Acceptable Use Policy Template with Employee Monitoring Clause (2026 Edition)

An acceptable use policy template with monitoring is a legal document that outlines permitted and prohibited employee computer and device usage, includes monitoring disclosure and consent language, and satisfies ECPA, GDPR, and state-specific notice requirements including Connecticut, New York, Delaware, and California. This page provides a complete, copy-ready AUP template plus jurisdiction-specific commentary explaining why each clause exists and what the legal risk is without it.

Why Does an AUP Need a Dedicated Monitoring Clause?

Most generic acceptable use policy templates cover permitted and prohibited computer uses, but omit the monitoring disclosure that transforms an AUP from a usage policy into a legally defensible monitoring notice. That omission creates a specific legal gap: courts have held that employers who monitor activities not explicitly described in advance may face privacy tort claims even on company-owned systems.

The Electronic Communications Privacy Act (ECPA) permits employer monitoring on company networks with a legitimate business purpose, but places the evidentiary burden on the employer to demonstrate that employees had advance notice. A written AUP with a monitoring clause is the most direct way to satisfy that burden. According to a 2025 Littler Mendelson survey, 61% of employment attorneys reported that the absence of a written monitoring policy was a contributing factor in at least one client lawsuit in the prior 24 months.

For EU employers, GDPR Article 13 requires that organizations inform employees about automated processing activities at the time data is first collected. Article 88 permits member states to set more specific rules for employee data, which most EU countries have done through works council consultation requirements, Data Protection Impact Assessment (DPIA) obligations, and proportionality constraints. An AUP with a monitoring clause that addresses Article 13 disclosure satisfies the transparency requirement that underpins most EU monitoring enforcement actions.

The template on this page is designed to cover both frameworks in a single document, with jurisdiction-specific commentary guiding employers on where to add or modify language based on where their employees work.

How to Customize and Deploy This Template in 5 Steps

This AUP template is structured to be customized in under one hour by an HR professional or legal team. The five-step process below walks through each customization point and the decisions you need to make at each stage.

Step 1: Identify Your Jurisdiction Layers

Before editing a single word, map your jurisdiction obligations. US employers start with ECPA as the federal floor, then check state law. If you have employees in Connecticut, New York, or Delaware, you have mandatory written notice requirements that must appear in the document verbatim. If you have EU or UK employees, GDPR (or UK GDPR) governs your disclosure obligations.

Use this checklist before opening the template:

  • Do you have employees in Connecticut, New York, or Delaware? (Mandatory state notice language required)
  • Do you have California employees? (CPRA Notice at Collection required)
  • Do you have EU or UK employees? (GDPR Article 13 disclosure required)
  • Are any employees subject to a collective bargaining agreement? (Union addendum required)
  • Do employees use personal devices for work? (BYOD monitoring clause required)

Step 2: Customize the Scope Section

Replace every instance of [ORGANIZATION NAME] with your legal entity name. Then decide whether the policy covers company-owned devices only, or extends to personal devices used for work. If personal devices are in scope, the BYOD monitoring language in Section 4 of the template applies. For organizations using app and website tracking on mixed device environments, be explicit about which data is collected on personal devices versus company devices.

Step 3: Complete the Monitoring Activities List

Section 4 of the template (the monitoring disclosure) requires you to check every monitoring method your organization actually uses. Do not list monitoring activities you do not conduct. Over-disclosure is not a problem, but monitoring activities not listed in the policy are a legal risk. Common monitoring types to include:

  • Application usage tracking (which apps are open and for how long)
  • Website visit logs (URLs visited on company networks or devices)
  • Email metadata on company email accounts (sender, recipient, timestamp, subject line)
  • Screenshot capture (frequency: continuous, on-demand, or triggered)
  • Time tracking and idle time detection
  • File access and transfer logs on company systems
  • Network traffic metadata on company networks

For a full list of what eMonitor tracks and how it is configured, see the features overview.

