Navigating Employee Privacy Rights
Employee privacy continues to be a complex and evolving area. As workplace technology advances and states enact new protections, employers are increasingly called upon to balance business interests with employees’ reasonable expectations of privacy. From monitoring remote workers to evaluating a candidate’s social media presence, each decision carries potential legal risk.
Social Media and Online Activity
Reviewing an applicant’s or employee’s online presence can offer insight into character or cultural fit, but it also presents substantial legal risk. Employers that examine personal social media profiles may inadvertently expose themselves to information about protected characteristics such as religious affiliation, sexual orientation, or disability status. If a hiring or disciplinary decision follows such a review, it may be difficult to demonstrate that the decision was not influenced by the existence of a protected characteristic. Notably, California Labor Code section 980 prohibits employers from requiring or requesting that employees or applicants disclose usernames or passwords for personal social media accounts; it further prohibits employers from requiring them to access personal social media in an employer’s presence.
To mitigate risk, employers may want to consider delaying social media reviews until after extending a conditional offer, delegating reviews to human resources personnel (rather than direct supervisors), and documenting the business rationale behind any employment decisions that follow such a review. Developing a written social media policy that sets clear expectations for both an employer’s review practices and employees’ use of social media in connection with the workplace may also be a prudent step.
Medical Privacy and the ADA
Medical privacy remains one of the most sensitive areas for employers. The Americans with Disabilities Act (ADA) places strict limits on when and how employers may obtain and use medical information. Employer-required medical examinations, for instance, may not be used to screen out individuals with disabilities unless the condition genuinely prevents the individual from performing the essential functions of the job, with or without a reasonable accommodation. Under both the ADA and the Genetic Information Nondiscrimination Act (GINA), maintaining medical records in separate, confidential files is not merely a best practice—it is a legal requirement. In California, the Confidentiality of Medical Information Act (CMIA) imposes additional obligations, restricting employers from using, disclosing, or knowingly permitting employees or agents to disclose medical information without the employee’s written authorization, except in narrowly defined circumstances.
Employers may want to consider developing written procedures for handling medical information that clearly define who may access such records, as well as routinely training human resources personnel and managers on permissible and impermissible inquiries during the hiring process and throughout employment.
Workplace Surveillance and Monitoring
Employers generally retain the right to monitor employee activity on company-owned devices. However, the scope of that right can narrow depending on whether employees have a reasonable expectation of privacy. Courts have generally found that communications sent through a company email account are not private, particularly where the employer has a technology-use policy in place that discloses monitoring practices.
Employers may want to consider taking a measured approach to surveillance, using the least intrusive means necessary to accomplish their business objectives. Surveillance generally should not extend to areas where employees have a reasonable expectation of privacy, such as restrooms or private changing areas. A clearly written technology-use policy, acknowledged by employees, that states communications on company devices and accounts are subject to monitoring, can go a long way toward setting reasonable expectations of privacy and reducing exposure. The growing use of artificial intelligence in monitoring tools, including keystroke logging, screen capture, and productivity scoring, raises additional considerations, and employers may wish to evaluate whether such tools comply with applicable privacy laws and align with employee expectations.
Off-Duty Conduct
It may be tempting for employers to regulate employee behavior outside of working hours, particularly when off-duty conduct reflects poorly on the company. However, a number of states prohibit employers from disciplining employees for lawful off-duty conduct. California Labor Code sections 96(k) and 98.6, as well as Colorado Revised Statutes section 24-34-402.5, provide protections for employees who engage in lawful conduct during nonworking hours away from the employer’s premises. Off-duty behavior that violates an employer’s code of conduct, materially affects the employer’s reputation, or creates workplace disruption may justify discipline in certain circumstances. For example, an employee’s social media posts made during off-hours may warrant further review if they potentially violate anti-harassment or anti-discrimination policies.
Employers may want to consider clarifying their expectations through a well-drafted code of conduct that addresses behavior impacting the workplace, even when it occurs off-site or off-duty. Any such policy would benefit from careful review to ensure it does not infringe on lawful behavior or constitutionally protected activities, including political expression.
Background Checks and Credit Reports
The use of background and credit checks is increasingly regulated at both the state and federal levels. The federal Fair Credit Reporting Act (FCRA) imposes procedural obligations on employers, including obtaining written consent before accessing a consumer report and providing notice before taking adverse action based on its contents. At the state level, California’s Investigative Consumer Reporting Agencies Act (ICRAA) adds further requirements, including providing applicants with a specific disclosure identifying the scope of the investigation. Additionally, several states, including California, Colorado, Illinois, Massachusetts, Oregon, Pennsylvania, and Washington, have “ban the box” laws that limit employers’ ability to inquire about an applicant’s criminal history, often until a conditional offer of employment is made. Employers should also be mindful of local “ban the box” laws, such as those imposed by New York City and dozens of other cities and counties throughout the country.
