Checklist · AI & emerging risk
Employee Monitoring and AI Surveillance
AI has made it cheap to watch everything an employee does and to score what it sees. The legal exposure rarely comes from the watching itself. It comes from the notice nobody gave, the biometric data nobody cleared, and the manager who treats a productivity score as proof. This checklist works through the decisions to make before the tooling is switched on.
Start with purpose, not capability
The vendor demo shows what the tool can capture — keystrokes, screenshots, message sentiment, faces, voice, location, an attrition score for every employee. The legal question is what is actually needed, and why. Most of the exposure on this page is bought when a company collects broadly because it can, then struggles to explain the purpose later. AI changes the workflow here; it does not change the duties. Notice, non-discrimination, and the limits of state privacy and labor law apply to an algorithm exactly as they apply to a human watching over a shoulder, and “the system flagged it” is not a defense to any of them.
Notice and consent — the failure that does the most damage
The single most common and most avoidable exposure is undisclosed monitoring. Many state laws restrict the interception or recording of communications, and several require the consent of all parties rather than just one; thresholds, definitions, and which channels count vary sharply by state and are worth confirming for every jurisdiction where employees sit. Separately, a handful of states impose their own affirmative written-notice requirements for electronic monitoring. These obligations apply on their own terms, independent of any recording or consent question, and their form and timing vary by state; confirm whether any apply where employees sit. Covert monitoring also reads badly to regulators, juries, and the workforce itself. Disclosure is cheap. Litigating its absence is not.
Biometric capture is its own regime — clear it first
The moment a tool processes a faceprint, voiceprint, or similar identifier — facial-recognition video analytics, voice authentication, some “engagement” sensing — it may fall within a biometric privacy law. Illinois’s BIPA is the most developed example, and several other states have their own regimes with differing definitions and requirements; statutory damages and private rights of action under some of these laws can be significant, and the contours are actively litigated. Treat biometric features as off by default until compliance is confirmed.
Labor law: monitoring can chill protected activity
Surveillance of the workforce intersects with the National Labor Relations Act, which protects most employees, union and non-union alike, in their concerted activity over working conditions. New, expanded, or covert monitoring that could reasonably tend to discourage employees from discussing pay, organizing, or raising workplace concerns has drawn scrutiny, and the Board’s posture on AI-driven surveillance has been evolving and shifting. Targeting monitoring at union or organizing activity is high-risk. Confirm the current state of the law before rolling out new surveillance.
Health inferences, disability, and uneven analytics
Tools that infer stress, fatigue, mood, attention, or wellness are inferring something close to health. Acting on those inferences can implicate the ADA and related state law, and screening that was not asked for can surface disability information that then has to be handled carefully. Separately, analytics applied unevenly — harsher scrutiny of one group, scoring models that perform worse for some populations — can produce discrimination exposure even where no one intended it. The relevant law here is the familiar law; the tool just creates new ways to run afoul of it.
The hardest decision: using monitoring data on people
This is where a defensible monitoring program becomes an indefensible termination. AI scores are probabilistic, not factual. They generate false positives, they reflect their training data, and they are frequently wrong about any single person. A score is a prompt to look, never the finding itself. The duty to make a fair, evidence-based employment decision stays with the company — a human, not a dashboard, has to own the call.
The exposure is rarely the monitoring itself. It is the notice nobody gave, the biometric feature nobody cleared, and the manager who treated a productivity score as proof of misconduct. Disclose what is collected, keep biometrics off until compliance is confirmed, and make a human — not the dashboard — own every decision about a person. This is general information, not legal advice; AI monitoring law is moving quickly and varies by jurisdiction, so confirm the current rules where employees sit before deploying.