Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

When monitoring employees in the workplace in the U.S. and Canada, employers must be cognizant of their obligations under employment and data privacy laws. 

In the U.S., employers can mostly prevent privacy expectations from developing in the workplace by providing clear notice of monitoring practices; such notice is required in certain states, such as New York. But under the California Consumer Privacy Act, data minimization requirements apply and monitoring practices must be justifiable as necessary and proportionate.

In Canada, employers are required to balance operational needs, such as safety, security and productivity, with the privacy rights of their employees. Monitoring should be reasonable, proportionate and tied to a legitimate business purpose. Organizations must comply with applicable federal or provincial privacy legislation, which can include safeguarding any employee personal information collected, obtaining employee consent in certain circumstances, and providing notice to employees of monitoring practices.

For federally regulated private-sector employers — such as banks, airlines and telecommunications companies — employee monitoring is generally governed by the Personal Information Protection and Electronic Documents Act. Provinces that have enacted privacy laws deemed "substantially similar" to PIPEDA are exempt from its collection, use and disclosure provisions under section 26(2)(b). Presently, only Alberta, British Columbia and Québec have privacy legislation that is substantially similar to PIPEDA.

US: A patchwork of requirements applies to employers

At the federal level in the U.S., employee monitoring is primarily governed by the Electronic Communications Privacy Act and the Stored Communications Act, which permit monitoring for legitimate business purposes but impose strict limits on unauthorized interception and access to private communications. Further, employers must conduct all workplace monitoring and surveillance in compliance with federal, state and local anti-discrimination laws. And, all employers, even those with a nonunionized workforce, must comply with the National Labor Relations Act when conducting workplace monitoring and surveillance. 

In addition, some states have enacted data privacy and security laws or regulations governing the collection, use, transfer and disposal of certain types of personal information. 

California is the U.S. state with the most comprehensive data privacy law with broad application. Under the CCPA, employers are permitted to monitor employees with notice only so long as the monitoring is reasonably necessary and proportionate in the particular employment context and processing purposes are not surprising to employees. 

This CCPA requirement amounts to a data minimization principle in the California employment context. With increasingly sophisticated CCTV monitoring technologies and the prevalence of video meetings with attention-monitoring technologies and transcription features, employers should deploy new monitoring tools on California resident employees only after assessing them against this principle.

In part because of the CCPA data minimization principle, U.S. employers should consider prohibiting personal use of company systems. Historically, limited personal use of company systems has been permitted by most U.S. employers. That made sense when employees may have needed to conduct limited personal tasks during work hours and did not have access to a personal device when away from home. But now that most employees carry a personal smartphone, such needs have been reduced.

Prohibiting personal use of company systems should impose little practical burden on employees and makes it easier for employers to justify more privacy-intrusive, and company-protective, monitoring practices. There is also the added benefit that employees are less likely to create risks for the company by visiting websites or downloading content or software not required to do their job.

The best way to negate surprises and put employees on notice of monitoring is to provide in-time reminders of monitoring, such as when they log on to work devices, swipe a badge or otherwise authenticate themselves when entering physical employer premises.

In addition to the data minimization principle, under the CCPA and its regulations, all processing of sensitive personal information used to infer characteristics about an employee is subject to a purpose limitation or triggers a "right to limit," an opt-out right that employers counterintuitively must operationalize through a link on their public-facing website.

Because allowing employees to opt out of personal information processing in the employment context is generally not operationally feasible, employers should document in an internal assessment directed by their legal department why, for example, making inferences about employee productivity based on the frequency of personal emails sent from their work email is reasonably necessary based on an average employee's expectation of the provision of the employment relationship. An average employee's expectations will depend on the employer's particular business but also on what notice the employer provides.

In addition to the right to limit, from 1 Jan. 2026, employers are also required to conduct risk assessments for processing sensitive personal information — such as processing content of personal emails sent over company systems or if using automated processing to infer performance at work — with a goal of employers deciding not to engage in activities considered too risky. 

Certain employee monitoring technologies may also involve automated decision-making technology, which is regulated from 1 Jan. 2027, under the CCPA regulations. 

Beyond California, there are several other U.S. state laws to consider. For example, with limited exceptions, Connecticut employers engaging in electronic workplace monitoring are required to provide prior written notice to all employees who may be monitored. The notice is required to identify the types of electronic monitoring that may be in use and is required to be posted in a conspicuous place. 

Delaware employers generally may only monitor employees' telephone or computer use after providing advance notice of the monitoring. The notice is required to be provided electronically at least once during each day that employees access employer-provided email or internet, unless the employer provides a one-time written or electronic notice of the monitoring that is acknowledged by employees, either in writing or electronically. 