Step 4: Insert Jurisdiction-Specific Consent Language

The template includes placeholder brackets for state-specific language. For Connecticut employees, insert the notice required by Conn. Gen. Stat. Section 31-48d. For New York employees, insert the SWEM Act notice under Labor Law Section 52-c. For EU employees, insert the GDPR Article 13 lawful basis statement. The legal commentary in each section of this guide explains exactly what language is required and where it goes.

Step 5: Distribute, Collect Signatures, and File

Distribute the finalized policy to all current employees and collect signed acknowledgment forms before activating any monitoring tools. For new hires, include the AUP in the onboarding packet and collect the signature on Day 1, before system access is granted. Store signed acknowledgment forms in personnel files. Some state statutes (Connecticut, New York) require that you retain proof of notice; a signed acknowledgment is the standard proof. See the monitoring implementation checklist for a complete deployment sequence.

Complete Acceptable Use Policy Template with Monitoring Clause

The following template is ready to copy, customize, and distribute. Every section includes a brief legal commentary note (in italics, inside brackets) explaining the legal purpose of that section. Remove all commentary notes before distributing the final document to employees.

ACCEPTABLE USE POLICY — ELECTRONIC SYSTEMS AND EMPLOYEE MONITORING

[ORGANIZATION NAME]
Policy Number: [XXX-XX]
Effective Date: [DATE]
Last Revised: [DATE]
Approved By: [NAME, TITLE]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 1: SCOPE AND PURPOSE

1.1 Purpose

This Acceptable Use Policy ("Policy") establishes the rules governing employee
use of electronic systems, devices, and networks owned or operated by
[ORGANIZATION NAME] ("Company"). It also provides advance notice of the
Company's electronic monitoring practices on Company systems.

[Legal note: Stating "advance notice of monitoring" in the purpose section
establishes that the document serves as monitoring notice, which satisfies
ECPA's notification requirement and state statutes in Connecticut, New York,
and Delaware that require written notice before electronic monitoring begins.]

1.2 Scope

This Policy applies to:
  (a) All employees, contractors, consultants, temporary workers, and
      other personnel ("Covered Persons") who access Company systems.
  (b) All devices, networks, servers, applications, email accounts,
      and communication platforms owned, leased, or operated by the Company
      ("Company Systems"), whether accessed from a Company facility, a
      remote location, or while traveling.
  (c) Any personal device used to access Company Systems, Company email
      accounts, or Company data networks ("Personal Devices").

[Legal note: Explicitly including personal devices in scope is critical if
you conduct any monitoring on BYOD devices. Monitoring a personal device
that is not listed in scope exposes the Company to wiretapping claims under
ECPA Title I. If you do not monitor personal devices at all, remove clause (c).]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 2: PERMITTED USES OF COMPANY SYSTEMS

Covered Persons may use Company Systems for:

  (a) Conducting work directly related to their job duties and responsibilities.
  (b) Limited personal use that does not interfere with work performance,
      violate this Policy, or consume excessive Company resources.
  (c) Professional development activities approved by a manager or HR.
  (d) Communications necessary to perform job functions.

[Legal note: Explicitly permitting limited personal use is recommended because
it prevents employees from arguing that any personal use on a company device
constitutes a waiver of the employer's right to monitor. Courts have held that
allowing some personal use does not eliminate the employer's monitoring rights
when a clear written policy is in place.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 3: PROHIBITED USES OF COMPANY SYSTEMS

Covered Persons may NOT use Company Systems for:

  (a) Accessing, downloading, storing, or transmitting content that is
      sexually explicit, obscene, harassing, or discriminatory.
  (b) Engaging in activities that violate federal, state, or local law,
      including unauthorized copying or distribution of copyrighted material.
  (c) Installing unauthorized software, applications, or browser extensions
      on Company devices without IT department approval.
  (d) Sharing, transferring, or storing Company confidential information
      on personal cloud storage, personal email, or unapproved third-party
      platforms.
  (e) Accessing or attempting to access systems, networks, or data for
      which the Covered Person has not been granted authorization.
  (f) Conducting outside business activities or self-employment on Company
      time or using Company resources.
  (g) Gambling, gaming, or streaming entertainment content during work hours
      unless expressly approved by a manager for business purposes.
  (h) Accessing or using Company Systems in a manner intended to circumvent
      monitoring, logging, or security controls (including use of VPNs,
      proxy servers, or anonymization tools not approved by IT).
  (i) Sending communications that are threatening, defamatory, or that
      constitute workplace harassment.
  (j) Using Company accounts or systems to engage in political activity,
      campaigning, or fundraising unrelated to Company-approved programs.

