ScreenJournal

Is employee monitoring legal?

Updated on 6 July 2026

Employee monitoring is generally legal on company-owned devices when it serves a legitimate business purpose. But the rules differ sharply by region: some places require written notice or consent, some restrict what can be captured, and privacy regulators increasingly test whether the method is proportionate to the goal. This page is general information, not legal advice.

For a state-by-state breakdown of US notice rules, see employee monitoring laws by US state.

Employee monitoring is legal in most jurisdictions when three conditions hold: the monitoring serves a legitimate business purpose, it happens on company-owned devices or systems, and the method is proportionate to that purpose. Regulators rarely object to work visibility itself; they object to covert, excessive or indiscriminate collection.

In the United States, the federal baseline is the Electronic Communications Privacy Act (ECPA). It allows employers to monitor communications on company systems for legitimate business reasons, known as the business-purpose exception, or with the consent of one party to the communication, which is why acceptable-use policies are signed at onboarding. The ECPA does not license everything: personal accounts and personal communications sit outside the business-purpose exception even on a company laptop, and state law can add duties on top.

Outside the United States, monitoring is treated as the processing of personal data. Laws such as the EU and UK GDPR, India's Digital Personal Data Protection Act and the Philippine Data Privacy Act all ask the same three questions: is there a lawful basis, is the collection necessary for the stated purpose, and is the method proportionate. A tool that stores continuous screen recordings has a much harder time answering those questions than one that keeps only a derived record of the work.

Do employers have to tell employees about monitoring?

Often, yes. Connecticut, Delaware and New York require employers to give notice before electronic monitoring begins, Maine joins them in July 2026, and Delaware and New York require the employee to acknowledge it. Data protection regimes in Europe, India and the Philippines all require transparency about what is collected and why. Even where notice is not strictly required, telling people is the standard regulators expect.

Recording conversations is stricter still: several US states, including California and Illinois, require all parties to consent before a private conversation is recorded. Covert monitoring is lawful only in narrow situations, such as Connecticut's exception for investigating suspected misconduct, and unlawful recording can carry criminal penalties. Treat covert monitoring as the exception a lawyer signs off on, never the default.

What are the penalties for unlawful employee monitoring?

Penalties range from modest statutory fines to company-threatening damages. Connecticut and New York fine employers up to $3,000 per offence for monitoring without notice. Illinois biometric privacy violations carry statutory damages of $1,000 to $5,000 per violation, enforceable by private lawsuit. California privacy fines reach $7,500 per intentional violation, and India's DPDP Act allows penalties of up to ₹250 crore for serious failures.

The indirect costs are usually larger than the fines. Unlawfully gathered monitoring data can be unusable as evidence in a dismissal dispute, privacy claims attract class actions in the United States, and a covert monitoring story does more damage to hiring and retention than most penalties do to the balance sheet.

What are the monitoring rules where ScreenJournal operates?

ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon. Each of those regions permits workplace monitoring within limits, and each tests it differently.

The table below summarises the governing law in each region and what it asks of employers, as of mid-2026.

RegionGoverning lawWhat it means for monitoring
IndiaDPDP Act 2023, with rules phasing in from November 2025Employee data can be processed for employment purposes without separate consent, but monitoring must be necessary and proportionate
PhilippinesData Privacy Act 2012, National Privacy Commission guidanceMonitoring is a recognised legitimate interest; the method must be proportionate, and keystroke logging with random screenshots has been ruled excessive
CaliforniaCCPA and CPPA regulations; Penal Code § 632Notice at collection for employee data, risk assessments for high-risk processing, and all-party consent for confidential conversations
New York CityNY Civil Rights Law § 52-c; NYC Local Law 144Written, acknowledged notice of electronic monitoring on hiring, plus bias audits and notice for automated hiring and promotion tools

Yes, within limits. India's Digital Personal Data Protection Act 2023, with implementing rules notified in November 2025 and phasing in from that date, lets employers process employee personal data for employment purposes without separate consent, including safeguarding the employer from loss or liability. That permission is not unlimited: processing must still be for a lawful purpose, necessary and proportionate, so intrusive methods such as constant webcam capture or keystroke logging are hard to justify. Serious failures can draw penalties of up to ₹250 crore.