The Illinois Biometric Information Privacy Act applies if monitoring involves biometric data and the statute requires informed written consent and strict data handling protocols. 

To engage in monitoring or interception of telephone conversations, emails, and internet access or use, New York employers typically are required to notify employees at hiring, in writing or electronically, obtain employees' acknowledgement of this notice in writing or electronically, and post a notice of electronic monitoring in a conspicuous place.

Canada: Legal framework varies across provinces

Ontario is the only province that statutorily requires employers to have a written policy in place on the electronic monitoring of employees. As of October 2022, employers with 25 or more employees in Ontario must have a policy disclosing whether they electronically monitor their employees. If so, the policy must include a description of how and in what circumstances the employer electronically monitors its employees, the purposes for which the information obtained through electronic monitoring may be used, the date the policy was prepared and the date any changes were made to the policy.

Electronic monitoring goes beyond simply tracking which websites the employee visits or the messages they send coworkers on Microsoft Teams. It also includes, as applicable, tracking employee badge data and connections to workplace Wi-Fi. Employers who have mandated a return to the office in Ontario should ensure such monitoring practices, often relied upon to ensure work-from-office policy compliance, are accurately described in the company's electronic monitoring policy. It is important to note that this requirement does not create new privacy rights; it only requires that the employer state in the policy what its electronic monitoring practices are.

In British Columbia, employee monitoring is governed by two provincial statutes: the Personal Information Protection Act for private-sector employers and the Freedom of Information and Protection of Privacy Act for public-sector employers. Under FIPPA, public bodies do not need employee consent to collect personal information if the collection is necessary and directly connected to a program or activity of the public body. However, public-sector employers must provide notice when collecting information indirectly, particularly for managing or ending an employment relationship. 

For private-sector employers, British Columbia's PIPA generally requires consent to collect personal information. An exception applies where the collection is of employee personal information and is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual. In such cases, employers may collect the employee personal information without the individual's consent.

For example, a private-sector employer could track employee badge data without the employee's consent if the purpose is to ensure compliance with a mandatory return-to-office company policy. But a 2024 decision in British Columbia resulting in mid five-figure damages highlighted that public-sector employers in British Columbia cannot treat semi-private online content as open for monitoring unless there is a clear and legitimate justification.

In Alberta, the Personal Information Protection Act governs employee monitoring and the collection, use and disclosure of personal employee information. Under Alberta's PIPA, employers generally must obtain an employee's consent before collecting their personal information. However, consent may not be required if the collection or use is solely for the purpose of establishing, managing or terminating an employment relationship or managing a post-employment relationship; it is reasonable to collect or use the information for the particular purpose for which it is being collected or used; and, for a current employee, the organization has provided them with reasonable notification prior to collection or use, as well as the purposes behind it.

Thus, to avoid the requirement to obtain employee consent, private-sector employers in Alberta should ensure their relevant workplace policies contain statements notifying existing employees of any electronic monitoring practices and the purposes for which personal employee information will be collected or used. 

Québec's Act Respecting the Protection of Personal Information in the Private Sector, modernized by Law 25, applies to all private-sector employers. Monitoring must have a legitimate purpose, such as safety or investigating misconduct, and be proportionate and minimally intrusive. Employers are also required to inform employees about the type, purpose and timing of monitoring and obtain employee consent to all monitoring. Noncompliance may result in complaints to Québec's privacy and access to information regulator, the Commission d’accès à l’information.

In a 2025 decision, an employer was found to have had an excessive in-vehicle video surveillance system in company-owned vehicles. This decision reinforces the principle of proportionality and the need to consider less intrusive alternatives with data collection in Québec.

Key takeaways for employers

While monitoring employees in the workplace is generally permissible across the U.S. and Canada, employers should assess the necessity and proportionality of each monitoring practice to comply with data minimization principles and restrictions on certain processing of sensitive personal information about employees, such as personal emails sent by employees over company systems or biometric information to identify employees. 

As a best practice, an employer's monitoring practices should be described and captured in some capacity in its relevant workplace policies to prevent privacy expectations from developing where employees would otherwise not have them.

U.S. employers should provide IT monitoring notice to all employees and are statutorily required to give California residents CCPA-compliant notice.

In Canada, notice to employees of workplace monitoring activities is generally required.

Helena Engfeldt, CIPP/E, CIPP/US, is a partner and Rono Khan is an associate at Baker McKenzie.