[Legal note: Clause (h) prohibiting circumvention of monitoring tools is
important for organizations that have experienced employees using VPNs or
browser extensions to avoid detection. Making circumvention a policy violation
subjects it to disciplinary action independent of what the underlying behavior was.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 4: MONITORING DISCLOSURE AND NO EXPECTATION OF PRIVACY

4.1 Monitoring Disclosure

THE COMPANY RESERVES THE RIGHT TO MONITOR, ACCESS, REVIEW, AUDIT, AND
DISCLOSE ALL ACTIVITY, COMMUNICATIONS, AND DATA TRANSMITTED, STORED, OR
ACCESSED ON COMPANY SYSTEMS. EMPLOYEES HAVE NO EXPECTATION OF PRIVACY WITH
RESPECT TO THEIR USE OF COMPANY SYSTEMS.

Monitoring includes but is not limited to:

  (a) Application usage: which applications are open, active, or idle,
      and the duration of use for each application.
  (b) Website visits: URLs visited during work hours on Company devices
      or Company networks, including browsing history and search queries
      made through Company accounts.
  (c) Email communications: metadata (sender, recipient, timestamp, subject
      line) and content of email sent or received on Company email accounts.
      [Note: Remove "and content" if your organization does not read email
      content, only metadata. Accuracy is required.]
  (d) Screen activity: periodic or continuous screenshots or screen recordings
      captured on Company devices during work hours.
      [Remove this item if you do not use screenshot monitoring.]
  (e) Time tracking: records of active work time, idle time, login and logout
      times, and application focus time used for payroll and productivity
      analysis.
  (f) File access and transfers: logs of files accessed, created, modified,
      deleted, or transferred on Company systems or to external storage.
  (g) Network traffic: metadata of network activity on Company networks,
      including connection logs and bandwidth usage.
      [Note: This covers network metadata, not content of encrypted traffic,
      unless your organization uses a TLS inspection proxy. Adjust accordingly.]
  (h) Keyboard and mouse activity: aggregate activity metrics indicating
      whether a device is in active use. [Remove if not applicable.]

4.2 Scope of Monitoring

Monitoring is conducted on Company-owned or Company-operated systems only,
during established work hours. The Company does not intentionally monitor
personal devices, personal email accounts, personal social media accounts,
or off-duty activities on personal networks, except where Personal Devices
are used to access Company Systems or Company accounts.

[Legal note: This scope limitation is important under GDPR (proportionality
under Article 5(1)(c)) and under US state law frameworks that require
monitoring to be reasonably related to a legitimate business purpose.
Do not remove this limitation; it demonstrates proportionate monitoring.]

4.3 Purpose of Monitoring

The Company conducts electronic monitoring for the following legitimate
business purposes:

  (a) Protecting confidential Company information and trade secrets from
      unauthorized disclosure or exfiltration.
  (b) Ensuring compliance with applicable laws, regulations, and industry
      standards (including HIPAA, SOX, PCI-DSS, and applicable state laws,
      as relevant to the Company's operations).
  (c) Maintaining the security and integrity of Company networks, systems,
      and data against malware, intrusion, and unauthorized access.
  (d) Verifying accurate recording of work hours for payroll, billing,
      and compliance purposes.
  (e) Measuring and managing employee productivity in accordance with
      performance management practices.
  (f) Investigating alleged violations of this Policy or other Company
      policies.

[Legal note: Listing specific business purposes is required under GDPR
Article 13(1)(c) and is recommended for US employers to establish legitimate
business purpose under ECPA. Courts evaluate whether monitoring is
proportionate to its stated purpose. Vague justifications ("to improve
operations") are regularly challenged in litigation.]

