The short answer
Yes — employee monitoring is legal in every major jurisdiction covered below, as long as the employer has a legitimate purpose, gives the employee prior notice, limits the data collected to what the purpose requires, and keeps it secure. The argument is almost never "can we monitor at all?" but "are we monitoring proportionately, transparently, and for a reason we can defend?"
The details differ sharply. The United States leans on a patchwork of federal and state rules and generally allows monitoring on company devices with notice. The European Union, United Kingdom, and Canada place the burden on the employer to show the monitoring is proportionate and lawful before it begins. Australia regulates specific techniques such as camera, computer, and location surveillance at the state level, with New South Wales setting the tightest bar.
The fastest way to fail a compliance review in 2026 is to pick a monitoring tool and configure it the same way across every country. The fastest way to pass is to start from the policy, match the tool's configuration to the policy, and write both down.
United States — a federal baseline, then states
Federal law in the United States treats employer monitoring of company-owned equipment relatively permissively. The Electronic Communications Privacy Act (ECPA) of 1986, 18 U.S.C. §§ 2510-2523, permits employers to monitor electronic communications under either the "business use" or "consent" exception. The Stored Communications Act adds rules for stored messages. Federal protections for employee privacy in the workplace are thin relative to Europe.
States have filled the gap with notice and consent rules. The pattern to watch:
| State | What the law requires | Statute |
|---|---|---|
| Connecticut | Prior written notice to employees of electronic monitoring; post a notice in a conspicuous place. | Conn. Gen. Stat. § 31-48d |
| Delaware | Daily electronic notice at login OR one-time written acknowledgment before monitoring telephone, email, or internet activity. | 19 Del. C. § 705 |
| New York | Written notice upon hire and posted notice; applies to email, telephone, and internet usage monitoring. | N.Y. Civ. Rights § 52-c |
| Illinois | Biometric Information Privacy Act (BIPA) regulates collection of biometrics; AI Video Interview Act regulates AI analysis of candidates. | 740 ILCS 14; 820 ILCS 42 |
| California | California Consumer Privacy Act (as amended by CPRA) extends certain data rights to employees; invasion-of-privacy tort law is active. | Cal. Civ. Code § 1798.100 et seq. |
Federal agencies have also started to weigh in. In an October 2022 memo, the National Labor Relations Board's General Counsel signaled that "intrusive" electronic surveillance can chill protected concerted activity under Section 7 of the NLRA. The memo is guidance, not a statute, but it previews how enforcement priorities are shifting.
European Union — GDPR, Article 88, and EDPB guidance
In the EU, employee monitoring is governed by the General Data Protection Regulation (GDPR), supplemented by each member state's labor and data protection laws. Article 88 specifically invites member states to provide more specific rules for processing in the employment context, and many — notably Germany, France, and Italy — have done so.
The core GDPR requirements that apply to any monitoring program:
- Lawful basis (Article 6). Employers usually rely on legitimate interests (Article 6(1)(f)) or contractual necessity (6(1)(b)). Consent (6(1)(a)) is generally considered weak in employment because of the power imbalance — Recital 43 and EDPB guidance flag this explicitly.
- Purpose limitation and data minimization (Article 5). Collect only what is necessary for the stated purpose.
- Transparency (Articles 12-14). Employees must receive a clear notice describing what is collected, why, how long it is kept, and who sees it — before monitoring starts.
- Data Protection Impact Assessment (Article 35). Required for systematic monitoring of employees. Many data protection authorities, including the French CNIL and Italian Garante, have fined employers for skipping this step.
- Works council consultation. In Germany, Austria, and the Netherlands, any new monitoring system typically requires agreement with the works council (Betriebsrat / Ondernemingsraad) under national co-determination law.
The European Data Protection Board's guidelines and the earlier Article 29 Working Party Opinion 2/2017 on data processing at work remain the reference documents regulators cite.
United Kingdom — UK GDPR and the ICO's 2023 monitoring guidance
Post-Brexit, the UK retains the UK GDPR and the Data Protection Act 2018. Substantively the regime is close to the EU's. What's different is the specificity of the regulator: the Information Commissioner's Office (ICO) published updated guidance on monitoring workers in October 2023 that any UK employer should read before buying a tool.
Key ICO expectations:
- A completed Data Protection Impact Assessment (DPIA) is effectively mandatory for any systematic monitoring.
- Covert monitoring is only justified in the narrowest circumstances, such as a specific investigation into suspected criminal activity.
- Continuous keystroke or mouse tracking is unlikely to be proportionate for general performance management.
- Workers must be told about monitoring in plain language, not buried in a handbook.
