Employee Data Privacy: Employer Obligations by State (2026)
Employers collect vast amounts of personal data about their workers: Social Security numbers, health information, biometric scans, location data, email contents, web browsing history, and increasingly, behavioral analytics from AI-powered monitoring tools. The legal framework governing what employers can and cannot do with this data varies dramatically by state, creating a compliance challenge for multi-state employers and genuine confusion for employees about their rights.
Federal Employee Privacy Laws
While no single federal statute comprehensively addresses employee data privacy, several federal laws establish baseline protections.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act of 1986 (18 USC 2510-2522) is the primary federal law governing employer monitoring of employee electronic communications. The ECPA generally prohibits intercepting electronic communications, but two exceptions make employer monitoring broadly permissible:
The consent exception. If an employee consents to monitoring, the interception is lawful. Most employers obtain consent through employee handbooks, acceptable use policies, or login banners stating that communications on company systems are subject to monitoring.
The business use exception (provider exception). An employer that provides the communications system (email servers, phone systems, company computers) can monitor communications conducted on those systems for legitimate business purposes. Courts have interpreted this exception broadly, allowing employers to monitor email, internet usage, and chat messages on company-provided devices and networks.
The ECPA does limit monitoring of purely personal communications even on company systems, though the boundaries of this limitation are fact-specific and vary by circuit.
Stored Communications Act (SCA)
The Stored Communications Act (18 USC 2701-2712), part of the ECPA, governs access to stored electronic communications. Under the SCA, employers generally can access emails stored on company servers. However, accessing an employee's personal email account (Gmail, Yahoo) without authorization violates the SCA, even if accessed from a company computer.
Americans with Disabilities Act (ADA)
The ADA restricts employer collection and use of medical information. Employers may not make disability-related inquiries or require medical examinations unless they are job-related and consistent with business necessity (42 USC 12112(d)). Medical records must be maintained in separate, confidential files with restricted access.
Genetic Information Nondiscrimination Act (GINA)
GINA (42 USC 2000ff) prohibits employers from requesting, requiring, or purchasing genetic information about employees or their family members, with narrow exceptions. Genetic information includes family medical history, genetic test results, and the fact that someone has sought genetic services. Violations can result in enforcement by the EEOC.
Fair Credit Reporting Act (FCRA)
The FCRA (15 USC 1681) regulates employer use of background checks obtained from consumer reporting agencies. Before obtaining a background check, employers must provide written disclosure and obtain the employee's or applicant's written authorization. If the employer takes adverse action based on the report, they must provide a copy of the report and a summary of rights before the action takes effect.
Workplace Monitoring by State
Email and Computer Monitoring
Federal law permits workplace computer monitoring with minimal restrictions. State laws add modest requirements:
Connecticut (Conn. Gen. Stat. 31-48d) is the most protective state. Employers must give prior written notice to employees before monitoring email or internet activity. The notice must describe the types of monitoring that may occur. Failing to provide notice before monitoring violates the statute.
Delaware (Del. Code tit. 19, 705) similarly requires employers to provide advance electronic notice of monitoring at least one time. The notice must be acknowledged by the employee.
New York enacted the New York Civil Rights Law Section 52-c*2 effective May 7, 2022, requiring employers that monitor telephone calls, email, or internet access to provide prior written notice upon hiring. The notice must be posted in a conspicuous place and acknowledged in writing by the employee.
In all other states, employer monitoring of company-provided email and devices is largely unrestricted under federal law, provided the employer has not created a reasonable expectation of privacy (typically negated through handbook policies and login banners).
Biometric Data Collection
Biometric privacy is one of the fastest-evolving areas of employee data law. Several states have enacted specific statutes governing employer collection of fingerprints, facial geometry, retinal scans, voiceprints, and other biometric identifiers.
Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, is the most significant biometric privacy law in the country because it provides a private right of action with statutory damages. Under BIPA, employers must:
- Provide written notice of the biometric data being collected and the purpose
- Obtain a written release from the employee before collection
- Publish a retention schedule and destruction guidelines
- Not sell, lease, trade, or profit from biometric data
Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation. Following the Illinois Supreme Court's 2023 ruling in Cothron v. White Castle, each individual scan or collection event constitutes a separate violation. This has generated billions of dollars in potential exposure for employers using biometric timekeeping systems. In response, a 2024 amendment capped damages at one violation per employee per method of collection.
Texas (Tex. Bus. & Com. Code 503.001) prohibits capturing biometric identifiers for commercial purposes without consent. Unlike Illinois, Texas does not provide a private right of action; enforcement lies with the Texas Attorney General, who can seek penalties of up to $25,000 per violation.
Washington (RCW 19.375) restricts commercial use of biometric identifiers and requires notice and consent. Enforcement is through the Washington Attorney General.
Additional states: Colorado, Virginia, Connecticut, and other states with comprehensive privacy laws include biometric data as "sensitive data" requiring consent for processing, though these laws generally do not provide private rights of action.
Social Media Password Laws
A growing number of states prohibit employers from requesting or requiring employees or job applicants to disclose social media login credentials. As of early 2026, at least 28 states have enacted such laws, including:
| State | Statute | Key Provisions |
|---|---|---|
| California | Lab. Code 980 | Prohibits requesting social media usernames or passwords; prohibits retaliation |
| Illinois | 820 ILCS 55 | Prohibits requesting access; covers applicants and employees |
| Maryland | Lab. & Empl. 3-712 | First state to pass such a law (2012); prohibits requiring disclosure |
| New Jersey | N.J.S.A. 34:6B-5 | Prohibits requiring access to personal social media accounts |
| Oregon | ORS 659A.330 | Prohibits requiring disclosure; includes civil penalty provisions |
These laws generally prohibit employers from: requesting login credentials, requiring employees to log in to personal accounts in the employer's presence, requiring employees to add the employer or its agents to their contacts, and retaliating against employees who refuse to comply.
GPS and Location Tracking
Employer tracking of employee location raises distinct legal issues depending on whether the tracking occurs on company-owned or personal devices and vehicles.
Company vehicles and devices. Employers generally can track company-owned vehicles and devices without specific employee consent under federal law. The reasoning parallels the ECPA business use exception: the employer owns the equipment.
Personal vehicles. Several states restrict or prohibit employer GPS tracking of employees' personal vehicles:
- California courts have held that tracking an employee's personal vehicle without consent can constitute an invasion of privacy under the California Constitution.
- New York (N.Y. Penal Law 158.10) criminalizes the use of GPS devices to track another person without consent, which courts have applied to employer-employee contexts involving personal vehicles.
- Texas (Tex. Penal Code 16.06) prohibits installing tracking devices on vehicles owned or leased by another person without consent.
Off-duty tracking. Even where GPS tracking of company vehicles is legal, tracking employees during non-work hours raises additional concerns. California, Colorado, and New York courts have recognized employee privacy interests in off-duty location data, and several proposed state bills would explicitly restrict off-hours tracking.
Drug Testing
Drug testing privacy varies significantly by state:
- Random testing: Some states (Vermont, Connecticut, Minnesota, Montana, Rhode Island) restrict random drug testing to safety-sensitive positions only.
- Marijuana protections: As marijuana legalization expands, a growing number of states (California, New York, New Jersey, Montana, Nevada, Washington) prohibit employers from taking adverse action based on off-duty marijuana use or positive THC tests, with exceptions for safety-sensitive positions and federal requirements.
- Notice requirements: Many states require advance written notice of drug testing policies and procedures.