4.4 Data Retention

Monitoring data is retained for [INSERT RETENTION PERIOD, e.g., 90 days]
for routine productivity monitoring. Data associated with open investigations,
litigation holds, or regulatory inquiries is retained until the matter is
resolved. Data is stored on secure Company or third-party servers with
access restricted to authorized personnel only.

[Legal note: GDPR Article 5(1)(e) requires that personal data not be kept
longer than necessary. Specifying a retention period in the policy satisfies
this requirement. For US employers, retention periods should be consistent
with your litigation hold policy and any applicable industry regulations.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 5: CONSENT AND ACKNOWLEDGMENT

5.1 Consent

By accessing Company Systems, each Covered Person acknowledges that they
have read, understood, and agreed to the terms of this Policy, including
the monitoring practices described in Section 4. Use of Company Systems
after distribution of this Policy constitutes implied consent to monitoring
as described herein.

5.2 State-Specific Notice (US Employees)

  Connecticut Employees: Pursuant to Conn. Gen. Stat. Section 31-48d, the
  Company is required to provide advance written notice that it may monitor
  electronic devices and systems. This Policy constitutes that written notice.
  A copy of this notice will be posted in a conspicuous location at the
  Company's Connecticut workplaces.

  New York Employees: Pursuant to New York Labor Law Section 52-c (SWEM Act,
  effective May 7, 2022), the Company provides notice that it monitors
  telephone conversations, email, and internet access or usage on Company
  systems. This Policy constitutes written notice as required by the Act.
  New York employees will receive a separate written acknowledgment at the
  time of hire.

  Delaware Employees: Pursuant to 19 Del. C. Section 705, the Company
  provides advance notice that electronic monitoring of Company systems
  occurs. This Policy constitutes that notice. An electronic notice will
  also be displayed at the first login to Company systems.

  California Employees: Pursuant to the California Privacy Rights Act
  (CPRA), the Company provides this Notice at Collection describing the
  categories of personal information collected through monitoring, the
  business purpose for collection, and your rights under CPRA including
  the right to access, correct, and delete personal information.
  Contact [privacy@yourcompany.com] to exercise CPRA rights.

5.3 EU and UK Employee Notice (GDPR / UK GDPR)

  For employees subject to GDPR or UK GDPR, the Company processes
  monitoring data under the lawful basis of legitimate interests
  (Article 6(1)(f) of the GDPR) in protecting Company assets, maintaining
  network security, and managing workforce productivity, having conducted
  a Legitimate Interests Assessment (LIA). A Data Protection Impact
  Assessment (DPIA) has been completed where required by Article 35.

  EU and UK employees have the following rights regarding monitoring data:
    - Right of access (Article 15): request a copy of monitoring data held.
    - Right to restriction (Article 18): request processing be restricted
      in certain circumstances.
    - Right to object (Article 21): object to processing based on legitimate
      interests where personal circumstances justify it.

  Contact [dpo@yourcompany.com] or our Data Protection Officer for data
  subject rights requests.

[Legal note: GDPR Article 88 permits EU member states to adopt more specific
rules. Germany requires works council agreement before monitoring deployment
(Betriebsverfassungsgesetz). France requires CNIL notification. The Netherlands
requires works council consultation. If you have employees in these countries,
additional steps beyond this policy are required.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 6: VIOLATION CONSEQUENCES

Violations of this Policy may result in disciplinary action up to and
including termination of employment or the applicable service agreement.
The Company reserves the right to report violations to law enforcement
where the conduct may constitute criminal activity.

Specific violation tiers:

  Category A (Minor Violations): Informal counseling and written warning.
    Examples: Excessive personal use of social media during work hours;
    installing unauthorized browser extensions.

  Category B (Moderate Violations): Formal written warning or suspension.
    Examples: Accessing prohibited content; installing unauthorized software.

  Category C (Severe Violations): Immediate termination and possible
    legal referral.
    Examples: Attempting to circumvent monitoring controls; unauthorized
    transfer of Company confidential data; accessing systems without
    authorization.

