communications. Washington's biometric law (RCW 19.375) requires informed consent before collecting biometric data and mandates data retention schedules and deletion policies. An employer with even one Washington-based employee must satisfy all three tiers simultaneously.
Connecticut: The Original Electronic Monitoring Notice State
Connecticut enacted the first electronic monitoring notice statute in the United States under Conn. Gen. Stat. Section 31-48d. The statute requires employers to give prior written notice to employees before monitoring their electronic transmissions, including telephone calls, computer usage, internet activity, and email. The notice must describe the types of monitoring the employer may conduct. Connecticut is also an all-party consent state for telephone recording, creating a combined Tier 1 and Tier 2 compliance obligation. Civil penalties for violating Section 31-48d include fines of $500 for the first offense, $1,000 for the second offense, and $3,000 for each subsequent offense.
New York: Mandatory Filing and Posted Notice
New York's electronic monitoring law (N.Y. Civil Rights Law Section 52-c, effective May 7, 2022) requires employers with employees in New York to: (1) provide prior written notice to employees before monitoring telephone, email, or internet activity on employer systems; (2) obtain employee acknowledgment of the notice in writing or electronically; and (3) post the notice in a conspicuous place in the workplace. Employers with 25 or more New York employees must also file the notice with the New York Department of Labor. Violations carry civil penalties of $500 for the first offense, $1,000 for the second offense, and $3,000 for subsequent offenses. New York is a one-party consent state for telephone recording, so audio consent is not an additional requirement.
California: Constitutional Privacy and Practical Notice
California's monitoring framework derives from Article I, Section 1 of the California Constitution, which establishes a fundamental right to privacy that courts have interpreted to protect employees from unreasonably invasive monitoring. Penal Code Section 632 makes confidential communication recording without all-party consent punishable as a wobbler offense (misdemeanor or felony). The California Privacy Rights Act (CPRA, effective January 2023) grants employees rights to know what personal information is collected, to request deletion, and to opt out of certain uses of personal information. While California does not have a specific statute prescribing the form of monitoring notice, practical compliance requires written disclosure before monitoring begins.
Illinois: BIPA's Private Right of Action
Illinois BIPA (740 ILCS 14) is the most consequential biometric law in the United States for employers who use facial recognition, fingerprint scanning, or voice biometrics in their monitoring or timekeeping systems. BIPA requires employers to: obtain written, informed consent before collecting biometric identifiers; publish a retention schedule and destruction guidelines for biometric data; and prohibit the sale or profit from biometric data. BIPA's private right of action allows any affected person to sue for $1,000 per negligent violation or $5,000 per intentional or reckless violation. BIPA class action settlements have totaled over $2 billion across all industries since the statute's enactment. The 2023 amendment clarified that each photograph, scan, or collection constitutes a separate violation, significantly increasing potential exposure.
Michigan: All-Party Consent With Criminal Penalties
Michigan's eavesdropping statutes (Mich. Comp. Laws Section 750.539c) require all-party consent for recording private conversations. Michigan courts have applied this statute to telephone calls, in-person meetings, and video conferences that include voice. Violations are felonies under Michigan law. Michigan does not have a Tier 1 electronic monitoring notice statute, but the all-party consent requirement for audio recording creates significant exposure for employers deploying call recording or meeting recording tools to Michigan-based remote workers. Michigan's monitoring law is discussed in detail in our dedicated state guide.
Nevada: Class D Felony for Recording Without Consent
Nevada's NRS 200.620 requires all-party consent for recording telephone and wire communications, with violations classified as Class D felonies carrying one to four years in state prison. Nevada's monitoring law is particularly significant for employers because Nevada has become a major destination for remote workers relocating from California and other states. Nevada does not have a Tier 1 electronic monitoring notice statute, but the criminal exposure from NRS 200.620 violations makes Nevada's monitoring framework one of the highest-risk in the country for employers using call recording tools. Nevada's monitoring law is discussed in detail in our Nevada state guide.
How to Build a Multi-State Compliant Monitoring Policy in 6 Steps
A universal monitoring policy built to the most restrictive state standard is the most practical solution for multi-state employers. The following six-step process creates a policy that satisfies all three tiers across all 50 states.
