ScreenJournal

What are California's employee monitoring rules?

Updated on 6 July 2026

California employee monitoring is governed mainly by the CCPA. Since 1 January 2023 employees hold full privacy rights over data their employer collects about them, including monitoring data. New regulations effective 1 January 2026 add risk assessments for systematic workplace monitoring, and ADMT rules add notice, opt-out and appeal rights for automated employment decisions from 1 January 2027.

California has no single workplace monitoring statute. Instead, three layers do the work: the CCPA's data rights, the new regulations on risk assessments and automated decision-making technology (ADMT), and a pair of older rules on recording. Together they add up to the strictest monitoring regime of any US state, and the deadlines are staggered, so it pays to know which duty starts when.

Does the CCPA apply to employee monitoring data?

Yes, since 1 January 2023, when the CCPA's temporary exemption for workforce data expired. Employees, job applicants and independent contractors now hold the same rights over their personal information as consumers, and monitoring output is personal information: screenshots, application and website logs, derived productivity scores and anything else a tool records or infers about an identifiable person.

The CCPA does not reach every employer. It covers for-profit businesses doing business in California that meet any one of three thresholds: annual gross revenue above 26,625,000 USD (the inflation-adjusted figure in force since January 2025), buying, selling or sharing the personal information of 100,000 or more California consumers or households a year, or deriving half or more of annual revenue from selling or sharing personal information. Smaller employers escape the CCPA itself, though not the recording rules further down this page.

What rights do California employees have over monitoring data?

Employees hold the full set of CCPA rights, and five matter most in a monitoring context.

  • Notice at collection. Before or at the point of collection, employees must be told what categories of personal information are collected, for what purposes, and how long each category will be kept. A monitoring tool deployed silently is a violation on day one.
  • Access. An employee can ask what has been collected about them, and the employer has 45 days to respond.
  • Deletion and correction. Employees can ask for certain data to be deleted and for inaccurate data, including inaccurate inferences, to be corrected.
  • Limits on sensitive personal information. Employees can restrict some uses of their most sensitive data.
  • No retaliation. Exercising any of these rights cannot lawfully cost anyone their job, hours or pay.

What do California's ADMT rules require?

In September 2025 California finalised a package of new CCPA regulations covering ADMT, risk assessments and cybersecurity audits, effective 1 January 2026. The ADMT rules apply when technology that processes personal information replaces, or substantially replaces, human decision-making in a significant decision, and the definition names employment squarely: hiring, promotion or demotion, allocation of work, compensation, suspension or dismissal.

For those uses, an employer must give a pre-use notice explaining what the technology does and what data it uses, offer opt-out and access rights, including information about the ADMT's logic and how its output was used, and provide a route of appeal, with the exact duties depending on the decision involved. Businesses already using ADMT for significant decisions have until 1 January 2027 to comply; uses begun after that date must comply from the start.

When is a privacy risk assessment required?

Before starting any processing that poses a significant risk to privacy, and the regulations name workplace monitoring directly. One trigger is profiling workers through "systematic observation", defined as methodical, regular or continuous observation. Periodic screenshots, continuous application logging and keystroke capture can all qualify, which puts most conventional monitoring software squarely in scope. Using ADMT for significant decisions and processing sensitive personal information are further triggers.

California's monitoring obligations arrive in stages, summarised in the table below.

DateWhat starts
1 January 2023CCPA rights extend to employees, applicants and contractors
1 January 2026New regulations take effect; risk assessments required before new high-risk processing, including systematic workplace monitoring
1 January 2027ADMT duties apply to significant employment decisions
31 December 2027Risk assessments due for processing already underway before 2026
1 April 2028First risk assessment certifications due to the California Privacy Protection Agency

The California Privacy Protection Agency also opened preliminary rulemaking on employment-context data in April 2026, so more tailored employee-data rules may follow.

What other California rules affect workplace monitoring?

Two older laws still bite. Penal Code section 632 makes California an all-party consent state: recording a confidential conversation without every participant's consent is a crime, which is why audio monitoring of workers is rare and risky. Labor Code section 435 bans audio or video recording in restrooms, locker rooms and changing rooms outright.

There is also a live legislative thread. The legislature passed the No Robo Bosses Act (SB 7) in 2025, which would have required human oversight of AI-driven discipline and dismissal, but the Governor vetoed it. A revised version, SB 947, was introduced in 2026 and is pending, so the direction of travel is towards more constraint on automated management, not less.

What are the penalties for getting it wrong?

CCPA fines run to 2,500 USD per violation and 7,500 USD per intentional violation, and each affected employee can count as a separate violation. A missing notice at collection across a monitored workforce of two hundred people is therefore not one violation but potentially two hundred, which is how a modest paperwork failure scales into serious exposure. Enforcement sits with the California Privacy Protection Agency and the Attorney General.

How does ScreenJournal reduce exposure under California's rules?

ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.

California's rules reward tools that collect less and explain more, and that is the shape of the product. The notice at collection is easy to write because the design is simple: the screen is recorded as short-lived video, the work is read from it, and the video is deleted immediately during processing, leaving a plain-English work timeline of each person's workday. It is scoped to work apps and work-related activity; personal activity is skipped in real time. There is no screenshot or video archive to inventory in a risk assessment, produce in an access request or lose in a breach. Access and correction requests are also easier to honour when employees already see the same activity view managers do, can redact entries before a manager sees them, and can contest any score directly from the timeline. A redacted entry is erased entirely and never appears in anyone's search; redaction is unavailable only for roles a company flags as a data-leak risk.

One honest caveat: ADMT duties attach to how an employer decides, not which tool it buys. If any tool's scores fed an automated decision on pay, promotion or dismissal without meaningful human involvement, the employer would need to meet the ADMT requirements. ScreenJournal is built for human review, with contestable scores and nudges off by default, but the compliance obligation follows the decision process.

For how this approach compares with screenshot trackers and surveillance suites, see ScreenJournal vs the alternatives; for the reasoning behind derive-and-discard, read We record work, not people; and for the other US notice regime worth knowing, start with the New York electronic monitoring law.

Frequently asked questions

Yes, with conditions. An employer can monitor work devices and work activity, but CCPA-covered businesses must give notice at collection and honour employee data rights, risk assessments are required for systematic monitoring from 2026, audio recording of confidential conversations needs all-party consent, and recording in restrooms, locker rooms and changing rooms is banned outright.

Generally no; the CCPA framework runs on notice and rights rather than consent. The exception is audio: Penal Code section 632 requires every party's consent to record a confidential conversation, so voice recording without agreement is a crime rather than a paperwork problem.

Does the CCPA apply to small employers?

Only if they cross a threshold: annual gross revenue above 26,625,000 USD, data on 100,000 or more California consumers or households, or half of revenue from selling or sharing personal information. Employers below all three escape the CCPA, but the recording bans and consent rules apply to everyone.

Can employees see the data a monitoring tool holds about them?

Yes. Under the CCPA an employee can request access to the personal information collected about them, including inferences such as productivity scores, and the employer has 45 days to respond. Tools that show employees their own data by default make this right far cheaper to honour.

This page is general information, not legal advice. Speak to your own counsel before relying on it.

ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.

See the work itself, not screenshots of it

Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.