Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
For generations, American workers have had very few privacy rights in the workplace, especially compared to peers in other Western nations.
Employers could monitor employees' internet use, install cameras to watch them in common spaces like coffee stations and read work email accounts. Until the 1980s, when Congress largely banned the practice, employers could even force employees to take lie-detector tests.
Recently, thanks to state-level laws, more employees are gaining privacy rights to their personal information and devices, forcing employers to treat employees as they would customers.
This is reinforcing the fragmentary Electronic Communications Privacy Act and contributing to a quiet revolution in the workplace that is rewriting the rules shaping the employer-employee relationship as it relates to workplace technology. Yet, the green shoots of these privacy protections are at risk under the deregulatory push taken by the Trump administration and furthered by Republicans in Congress who seek to preempt state laws.
Nearly two-thirds of U.S. adults report using their personal smartphone for work. Almost one-third use a smart watch, with the majority wearing them while at work. In short, we've never been more connected, both at the office and at home. This connectivity is fueling concern about privacy, harkening back to the original definition of the 1890s concept of the "right to be let alone."
In response, as of 2 Feb., 19 states now have comprehensive data privacy laws on the books. Unlike so many issues in U.S. politics, this trend bucks the typical red/blue-state divide. States as diverse as California, Indiana, Utah and New Hampshire have all acted in recent years, with more states considering bills.
The lack of Congressional action is fueling this trend, and while these laws are not all identical — with California being an outlier — some are converging on certain privacy rights similar to what many Europeans already enjoy. These include heightened consent requirements.
California broke new ground when it became the first state to mandate that its new privacy law, the California Privacy Rights Act, apply equally to employees and to customers. In 2023, legislation regulating employee location tracking in the Golden State also came into force.
Connecticut, Delaware and New York similarly have laws that determine the circumstances in which employers may monitor employees' email and telephone conversations. Illinois' Biometric Information Privacy Act requires employers to provide notice, obtain consent and adhere to certain data minimization principles. Employers in Illinois have to be very careful with the employee biometric information they collect. If they run afoul of the law, employees can sue for up to USD5,000 per violation. Colorado similarly has a privacy law that applies to employers' collection of employees' biometric data.
New York City has become the first community in the country to regulate the use of AI to manage job applications and functions.
Although there is not yet a clear nationwide trend toward comprehensive employee workplace tech protections, we have seen a sea change in the benefits and challenges associated with workplace tech. For years, employers have encouraged employees to use fitness trackers such as smart watches to help ensure a healthy workforce. But not anymore. Instead, there is growing pushback surrounding the surveilling of these devices, with 87% of IT managers surveyed in one study reporting negative impacts after the rollout of these practices.
These developments point to the need for employers to review their digital footprints, especially if they are doing business in California, Illinois, Colorado or New York. If so, they must respect employees' data privacy and biometric rights, as well as those pertaining to AI and automation.
Across the board, employers need to ensure appropriate notice and consent, and pay attention to the cybersecurity of wearable tech that is permitted in the workplace. All 50 states now have data breach legislation on the books, while a growing number are also mandating "reasonable" cybersecurity. Since 2020 in California, all internet-connected devices must be able to be updated and not have hard-coded passwords.
In short, even without Congressional action, employers should think of employees' privacy rights as they would their customers'. This means consent should be explicit, easy to understand and as easy to take back as it was to give in the first place.
Bring-your-own-device policies should be updated with best practices from California, Illinois and New York in mind.
And data should not be kept longer than necessary. A new wave of reform is also swelling as it pertains to other workplace tech innovations, including background checks, occupancy tracking, identity management and the use of AI in the workplace.
To be clear, employees across the U.S. will not wake up tomorrow and enjoy the same level of privacy rights enjoyed by their European colleagues, and the progress we have seen could be reversed if a new federal privacy law draws enough support to preempt these state-level efforts.
But for now, it's getting harder in some states for employers to use smart products or apps that track employees' location, performance, or other personal information without their explicit consent going forward. And even if such practices remain legal in the near term, whether they are ethical is another matter.
A growing number of employees would say no and could well vote with their feet.
Scott Shackelford is provost professor of business law and ethics at Indiana University's Kelley School of Business and executive director of the Center for Applied Cybersecurity Research.