- Map your workforce to states. Identify every state where you currently have employees or contractors, including remote workers who may have relocated since their hire date. Remote work relocation is common and frequently undisclosed: build a policy update process that captures state changes when employees move. Classify each state using the three-tier matrix above.
- Identify the most restrictive standard in each tier. For Tier 1, Connecticut's and New York's prescriptive requirements are the strictest. For Tier 2, any all-party consent state requirement satisfies all-party consent states. For Tier 3, Illinois BIPA is the strictest biometric standard. These three standards become the baseline for your universal policy.
- Draft a written monitoring notice meeting Connecticut and New York standards. The notice must describe the types of monitoring conducted (electronic communications, computer activity, internet usage, telephone calls), the systems and devices subject to monitoring, and the employer's right to access monitored data. Obtain written or electronic acknowledgment from every employee. Post the notice in the workplace and, for New York employers with 25+ employees, file with the New York Department of Labor.
- Configure call recording for all-party consent universally. Implement an automated announcement at the start of every recorded call. The announcement must identify that the call may be recorded and give all parties an opportunity to disconnect if they do not consent. This satisfies all-party consent states' requirements and creates a defensible record. Apply this configuration globally, not just for calls with employees in all-party consent states, because the caller's state is not always knowable in advance.
- Address biometric data with BIPA-compliant consent. For any monitoring tool that collects biometric identifiers, obtain written, informed consent from each employee before collecting biometric data. Publish a biometric data retention and destruction schedule. If your monitoring program does not use facial recognition, fingerprint, voice recognition, or similar biometrics, this step may not apply, but verify this with each monitoring tool's vendor before concluding biometric data is not collected.
- Establish a state-change update and legislative monitoring process. Remote workers relocate. State laws change. Assign someone in HR or legal to track state monitoring law changes quarterly and update the monitoring policy when material changes occur. Build a process to capture employee state changes when relocation occurs and deliver updated monitoring notices to relocated employees before monitoring resumes in their new state.
How eMonitor Supports Multi-State Monitoring Compliance
eMonitor's architecture eliminates the most dangerous multi-state compliance exposure by focusing on computer activity monitoring rather than telephone call recording. eMonitor captures screen activity, application usage, URL visits, idle time, and work-session data on employer-owned devices without intercepting or recording telephone or voice call audio. This keeps eMonitor's core monitoring features entirely outside Tier 2 all-party consent requirements.
Transparent Monitoring That Supports Tier 1 Compliance
eMonitor provides employee-facing dashboards where employees see their own monitoring data. This transparency creates a practical record that employees are aware of the monitoring, which supports the notice requirements of Connecticut, Delaware, New York, and Washington State. Combined with eMonitor's policy acknowledgment tracking, employers maintain a digital audit trail showing that every employee received, reviewed, and acknowledged the monitoring disclosure before monitoring began.
Configurable Monitoring Scope by Location
eMonitor allows administrators to configure different monitoring settings for different teams or locations. Employers can apply lighter monitoring configurations to employees in states with stricter privacy frameworks and more detailed configurations to employees in states with minimal restrictions, all within a single platform. This configurability supports the state-specific policy differentiation that sophisticated multi-state compliance programs require.
Work-Hours-Only Monitoring Boundary
eMonitor monitors only during active work sessions, not during personal time or off-hours. Monitoring confined to work hours and employer-owned systems satisfies the "legitimate business purpose" test applied by courts across all three tiers of state monitoring law. Unrestricted monitoring that bleeds into personal time is the most common trigger for successful privacy litigation in multi-state contexts.
Multi-State Employee Monitoring Compliance: Frequently Asked Questions
Which US states have electronic monitoring notice laws?
As of 2026, Connecticut, Delaware, New York, and Washington State have enacted statutes requiring employers to provide advance written notice before monitoring employees' electronic communications and computer activity. Connecticut's law (Conn. Gen. Stat. Section 31-48d) is the oldest. New York's law (N.Y. Civil Rights Law Section 52-c, effective 2022) added a workplace posting requirement and a filing obligation for employers with 25 or more employees. Washington's SHB 1672 (effective 2024) requires notice at hire and when monitoring practices change.
