January 6, 2022

Employee Privacy Laws: The Employer’s Guide to Keeping It Ethical and Compliant

a person working at a desk with a security camera in their face

Employees have rights. And those rights include a string of protections under the law. 

From the Fair Labor Standards Act which gives employees the right to get paid for their work, to minimum wage laws that keep pay at certain thresholds, to offices like OSHA that make it so employees can expect a safe working environment, these regulations aim to serve your people’s best interests.

Today’s workers also have privacy protections, most of which fall under the Privacy Act of 1974. When it comes to employee privacy laws, it’s on employers to ensure your workplace policies and procedures don’t conflict with your workers’ rights to privacy.

In the age of remote work and uploading any and everything to the infamous ‘cloud’, the cost of data breaches are higher than ever, reaching a whopping $4.24 million in 2021. The penalties for not protecting your employee’s privacy can be devastating to your business.

Let’s review the key employee privacy laws to help you keep your HR processes ethical and compliant as you grow.

NOTE: While we always aim to provide you with the most valuable and reliable information on all things HR, we are not legal professionals. Nothing you read here should be considered legal advice. Always seek professional legal advice to keep your company compliant.

The employee privacy issues every employer needs to know 

Like most growing companies, you probably have safeguards in place to protect your company, but is your employees’ privacy equally protected?

Employee privacy laws limit how far employers can go when it comes to:

  • Looking into employees’ personal lives, especially while they’re on the job.
  • Monitoring their speech, actions, email and other correspondence.
  • Searching their person or possessions.
  • Exposing their names, contact information, birth dates, social security numbers or other personal information in ways that could jeopardize their safety and wellbeing.

To avoid employee privacy violations, you’ve got to know what to look out for. 🚩

Here is an overview of some of the main ways employees’ privacy may be breached.

Physical Searches

For obvious reasons, these can be the most intrusive kind of actions against an employee.

Your company may be justified in conducting a physical search if, for example, a worker is caught on videotape putting a company-owned laptop in a briefcase to take home without authorization.

But in the case of a public employee, the US Constitution’s Fourth Amendment prohibition on unreasonable search and seizure may limit your ability to do a physical search.

Video Surveillance

If your company is private, you have the right to monitor employees by camera, especially for their safety and security, as well as your company’s. 

But surveillance cameras should only be used for legitimate business reasons, such as deterring violence or theft. 

Avoid using audio in video recordings as this may violate federal wiretap law covering oral communication. Also, avoid using video surveillance in restrooms, break rooms or other spaces where employees expect a reasonable degree of privacy. 

Background and Credit Checks

The Fair Credit Reporting Act (FCRA) requires you to get job applicants’ permission to run a third-party investigation into their background and creditworthiness.

If you hire for roles that require a background check, make sure you’re crystal clear about that in your job description and ad.

Internet and Email

The Electronic Communications Privacy Act of 1986 (ECPA) prohibits anyone from unlawfully and intentionally intercepting oral, wire or electronic communication. 

And the Stored Communications Act (SCA) prohibits access to this kind of information while storing it. However, private employers do have a right to monitor workers’ emails and internet use.

Social Media

Employers are using social media sites more than ever to source talent and review potential hires’ credentials

But using social media can trigger problems with the law, such as:

  • Discrimination. Candidates’ profiles can reveal more about them (e.g., race, gender, religion, age, marital status, sexual orientation) than you’re legally allowed to ask directly in, say, a job interview. 
  • Background checks. The FCRA and similar state laws may or may not require an applicant’s permission for an employer or third party to do an internet search using social media as part of a background check. In any case, you will likely want to get your applicants’ approval to avoid a potential privacy violation. 
  • Monitoring employees’ social media use. There’s little case law addressing employers’ monitoring of workers on social media. But the courts could uphold invasion of privacy claims based on either federal or common state laws when workers voluntarily put information on public sites. 
  • Right to organize. The National Labor Relations Act (NLRB) prohibits videotaping employees while participating in union activity.

Genetic Information

The Genetic Information Nondiscrimination Act (GINA) prohibits employers from discriminating against workers based on their genetic backgrounds. 

The law applies to your company if you’re a public or private employer with 15 or more employees.

Medical Information 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards to protect people’s personal health information, including their medical records.

Alcohol and Drug Testing

As an employer, you have the right to test your employees for drug and alcohol use, but you are not permitted to release records of these tests. 

Some states won’t allow you to force current employees to be drug screened, unless: 

  • Employees’ jobs have high safety or health risks for themselves or others.
  • Injured workers’ job-related accidents involve suspected drug use. 
  • Employees may be using drugs on the job, as shown by visual signs such as bloodshot eyes or slurred speech. 