CCPA Employee Data Rights
The CCPA originally included a moratorium on employee data rights, which expired on January 1, 2023. California employees now have the same rights as consumers under the CCPA/CPRA, including:
- Right to know what personal information the employer collects and how it is used
- Right to delete personal information (subject to exceptions for legal obligations and employment administration)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to limit the use of sensitive personal information
- Right to non-retaliation for exercising these rights
Under Cal. Civ. Code 1798.100, employers must provide a privacy notice to employees at or before the point of collection describing the categories of personal information collected and the purposes for each category. This is separate from the public-facing privacy policy and must address the employment context specifically.
The practical impact has been significant. Large California employers have had to build new intake systems for employee data requests, train HR departments on response procedures, and audit the flow of employee data to third parties (payroll processors, benefits administrators, background check vendors).
Common Law Privacy Torts
Beyond statutory protections, employees may bring common law tort claims against employers for privacy violations. The four traditional privacy torts, as defined in the Restatement (Second) of Torts, are:
Intrusion upon seclusion. An employer invades an employee's privacy by intentionally intruding into a matter in which the employee has a reasonable expectation of privacy. Courts have found intrusion claims viable for: searching personal belongings without cause, hidden camera surveillance in restrooms or changing areas, and accessing personal email accounts without authorization.
Public disclosure of private facts. An employer publishes embarrassing private facts about an employee. Examples include disclosing medical conditions, sharing salary information publicly (in states without pay transparency laws), or revealing the results of drug tests.
False light. An employer publishes information that places an employee in a false light. This is less common in the employment context but can arise from misleading characterizations in references or public statements.
Appropriation of name or likeness. An employer uses an employee's name or image for commercial purposes without consent. This has become more relevant with employer social media practices and the use of employee images in marketing materials.
These common law claims are available in most states and exist independently of statutory protections. They provide a legal basis for employees to challenge privacy violations even in states without specific employee privacy statutes.
Emerging Issues
AI-Powered Workplace Monitoring
The use of AI tools to monitor employee productivity, analyze communications, and predict behavior is growing rapidly. Keystroke logging, screen capture, sentiment analysis of messages, and even webcam-based "attention tracking" are now commercially available. Few existing laws directly address AI workplace monitoring, though:
- Colorado's AI Act (SB 205, effective February 2026) requires employers to notify employees when AI is used in consequential decisions affecting employment.
- Illinois' AI Video Interview Act (820 ILCS 42) requires employers to provide notice and obtain consent before using AI to analyze video interviews, and to destroy videos within 30 days of a request.
- The FTC has warned that surveillance-based management practices may constitute unfair practices under Section 5.
Reproductive Health Privacy
Following Dobbs v. Jackson Women's Health Organization (2022), several states enacted laws protecting employee reproductive health data. Washington, California, and Illinois have enacted or proposed legislation restricting employer access to reproductive health information and prohibiting adverse employment actions based on reproductive health decisions.
This article provides general legal information about employee data privacy across US jurisdictions. Employment law varies by state and changes frequently. Consult an attorney for advice specific to your situation.
Sources and References
- Electronic Communications Privacy Act (18 USC 2510-2522), law.cornell.edu
- Stored Communications Act (18 USC 2701-2712), law.cornell.edu
- ADA Overview, ada.gov
- ADA Employment Provisions (42 USC 12112), law.cornell.edu
- GINA (42 USC 2000ff), law.cornell.edu
- FCRA (15 USC 1681), law.cornell.edu
- Connecticut Employee Monitoring Law (Conn. Gen. Stat. 31-48d), cga.ct.gov
- Illinois BIPA (740 ILCS 14), ilga.gov
- Texas Biometric Identifier Act (Tex. Bus. & Com. Code 503.001), statutes.capitol.texas.gov
- California Labor Code 980 (Social Media Passwords), leginfo.legislature.ca.gov
- CCPA Section 1798.100, leginfo.legislature.ca.gov
- Illinois AI Video Interview Act (820 ILCS 42), ilga.gov
- Washington Biometric Identifiers (RCW 19.375), app.leg.wa.gov