What is the strictest state employee monitoring law?
California is widely considered the strictest state for employee monitoring due to its constitutional right to privacy, all-party consent requirement under Penal Code Section 632, and CPRA employee data rights. Illinois is the highest-risk state for biometric monitoring due to BIPA's private right of action and per-violation statutory damages of $1,000 to $5,000. Multi-state employers should use California and Illinois requirements as their policy baseline.
Do I need to follow state monitoring laws if I am based in a different state?
Yes. State employee monitoring laws apply based on where the employee is physically located at the time of monitoring, not where the employer is headquartered. An employer based in Texas with remote workers in Connecticut must comply with Connecticut's electronic monitoring notice law. An employer based in a one-party consent state with workers in an all-party consent state must obtain all-party consent for recorded calls involving those workers.
What states require all-party consent for audio recording?
All-party consent states as of 2026 include California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. These states require every party to a telephone or in-person conversation to consent before recording begins. Employers with workers in any of these states must configure call recording systems to capture all-party consent, regardless of the employer's home state law.
Which states have biometric monitoring laws?
Illinois BIPA (Biometric Information Privacy Act) is the most expansive biometric law, with a private right of action and per-violation damages of $1,000 to $5,000. Texas CUBI (Capture or Use of Biometric Identifier Act) and Washington's biometric law impose similar restrictions without a private right of action. New York City's local biometric ordinance covers commercial biometric identifier use. Several states including Maryland, Massachusetts, and Minnesota have introduced biometric legislation as of 2026.
Does federal law preempt state employee monitoring laws?
No. The federal Electronic Communications Privacy Act (ECPA) sets minimum standards but expressly preserves more protective state laws. States may enact stricter requirements than federal law, and employers must comply with both the federal standard and any more restrictive state standard applicable to each employee's location. There is no federal statute that preempts state all-party consent laws, electronic monitoring notice requirements, or biometric regulations.
What is the safest monitoring notice approach for multi-state employers?
The safest approach is to apply the most restrictive state standard universally. Draft a written monitoring notice satisfying Connecticut's and New York's prescriptive statutory requirements, configure call recording to obtain all-party consent, and obtain BIPA-compliant consent for any biometric data collection in Illinois. Apply this universal policy to every employee regardless of state. This single-policy approach eliminates the risk of missing a state-specific requirement and simplifies compliance as the workforce grows into new states.
Does California have an employee monitoring notice law?
California does not have a specific statute requiring advance written notice of electronic computer monitoring in the same form as Connecticut or Delaware. However, California's constitutional right to privacy and Penal Code Section 632 create practical notice obligations. The California Privacy Rights Act (CPRA) grants employees rights to know what personal information is collected, which effectively requires monitoring disclosure. Employers monitoring California workers without clear written notice face both statutory and constitutional liability exposure.
How do I manage different monitoring policies for different states?
Multi-state employers have two options: a universal policy built to the most restrictive standard (simpler to administer), or a state-specific policy matrix with different disclosures and consent forms by state (more precise but administratively complex). Most employment attorneys recommend the universal approach because it eliminates the risk of misclassifying a worker's state, simplifies expansion into new states, and is easier to audit. The additional administrative burden of a state-specific matrix rarely justifies the precision benefit for employers with fewer than 500 employees.
How does eMonitor support multi-state monitoring compliance?
eMonitor supports multi-state compliance through computer activity monitoring that does not capture telephone call audio, keeping employers outside Tier 2 all-party consent requirements. Transparent employee dashboards document overt monitoring for Tier 1 notice purposes. Policy acknowledgment tracking creates a digital record of employee notice. Configurable monitoring scope settings allow different monitoring levels for employees in different states, all within a single administrative console.
Related Compliance Resources
Washington State
SHB 1672, RCW 9.73.030, and Washington's three-tier monitoring framework.
Learn more →New York
N.Y. Civil Rights Law Section 52-c: the mandatory notice filing requirement.
Learn more →California
Constitutional right to privacy, Penal Code 632, and CPRA employee rights.
Learn more →