Canada — PIPEDA plus provincial law
Canadian law is split between the federal and provincial levels. The Personal Information Protection and Electronic Documents Act (PIPEDA) governs federally regulated employers and applies broadly to commercial activity. Alberta, British Columbia, and Quebec have their own private-sector privacy statutes that apply to provincially regulated employers in those provinces.
Two 2022 developments matter for every Canadian employer monitoring workers in 2026:
- Ontario's Employment Standards Act, Bill 88 amendments (2022). Employers with 25 or more employees must have a written electronic monitoring policy and provide a copy to each employee.
- Quebec's Law 25 (Bill 64). Toughened consent, notification, and automated decision-making rules. Any workplace system that makes decisions "based exclusively on an automated processing" must disclose that to the worker.
The Office of the Privacy Commissioner of Canada has consistently held that employees have a reasonable expectation of privacy at work and that monitoring must be proportionate to a demonstrable need.
Australia — the Workplace Surveillance Act and federal Privacy Act
Australia regulates monitoring primarily at the state level. New South Wales sets the strictest bar with the Workplace Surveillance Act 2005 (NSW), which distinguishes three types of surveillance — computer, camera, and tracking — and for each requires:
- Written notice to the employee at least 14 days before surveillance starts.
- A policy that specifies what, when, and how surveillance happens.
- A prohibition on covert workplace surveillance without a court-issued covert surveillance authority.
The Australian Capital Territory has a similar Workplace Privacy Act 2011. Victoria's Surveillance Devices Act addresses some overlapping ground. The federal Privacy Act 1988 applies to agencies and many private-sector employers but contains an employee records exemption that is currently under review as part of the Privacy Act reform process. Employers should assume that exemption will narrow.
What "legal" does not mean
Compliance is a floor, not a ceiling. A monitoring program that clears every statute can still wreck your team's trust and push your best people out the door. Three points worth naming:
- Legal does not mean proportionate. Many EU authorities have found continuous keystroke or screenshot capture unlawful even where notice was given, because less invasive alternatives existed.
- Legal does not mean ethical. The EU AI Act and the OECD AI Principles both push employers past a pure compliance mindset toward fairness, contestability, and human oversight — especially for AI-driven productivity tools.
- Legal does not mean effective. A 2023 Gartner study found that employees who knew they were being electronically monitored were twice as likely to fake activity as those in non-monitored environments.
If you want the tool to work, design the policy first, tell your team what it does and why, and give them meaningful privacy inside the monitoring itself. We wrote a full piece on exactly this pattern — see Productivity Monitoring Without Surveillance.
Frequently asked questions
Do I need employee consent to monitor them?
In most EU and UK jurisdictions you need a lawful basis plus transparent notice, and explicit consent is rarely the strongest basis because of the power imbalance between employer and employee. In the US, federal law generally allows monitoring of company devices with notice, but states such as Connecticut, Delaware, and New York require written notice before monitoring begins. As of 2026, most serious jurisdictions require notice; some also require consent for specific techniques such as video or audio recording.
Can I monitor remote workers in a different country?
The law of the worker's jurisdiction usually applies, not the employer's. A US company monitoring an employee in Germany must comply with GDPR, German works-council rules, and any relevant collective agreements. Multi-country teams generally need a layered policy that meets the strictest applicable standard.
Is screenshot monitoring legal?
Screenshot capture is legal in most jurisdictions if the employer gives clear prior notice, limits capture to work devices and work hours, documents a legitimate purpose, and avoids capturing sensitive personal content. Some EU data protection authorities have ruled against continuous screenshot capture as disproportionate; configurable, sampled, or event-triggered capture is the safer pattern.
What's the difference between monitoring and surveillance legally?
Regulators and courts draw the line at proportionality. Monitoring is targeted, disclosed, and limited to a legitimate purpose such as time tracking, security, or productivity. Surveillance tends to be continuous, covert, and gathers more than is needed. Surveillance-style collection is where most legal risk lives.
Do I need to disclose AI-based monitoring specifically?
Increasingly yes. The EU AI Act classifies many workplace AI systems as high-risk and imposes transparency duties. New York City's Local Law 144, Illinois's AI Video Interview Act, and GDPR Article 22 already require disclosure of automated decisions that affect workers. Best practice in 2026 is to name AI features and the decisions they influence in the monitoring policy itself.
Configure monitoring that respects the law and your team
gStride lets you turn screenshots on or off, sample or throttle activity capture, and mask sensitive apps — all per-user and per-project. Pick the settings your policy calls for, not the other way around.
Statutes and citations in this article are accurate to the best of our knowledge as of April 2026. Law changes; this article does not. Always verify with counsel for your specific jurisdiction and workforce before acting.