Overuse or misuse of background checks can also lead to claims of disparate impact discrimination, particularly if the screening criteria disproportionately exclude individuals based on protected characteristics. To reduce exposure, employers may want to consider ensuring that background checks are job-related and consistent with business necessity, reserving checks for later stages of the hiring process, and evaluating criminal history on an individualized basis rather than applying blanket exclusions. Where a conviction is used as a basis for an adverse decision, documenting a clear rationale tying the specific offense to the responsibilities of the position (e.g., a theft conviction for a cash-handling role) is a practice worth considering.
Drug Testing and Marijuana Use
Drug testing remains largely permissible and is often required in safety-sensitive industries. However, the legal landscape has shifted significantly as more states legalize marijuana for recreational and medicinal use. While marijuana remains a Schedule I controlled substance under federal law, a growing number of states now extend employment protections for off-duty marijuana use. California’s Assembly Bill 2188, which took effect on January 1, 2024, amended the Fair Employment and Housing Act (FEHA) to prohibit employers from discriminating against applicants or employees based on their use of cannabis off the job and away from the workplace. The law also bars employers from taking adverse action based on an employer-required drug test that detects non-psychoactive cannabis metabolites in hair, blood, urine, or other bodily fluids. Exceptions exist for employees in the building and construction trades and for positions requiring a federal background investigation or clearance.
Given these developments, employers may want to consider reviewing and updating their drug testing policies to account for evolving state-law protections. Blanket zero-tolerance policies may be increasingly difficult to sustain in states with employee protections for off-duty cannabis use, such as California, New Jersey, New York, and Washington. For non-safety-sensitive roles, focusing on workplace impairment rather than off-duty usage may be a more defensible approach. Employers in California should be especially attentive to whether their testing methodologies can distinguish between current impairment and the mere presence of non-psychoactive metabolites.
Monitoring Remote Workers
The widespread shift to remote and hybrid work arrangements accelerated the adoption of productivity tracking software, webcam monitoring, keystroke logging, and location-based tracking. While these tools can help manage dispersed teams, they raise significant privacy concerns, particularly when deployed without employee knowledge or for purposes unrelated to job performance.
Excessive monitoring can erode employee trust and may give rise to claims of constructive discharge or invasion of privacy, particularly where the monitoring is disproportionate to its stated purpose. In California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may impose additional obligations on employers regarding the collection, use, and disclosure of employee personal information, including data gathered through remote monitoring tools. While certain employment-related exemptions have been in flux, employers operating in California may want to stay informed about the current status of these provisions and assess whether their data collection practices trigger notice or other compliance obligations under the CCPA framework.
Employers may want to consider limiting monitoring to data that directly relates to productivity or security, updating their policies to specifically address remote work scenarios, and clearly informing employees about what is being tracked, why, and how the data will be used. Transparency and proportionality remain the cornerstones of defensible remote monitoring practices.
What Should Employers Consider Going Forward?
Employee privacy is a moving target that requires ongoing attention and strategic thinking. While employers retain broad rights to manage their operations, those rights are not absolute—and the boundaries continue to shift, particularly in states like California that have been at the forefront of expanding employee privacy protections.
Employers may want to consider the following practical steps as the legal landscape continues to evolve:
- Conducting periodic audits of existing privacy-related policies—including technology use, social media, drug testing, and background check policies—to ensure alignment with current federal, state, and local requirements.
- Training HR personnel, managers, and supervisors on the permissible scope of inquiries, monitoring, and information handling, with particular attention to evolving state-specific requirements.
- Evaluating whether the organization’s use of monitoring technologies—especially AI-driven tools—complies with applicable privacy laws and whether employees have been given adequate notice.
- Reviewing data collection and retention practices in light of the CCPA/CPRA and other applicable data privacy frameworks to confirm that employee personal information is being handled in accordance with current legal obligations.
As laws continue to develop, staying ahead of emerging obligations through proactive policy review and legal consultation will be essential to maintaining a workplace environment that respects employee privacy while supporting organizational objectives.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 17 locations throughout the United States and in Mexico, including Phoenix and Tucson, Arizona; Los Angeles, Orange County, Palo Alto and San Diego, California; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno-Tahoe, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.