Yes, under conditions. The Data Privacy Act of 2012 requires transparency, legitimate purpose and proportionality, and the National Privacy Commission accepts that employers generally have a legitimate interest in monitoring. The method matters: in Advisory Opinion 2018-084 the Commission found a proposal to log keystrokes and take random screen captures excessive and disproportionate, while Advisory Opinion 2024-005 accepted AI analysis of work communications for performance scoring as a legitimate interest. The regulator's line, in short, favours deriving insight over hoarding surveillance data.

Yes, with the most active rulebook in the United States. The California Consumer Privacy Act has applied fully to employee data since January 2023, so employees must receive a notice at collection describing what monitoring collects and why, and they hold access, deletion and correction rights over it. CPPA regulations effective from January 2026 add risk assessments for high-risk processing, and automated decision-making rules with duties phasing in through 2027 where technology substantially replaces human judgment in decisions such as hiring, promotion or termination. Separately, Penal Code § 632 requires all-party consent to record confidential conversations.

Yes, with two layers of law. New York's Civil Rights Law § 52-c, in force since May 2022, requires private employers to give written notice of telephone, email and internet monitoring to each new hire, obtain written or electronic acknowledgment, and post the notice conspicuously; the Attorney General can fine violations at $500 for a first offence, $1,000 for a second and $3,000 for each after that. On top of that, NYC Local Law 144 requires an independent bias audit and candidate notice before automated tools are used to make hiring or promotion decisions.

Most legal risk in monitoring comes from the data: how much is collected, how personal it is, and how long it is kept. A design that collects less, strips identifiers and keeps no footage leaves less to breach, less to litigate over and less for a regulator to call disproportionate.

ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.

That design maps directly onto the tests above. Derive-and-discard means the transient video capture is deleted immediately during processing, so there is no screenshot or video archive to secure, disclose or defend; what remains is the work timeline, a derived record of the work itself. Capture is scoped to work apps and work-related activity, with personal activity skipped in real time, which is what proportionality asks for. PII is removed during processing. And the transparency that notice laws require is built into the product: employees see the same activity view managers do, and can redact personal entries before a manager sees anything. A redacted entry is erased entirely and never appears in anyone's search; redaction is unavailable only for roles a company flags as a data-leak risk.

Proof: the member timeline has a Redact control and an auto-hidden "Personal" entry type, and employees share the manager's view of their own data.

ScreenJournal member timeline with a Redact control and an auto-hidden Personal entry, viewed by the employee themselves.

No tool makes monitoring lawful by itself: notice, acknowledgment and lawful-basis obligations sit with the employer, and this page is general information, not legal advice. How this design compares with recording-based tools is covered in ScreenJournal vs surveillance suites, and the thinking behind it in our privacy blog.

Frequently asked questions

In several places, no. Connecticut, Delaware, New York and, from July 2026, Maine require notice before electronic monitoring, and data protection laws in Europe, India and the Philippines require transparency about what is collected. Even where covert monitoring is technically lawful, it is legally fragile and corrosive to trust, so disclosure is the safer default.

It depends on the regime. Most US notice states require acknowledgment rather than consent, though Illinois requires written consent for biometric data and all-party consent to record private conversations. In the Philippines, consent or a legitimate interest is needed; in India, employment purposes are a recognised ground without separate consent.

Generally yes, but under the strictest conditions. GDPR treats monitoring data as personal data, so employers need a lawful basis, a data protection impact assessment for systematic monitoring, and proportionate methods. Employee consent rarely counts because of the power imbalance, so necessity and proportionality carry the weight.

No tool makes monitoring legal by itself. Notice, acknowledgment and lawful-basis obligations sit with the employer. What ScreenJournal changes is the risk surface: it reads the work, keeps derived timelines rather than footage, skips personal activity in real time and lets employees redact entries, which aligns with the necessity and proportionality tests regulators apply.

This page is general information, not legal advice. Laws change; the statutes above were verified in June 2026. Take advice from counsel in your jurisdiction before relying on any of it.

See the work itself, not screenshots of it

Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.