Nothing in this Policy limits the Company's right to seek civil or criminal
remedies for violations that constitute theft, fraud, or computer crimes
under applicable law.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 7: POLICY UPDATES

The Company reserves the right to modify, suspend, or terminate this Policy
at any time. Material changes to the scope of monitoring or the categories
of data collected will be communicated to Covered Persons with at least
[INSERT NOTICE PERIOD, e.g., 14 days] advance notice, except where an
immediate change is required for security or legal reasons. Continued use
of Company Systems after a policy update constitutes acceptance of the
revised terms.

Policy Revision Log:
  Version 1.0 — [DATE] — Initial policy
  Version [X.X] — [DATE] — [Description of change]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 8: EMPLOYEE ACKNOWLEDGMENT SIGNATURE BLOCK

I, the undersigned, acknowledge that:

  1. I have received a copy of the [ORGANIZATION NAME] Acceptable Use Policy
     (Version [X.X], dated [DATE]).

  2. I have read and understand the Policy, including the monitoring
     disclosure in Section 4 stating that Company Systems are monitored
     and that I have no expectation of privacy on Company Systems.

  3. I understand that violations of this Policy may result in disciplinary
     action up to and including termination of employment.

  4. I understand that this Policy may be updated and that I will be
     notified of material changes.

  [For New York employees only:]
  I acknowledge receipt of the notice required by New York Labor Law
  Section 52-c (SWEM Act) that the Company monitors telephone conversations,
  email, and internet access or usage on Company systems.

Employee Full Name (print): ___________________________________

Employee Signature: ___________________________________

Date: ___________________________________

Employee ID / Personnel Number: ___________________________________

Department: ___________________________________

Manager Name: ___________________________________

HR Representative Signature: ___________________________________

Date Received by HR: ___________________________________

Legal Commentary: What Each Monitoring Clause Requires by Jurisdiction

The template above contains commentary notes explaining each clause. This section provides expanded legal context for the jurisdictions most commonly affecting US and EU employers deploying monitoring software.

US Federal: ECPA Compliance

The Electronic Communications Privacy Act (ECPA) permits employer monitoring of communications on company-provided equipment and networks when: (1) there is a legitimate business purpose, (2) the employee has been given advance notice (the "consent exception" under 18 U.S.C. Section 2511(2)(d)), and (3) monitoring is conducted consistently with the stated purpose. The monitoring disclosure in Section 4 of the template satisfies all three requirements. The critical ECPA risk is monitoring communications not listed in the policy: if your AUP says you monitor email but not screen activity, and you deploy screenshot capture, that undisclosed monitoring may fall outside the consent exception.

New York: SWEM Act (Labor Law Section 52-c)

New York's Stop Hacking and Improve Electronic Data Security (SHIELD) Act and the Workplace Electronic Monitoring Act (SWEM Act, effective May 7, 2022) require employers to provide prior written notice that they monitor telephone conversations, email, and internet access or usage on company systems. Employers must obtain a written acknowledgment from employees, which must be retained in personnel files. The acknowledgment block in Section 8 of the template satisfies this requirement. New York does not require the employer to specify exactly what monitoring data is collected, only that monitoring occurs and what systems are monitored.

Connecticut: Section 31-48d

Connecticut law requires employers to give prior written notice before monitoring and to post a notice in a conspicuous location in the workplace. The written notice must describe the types of monitoring that may occur. The template's Section 5.2 includes the required Connecticut notice language. Unlike New York, Connecticut does not require a signed acknowledgment, only that notice was given and posted. However, best practice is to collect signatures for all states.

California: CPRA Notice at Collection

Under the California Privacy Rights Act, employers must provide a Notice at Collection at or before the point of data collection. The notice must cover: categories of personal information collected, the purposes for which each category is used, whether the information is sold or shared, the retention period, and a link to the full privacy policy. For employee monitoring specifically, this means the AUP must include CPRA notice language if any California employees are subject to monitoring. The template's California section in Section 5.2 covers this requirement. For detailed GDPR and CPRA compliance guidance, see the GDPR employee monitoring compliance guide.