Since law enforcement doesn’t regulate drug and alcohol testing, you should have policies stating why, how, and when your company will conduct these tests.

Offsite legal and recreational activities

States may protect workers from being disciplined, demoted, fired or subjected to other forms of employer punishment because of activity that occurred off company grounds. 

Social Security Numbers (SSNs) 

Identity theft has spiraled in recent decades, especially with widespread online activity. 

Many states have passed laws to curb the growth of identity and credit theft. Make sure you know your state’s requirements in this area.

Job References

The law doesn’t prevent disclosing information on a private company’s employee to a prospective employer. 

Still, it’s best not to give out an employee’s name, contact information, social security number, pay grade or other personal data to someone who contacts you for this information. 

GPS Tracking

Employers may rightfully use GPS tracking to monitor employees while they use company-owned vehicles, except in California, Minnesota, Tennessee and Texas. 

However, there are no laws prohibiting companies from installing GPS systems in their vehicles.

Postal Mail

You can open mail that’s delivered to your company but addressed to an employee. 

Mail obstruction is illegal, but once mail arrives at its destination, the USPS considers the mail delivered.

The 4 common-law privacy rights that can help employers keep it ethical

Clearly, there are a lot of ways things could (intentionally or unintentionally) go wrong when it comes to employee privacy and protection.

To stay on the right track with employee personal information protection laws, these four core areas can help employers understand how and when to take extra care to avoid violating employees’ privacy.

  1. Intrusion into a person’s private lifestyle. This may feel as invasive to an employee as a physical search, and can trigger a privacy violation claim. Asking employees about personal matters, such as sexual habits or orientation could also lead to a violation. 
  2. Publicly disclosing private facts. Publicly exposing private or embarrassing facts about an employee without permission could ignite a lawsuit.
  3. Negatively portraying someone. Attributing negative or untrue characteristics to someone could lead to an invasion-of-privacy claim.
  4. Using someone’s name or likeness without permission. When employers use a worker's photo or likeness, or attribute statements to them without their permission, this could be grounds for a misappropriation claim.

Employers still have the edge in workplace privacy

Today there are a lot of employee protections in place for employers to keep an eye on, but they aren’t as one-sided as they may seem. 

In fact, most actions employers take to safeguard the workplace, like surveillance and monitoring, are legal.

As an employer, you have the right to conduct surveillance to curb theft of supplies and equipment and monitor the hours employees spend on non-work-related activities, like online shopping or social media. You also have the right to monitor the possible misuse of company property.

Employees have only a reasonable expectation of privacy at work. This means that employers with clearly stated policies can change their definition of “reasonable expectation” when it comes to privacy and adjust their policies accordingly.

Also, privacy protection may be a bigger problem for private employees than public ones. For instance, states may have constitutional provisions giving all their inhabitants privacy protections, but without these state-issued laws, private employees have fewer privacy rights than public employees.

For these reasons, privacy complaints against employers are often resolved by court orders or common laws.

Case In Point: What the courts have said so far about employee privacy

Having the edge in employee privacy doesn’t mean workers won’t sue employers if they think their privacy has been violated. So, don’t get it twisted.

Employees can and do take legal action against employers. And the courts have even backed up their claims, as in the following case. 

In Dittman v. UPMC, the Pennsylvania Supreme Court ruled that employers have a legal responsibility within reason to protect employees’ sensitive personal information when the employer chooses to store this information on a computer system with internet access.

The plaintiffs in Dittman filed a class-action suit against the University of Pittsburgh Medical Center and UPMC McKeesport, claiming that hackers accessed the center’s computer systems and stole their personal and financial information, including names, addresses, birthdates, social security numbers, bank account information, and tax forms. 

The employees in the case also claimed that the hackers used the stolen data, which the center required as a condition of employment, to file unlawful tax returns causing a loss of $1.7 in revenue for the IRS. The court agreed that this fraudulent action caused the plaintiffs damages.

Stay on the right side of employee privacy laws

Today, laws like Title VII of the 1964 Civil Rights Act, the Americans with Disabilities Act (ADA), and the Age Discrimination in Employment Act (ADEA) remain in force to protect employees.

And these laws are here for a reason.

Remember that, as the employer, the cards are still stacked in your favor when it comes to many of the employee privacy and personal information protection laws that are designed to make workplaces a better place for everyone.

So be intentional in the way you treat your employees and don’t be afraid to consult with a legal professional if you’re unsure about any potential violations in your company’s current practices or policies.

With mutual trust and respect, you’ll be able to provide a safe and protected workplace for everyone in it.