78% of employers now monitor their employees in some form. But the legal framework governing that surveillance is a patchwork of federal defaults, state-specific requirements, and industry regulations that most workers — and many employers — don’t fully understand.
This guide breaks down the monitoring laws that apply to you in 2026, whether you’re an employee trying to understand your rights or an employer verifying compliance.
Federal Law: The Baseline
The Electronic Communications Privacy Act (ECPA) of 1986 is the primary federal law governing employee monitoring. It establishes two important exceptions that allow employers to monitor:
- Business Purpose Exception: Employers can monitor electronic communications on company-owned equipment if there is a legitimate business reason — productivity, security, compliance, or quality assurance.
- Consent Exception: If employees consent to monitoring (often through an employment agreement, handbook acknowledgment, or acceptable use policy), monitoring is permitted regardless of business purpose.
The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers, but this generally protects employers from employees — not the other way around. The Americans with Disabilities Act (ADA) restricts monitoring that disproportionately targets employees with disabilities.
The key gap in federal law: no requirement to notify employees about monitoring on company devices. That’s where state laws come in.
State-by-State Compliance Table
The table below covers all 50 states plus DC. The “Strictness” rating reflects how much the state goes beyond the federal baseline: Strict means specific monitoring laws with penalties, Moderate means notice or consent requirements, Minimal means general privacy provisions only, and Federal Only means no state-specific monitoring laws.
| State | Audio Consent | E-Monitoring Notice | Key Statute | Strictness |
|---|---|---|---|---|
| Alabama | One-party | Not required | — | Federal Only |
| Alaska | One-party | Not required | — | Federal Only |
| Arizona | One-party | Not required | — | Federal Only |
| Arkansas | One-party | Not required | — | Federal Only |
| California | All-party | Privacy act applies | CCPA/CPRA, CalECPA, Penal §632 | Strict |
| Colorado | One-party | Required (CPA) | Colorado Privacy Act | Moderate |
| Connecticut | All-party | Required (written) | Conn. Gen. Stat. §31-48d | Strict |
| Delaware | All-party | Required (written) | Del. Code tit. 19 §705 | Strict |
| DC | One-party | Not required | — | Federal Only |
| Florida | All-party | Not required | Fla. Stat. §934.03 | Moderate |
| Georgia | One-party | Not required | — | Federal Only |
| Hawaii | One-party | Not required | — | Federal Only |
| Idaho | One-party | Not required | — | Federal Only |
| Illinois | All-party | BIPA for biometrics | 720 ILCS 5/14, BIPA (740 ILCS 14) | Strict |
| Indiana | One-party | Not required | — | Federal Only |
| Iowa | One-party | Not required | — | Federal Only |
| Kansas | One-party | Not required | — | Federal Only |
| Kentucky | One-party | Not required | — | Federal Only |
| Louisiana | One-party | Not required | — | Federal Only |
| Maine | One-party | Not required | — | Minimal |
| Maryland | All-party | Not required | Md. Code §10-402 | Moderate |
| Massachusetts | All-party | Not required | Mass. Gen. Laws ch.272 §99 | Moderate |
| Michigan | All-party | Not required | MCL §750.539 | Moderate |
| Minnesota | One-party | Not required | — | Federal Only |
| Mississippi | One-party | Not required | — | Federal Only |
| Missouri | One-party | Not required | — | Federal Only |
| Montana | All-party | Not required | Mont. Code §45-8-213 | Moderate |
| Nebraska | One-party | Not required | — | Federal Only |
| Nevada | One-party | Not required | — | Minimal |
| New Hampshire | All-party | Not required | N.H. Rev. Stat. §570-A | Moderate |
| New Jersey | One-party | Not required | — | Minimal |
| New Mexico | One-party | Not required | — | Federal Only |
| New York | One-party | Required (written + posted) | NYLL §203-e | Strict |
| North Carolina | One-party | Not required | — | Federal Only |
| North Dakota | One-party | Not required | — | Federal Only |
| Ohio | One-party | Not required | — | Federal Only |
| Oklahoma | One-party | Not required | — | Federal Only |
| Oregon | One-party | Not required | — | Minimal |
| Pennsylvania | All-party | Not required | 18 Pa.C.S. §5704 | Moderate |
| Rhode Island | One-party | Not required | — | Federal Only |
| South Carolina | One-party | Not required | — | Federal Only |
| South Dakota | One-party | Not required | — | Federal Only |
| Tennessee | One-party | Not required | — | Federal Only |
| Texas | One-party | CUBI for biometrics | Tex. Bus. & Com. §503.001 | Moderate |
| Utah | One-party | Not required | — | Minimal |
| Vermont | One-party | Not required | — | Federal Only |
| Virginia | One-party | VCDPA applies | Virginia Consumer Data Protection Act | Moderate |
| Washington | All-party | Not required | RCW 9.73.030 | Moderate |
| West Virginia | One-party | Not required | — | Federal Only |
| Wisconsin | One-party | Not required | — | Federal Only |
| Wyoming | One-party | Not required | — | Federal Only |
Key States in Detail
Connecticut — The Gold Standard
Connecticut was the first state to require employers to give written notice before any electronic monitoring. Under Conn. Gen. Stat. §31-48d, employers must inform employees in writing about the types of monitoring used, including email, internet, and telephone monitoring. Penalty: $500 for first offense, $1,000 for subsequent violations.
New York — Notice + Posting
Since May 2022, New York employers must provide written notice upon hiring and post a visible notice in the workplace informing employees about electronic monitoring of telephone, email, and internet usage. Penalties escalate: $500 first offense, $1,000 second, $3,000 for third and subsequent violations per employee.