EU/UK: GDPR Article 13 and Article 88

GDPR Article 13 requires that when personal data is collected, the data controller provide the data subject with specific information at the time of collection, including: the identity of the controller, the lawful basis for processing, the purposes of processing, the retention period, and the data subject's rights. For employee monitoring, this information is most efficiently delivered through the AUP and an accompanying privacy notice. Most EU employment lawyers recommend using legitimate interests (Article 6(1)(f)) as the lawful basis rather than consent, because genuine consent in an employment relationship is rarely considered freely given due to the power imbalance. The template's EU section reflects this approach.

For a comprehensive international legal framework, see the employee monitoring legal guide for 2026.

What Is the Legal Risk Without a Monitoring Clause?

Without a monitoring clause in your AUP, the three most common legal risks are:

  1. ECPA claims: Employees who did not receive advance notice may claim that monitoring of their communications violated ECPA's wiretapping provisions, even on company devices.
  2. State statute violations: Employers with Connecticut, New York, or Delaware employees who lack written notice policies face civil penalties and regulatory enforcement under those states' electronic monitoring statutes.
  3. GDPR enforcement: EU employers without documented Article 13 disclosures face fines of up to 4% of annual global turnover and regulatory action by the relevant supervisory authority.

A written AUP with a monitoring clause costs one to two hours to implement. The cost of defending a single ECPA or GDPR claim typically exceeds $50,000 in legal fees before trial. For organizations deploying productivity monitoring software, the AUP is a prerequisite, not an afterthought.

What to Do After You Deploy the AUP

Deploying the AUP is the legal foundation. The monitoring program itself requires additional steps to ensure ongoing compliance. Here is the sequence organizations should follow after distributing and collecting signed acknowledgments.

Pair the AUP with a Consent Form

The AUP and the employee acknowledgment serve different functions. The AUP is the policy document. The signed acknowledgment form (Section 8 of the template) is the proof of notice. Some organizations use a standalone consent form as a separate one-page document for simplicity. The employee monitoring consent form template on this site provides a standalone version that references the AUP by name and version number.

Configure Your Monitoring Tool to Match the Policy

Every monitoring activity listed in your AUP must be active in your monitoring software configuration, and conversely, no monitoring activity should be active in the software that is not listed in the AUP. A mismatch between what the policy says and what the tool does is a legal liability. When configuring eMonitor features, use the AUP as a checklist: if screen capture is enabled, it must appear in Section 4.1(d). If it is not enabled, remove it from the template to avoid over-disclosure that creates confusion.

Communicate the Policy Before Activation

The monitoring communication plan template provides a step-by-step framework for notifying your workforce before monitoring tools go live. Communication best practice includes a manager briefing one week before launch, an all-hands or department-level communication three days before launch, and a FAQ document (using the employee FAQ template) distributed at the same time as the AUP.

Review and Update the AUP Annually

Employee monitoring law changes frequently at the state and federal level. The annual monitoring program review checklist includes a legal update review step covering new state statutes, federal agency guidance, and case law developments. Review the AUP at minimum once per year, and re-distribute to employees whenever monitoring scope, tools, or applicable law changes materially.

Frequently Asked Questions

What should an acceptable use policy include about employee monitoring?

An acceptable use policy with employee monitoring should include the scope of company systems covered, a complete list of monitoring activities (application usage, website visits, screenshots, time tracking, email), the business justification for monitoring, a monitoring disclosure statement removing expectation of privacy on company systems, consent acknowledgment language, violation consequences, and a signed employee acknowledgment block.

Does an AUP monitoring clause need to specify what data is collected?

Yes. An AUP monitoring clause should list every category of data collected, including application usage logs, website visit histories, screenshot frequency, email metadata on company accounts, time tracking records, and keyboard or mouse activity. Courts and regulators (especially under GDPR Article 13) require that employees are informed specifically about data categories, not just given a blanket monitoring statement.

Is an AUP legally required before deploying monitoring software?

A written AUP is legally required as advance notice in Connecticut (Conn. Gen. Stat. Section 31-48d), New York (SWEM Act, Labor Law Section 52-c), and Delaware (19 Del. C. Section 705). Under GDPR, a written policy satisfies the Article 13 transparency obligation. Even where not legally mandated, a documented AUP is the primary defense against wrongful termination and privacy claims.

How should the AUP monitoring disclosure be written for GDPR compliance?

For GDPR compliance, the AUP monitoring disclosure must identify the lawful basis for processing under Article 6 (typically legitimate interests under Article 6(1)(f)), describe each monitoring activity and its purpose, state the data retention period, list employee rights (access, erasure, restriction), and name the data controller. A Data Protection Impact Assessment (DPIA) may be required under Article 35 for high-risk monitoring activities.

Can employees refuse to sign an acceptable use policy with a monitoring clause?

Employees can refuse to sign, but refusal typically constitutes failure to comply with a lawful workplace policy. In most US jurisdictions, an employer may discipline or terminate an employee who refuses to acknowledge a lawful monitoring policy. Under GDPR, if consent is the stated lawful basis, genuine refusal must be accepted, which is why most EU employers use legitimate interests as the lawful basis rather than consent.

What is the difference between an AUP and a monitoring policy?

An acceptable use policy governs how employees are permitted to use company technology systems, covering permitted uses, prohibited activities, and consequences of violations. A monitoring policy specifically addresses the employer's data collection practices. Many organizations combine both into a single document with a dedicated monitoring disclosure section, which is what this template provides. Keeping them combined reduces the number of documents employees must sign.

Does the monitoring clause apply to remote employees?

Yes. The monitoring clause in an AUP applies to any use of company-owned systems and accounts, regardless of location. Remote employees working on company devices from home, a co-working space, or another country are subject to the same monitoring disclosure. International employees may require additional jurisdiction-specific language, particularly in EU countries where GDPR imposes stricter proportionality requirements.

How often should the AUP monitoring clause be updated?

The AUP monitoring clause requires review at least annually and whenever a material change occurs: new monitoring tools are deployed, monitoring scope expands, relevant laws are enacted or amended, or a data breach reveals policy gaps. Employees should re-sign an updated acknowledgment when material changes are made. Tracking policy revisions in the revision log section of this template supports compliance audits.

Can monitoring data collected under the AUP be used in a termination decision?

Monitoring data is admissible in employment termination proceedings when the AUP was distributed before the conduct in question, the employee signed the acknowledgment, the monitoring followed the stated policy scope, and the data directly relates to the alleged violation. Courts have consistently upheld terminations supported by monitoring data when a properly disclosed AUP was in place.

What happens if the monitoring clause is incomplete or vague?

An incomplete or vague monitoring clause creates significant legal exposure. Courts have held that monitoring a type of activity not listed in the policy can constitute a privacy violation even on company systems. Under GDPR, insufficiently specific disclosure may constitute a breach of Article 13 transparency requirements and trigger regulatory enforcement. This template is designed to be explicit and comprehensive to eliminate ambiguity.

Should the AUP include a monitoring clause for company mobile devices?

Yes. Company-issued mobile devices should be explicitly named in the AUP monitoring clause. Mobile device monitoring may include call logs on company SIM cards, app usage data, location data if GPS tracking is deployed, and mobile data usage. Each monitoring type should be listed specifically. Location tracking on mobile devices carries additional consent requirements in several states and under GDPR.

What is the legal risk of deploying monitoring software without a written AUP?

Monitoring without a written AUP exposes organizations to wrongful termination claims when monitoring data is used in disciplinary decisions, privacy tort claims under state law, regulatory enforcement under state electronic monitoring statutes in Connecticut, New York, and Delaware, and GDPR enforcement actions with fines up to 4% of annual global turnover for EU operations. A written AUP is the lowest-cost risk mitigation measure available.

What is the California CPRA notice requirement for employee monitoring?

Under the California Privacy Rights Act (CPRA), employers must provide employees with a Notice at Collection prior to or at the time of collecting personal information, including monitoring data. The notice must describe the categories of personal information collected, the business purposes for collection, and the retention period. This template's California section includes CPRA-compliant notice language for employers with California-based employees.

Deploy Monitoring That Matches Your Policy from Day One

eMonitor lets you configure exactly which monitoring activities are active, so your tool always matches what your AUP says. Start a free trial and align your monitoring program with this template in under 30 minutes.