Delaware — Written Notice Required
Delaware requires employers to give written notice before monitoring email and internet activity. Violation penalties are modest at up to $100 per incident, but the law creates a clear compliance obligation.
California — Multi-Layered Protection
California has the most complex monitoring landscape. The CCPA/CPRA gives employees data access rights. CalECPA requires warrants for government access to electronic data. Penal Code §632 is an all-party consent law for audio recording with penalties up to $2,500 per violation. California courts have also recognized an implicit right to privacy that can apply to workplace monitoring.
Illinois — BIPA: The Biometrics Giant
Illinois’s Biometric Information Privacy Act (BIPA) is the most powerful employee privacy law in the country. It requires informed consent before collecting fingerprints, facial geometry, or other biometrics. Penalties of $1,000–$5,000 per violation have produced massive class action settlements — including Facebook’s $650 million settlement. Any employer using fingerprint scanners or facial recognition for attendance must comply.
One-Party vs Two-Party Consent
The consent distinction primarily affects audio recording (phone calls, in-person conversations, video with audio). It does not apply to screen monitoring, keystroke logging, or screenshot capture.
- One-party consent (39 states): Only one participant needs to know about the recording. Your employer can record calls they’re a party to without telling you.
- All-party consent (11 states + DC): California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, and Washington require all parties to consent. Recording without consent is a crime in most of these states.
For employers using tools like Teramind or CleverControl that capture audio, operating in an all-party consent state means explicit employee consent is required for that feature.
US vs EU: How the Rules Compare
The fundamental difference: the US starts from a position of “permitted unless prohibited” while the EU starts from “prohibited unless justified.” Amazon France learned this the hard way with a €32 million fine for excessively intrusive warehouse worker monitoring in 2024.
Penalties for Violations
Federal (ECPA)
Illinois (BIPA)
New York
Texas (CUBI)
California (CIPA)
Connecticut
The trend is toward stricter enforcement. Employee monitoring litigation has increased 43% since 2021, and 89% of monitoring lawsuits result in settlements over $100,000. Industry analysts project 15 states will have specific monitoring disclosure laws by 2028.
What You Can Do as an Employee
- Read your employment agreement — look for monitoring consent clauses, acceptable use policies, and technology agreements. Most employers include monitoring disclosure in onboarding documents.
- Check your state’s laws — use the table above to understand what your employer is required to disclose.
- Ask HR directly — in many states, HR must answer honestly about monitoring practices if asked. Document the response in writing.
- Check for monitoring software — see our guide on how to identify if you’re being monitored, including process names, system tray icons, and network traffic.
- Know the limits on personal devices — unless you installed company software (VPN, MDM, monitoring agent), your employer generally cannot monitor your personal phone or laptop.
- Understand BYOD implications — if you use a personal device for work through a bring-your-own-device policy, the employer may monitor work-related activity through company apps.
Frequently Asked Questions
Is it legal for employers to monitor employees in the US?
Yes. Under federal law (ECPA), employers can monitor electronic communications on company-owned devices with a legitimate business purpose. Most states follow this default. However, some states like Connecticut, Delaware, and New York require written notice before monitoring, and 11 states plus DC require all-party consent for audio recording.
Which states require employers to notify employees about monitoring?
As of 2026, four states have specific electronic monitoring notification laws: Connecticut (requires written notice), Delaware (requires written notice), New York (requires written notice and visible posting), and Colorado (requires notice under the Colorado Privacy Act). Several more states have broader privacy laws that effectively require disclosure.
Can my employer monitor me without telling me?
In most US states, yes. Federal law does not require employers to notify employees about monitoring on company devices. However, if you are in Connecticut, Delaware, New York, or Colorado, your employer must provide written notice. In the EU under GDPR, employers must always disclose monitoring and provide a lawful basis.
What is the difference between one-party and two-party consent states?
In one-party consent states, only one person in a conversation needs to consent to recording — meaning your employer can record calls if they are a party to them. In two-party (all-party) consent states like California, Florida, and Illinois, everyone being recorded must consent. This mainly applies to audio recording, not screen monitoring or keystroke logging.
Does GDPR apply to employee monitoring?
Yes. If your employer operates in the EU or monitors EU-based employees, GDPR requires a lawful basis for monitoring (usually legitimate interest), a Data Protection Impact Assessment for systematic monitoring, clear employee notification, data minimization, and the right for employees to access their monitoring data. Violations can result in fines up to 4% of global turnover or €20 million.
Can my employer monitor my personal phone or computer?
Generally no, unless you installed company software (like a VPN, MDM profile, or monitoring agent) on your personal device. If you use a personal device for work through a BYOD policy, the employer may monitor work-related activity through company apps. On a company-owned device, the employer has broad monitoring rights in most US states.
What are the penalties for illegal employee monitoring?
Penalties vary by state. Federal ECPA violations can result in fines up to $10,000 and 5 years imprisonment. State penalties range from $100 per violation in Delaware to $25,000 per biometric violation in Texas. Illinois BIPA allows $1,000–$5,000 per violation in class action suits — Facebook settled for $650 million under BIPA.
How many states are expected to pass monitoring laws by 2028?
Industry analysts project that 15 US states will have specific employee monitoring disclosure laws by 2028, up from 4 states in 2026. The trend is accelerating, driven by public pressure, union advocacy, and EU regulatory influence through multinational companies that apply GDPR-like standards globally.


