AI Employee Monitoring Laws: What Employers Need to Know
Remote work accelerated the adoption of AI-powered employee monitoring tools. Laws restricting that monitoring are now multiplying. New York and Delaware require advance notice. The EU classifies workplace AI monitoring as high-risk under the AI Act. France and Germany require works council approval. Here is the complete picture.
What counts as AI employee monitoring
Monitoring laws cover more than obvious surveillance. Under most of the laws below, any tool that records or analyzes employee email, internet use, telephone calls, computer activity, keystrokes, or behavior counts as "employee monitoring".
Laws by jurisdiction
New York State
Status: in force. Law: New York Labor Law § 740 + Civil Rights Law § 52-C
Key requirements:
- Employers must provide written notice of electronic monitoring at the time of hiring.
- Notice must describe the type of monitoring: email, internet access, telephone calls.
- A signed acknowledgment must be obtained from each new employee.
- A written notice must be posted in the workplace.
- Applies to employers of all sizes, including those with fewer than 10 employees.
For AI monitoring specifically: The law covers "electronic monitoring" broadly — AI-powered monitoring of email, browser activity, or remote desktop captures falls within scope. AI systems that analyze work patterns, track keystrokes, or monitor employee communications require the same disclosure as basic email monitoring.
Penalties: First violation: warning. Second violation: up to $500. Third and subsequent: up to $1,000 per violation.
Delaware
Status: in force. Law: Delaware Code Title 19, Chapter 7
Key requirements:
- Employers may not monitor telephone conversations, internet usage, or computer activity without prior written notice.
- Notice must specify the type of monitoring that may occur.
- Applies to all employees in Delaware.
For AI monitoring specifically: Delaware's law is broader than New York's — it prohibits monitoring without prior notice rather than merely requiring notice at hire. AI productivity analysis tools that analyze employees' computer activity in real time require prior written notice before monitoring begins.
Penalties: Civil penalty up to $100 per day per violation.
Connecticut
Status: in force. Law: Connecticut General Statutes § 31-48d
Key requirements:
- Employers that engage in "electronic monitoring" must give prior written notice.
- Notice must be given before monitoring begins.
- Must describe the types of monitoring used.
For AI monitoring specifically: Connecticut's law predates AI but applies broadly. Any AI system that processes employee communications, activity logs, or behavioral data is "electronic monitoring" within the statute.
Penalties: Up to $500 for first offense; up to $1,000 for subsequent offenses.
European Union (GDPR)
Status: in force. Law: GDPR + EU AI Act
Key requirements:
- Employees are data subjects with full GDPR rights — access, correction, deletion, portability, objection.
- Employee monitoring requires a lawful basis — typically legitimate interests (Article 6(1)(f)) — and the monitoring must be proportionate.
- Covert monitoring is only permissible in exceptional circumstances with strong justification.
- Monitoring must be disclosed in an employee privacy notice.
- DPIA required if monitoring is systematic, extensive, or uses biometric data.
- Works councils or employee representatives must be consulted in many EU member states.
For AI monitoring specifically: EU AI Act Annex III explicitly classifies AI systems used for "monitoring and evaluating performance and behaviour of persons in work-related contexts" as high-risk. This means technical documentation, risk management, human oversight mechanisms, a conformity assessment, and EU database registration are required before deployment.
Penalties: GDPR: up to €20M or 4% of global turnover. EU AI Act (high-risk): up to €15M or 3% of global turnover.
France
Status: in force. Law: Labour Code + CNIL guidance
Key requirements:
- Employee monitoring must be disclosed before implementation.
- Works councils (Comité Social et Économique) must be informed and consulted before deploying employee monitoring systems.
- Monitoring must be proportionate to the legitimate business purpose.
- Covert monitoring is strictly prohibited except for targeted criminal investigations.
For AI monitoring specifically: CNIL (France's DPA) has specifically addressed AI-powered workforce analytics. Keystroke monitoring, screenshot capture, and behavior analysis tools require works council consultation and a GDPR DPIA. CNIL has issued guidance that excessive monitoring — continuous video, second-by-second activity tracking — is disproportionate and therefore unlawful.
Penalties: CNIL can impose GDPR-level fines. Covert monitoring also carries criminal penalties under the French Labour Code.
Germany
Status: in force. Law: Works Constitution Act (Betriebsverfassungsgesetz) + BDSG + GDPR
Key requirements:
- Works councils have extensive co-determination rights over employee monitoring systems.
- Monitoring technologies require works council agreement (Betriebsvereinbarung) before deployment.
- Federal Data Protection Act (BDSG) Section 26 governs employee data — strict proportionality required.
- Behavioral monitoring is extremely restricted — performance management AI requires strong justification.
For AI monitoring specifically: Germany has the strongest employee protection regime in Europe. AI productivity monitoring tools that would be routine in the US typically require a formal works council agreement in Germany. Without this agreement, the works council can seek an injunction preventing use of the system.
Penalties: Works constitution violations: up to €10,000. GDPR violations: up to €20M or 4% global turnover. Criminal penalties for unauthorized monitoring.
Monitoring practices with significant legal risk
Continuous camera monitoring of remote workers' home offices
Risk: Unlawful in the EU (GDPR/CNIL); likely unlawful everywhere without strong justification.
Continuous video of an employee's home is a serious privacy intrusion. CNIL has specifically stated this is disproportionate. Even where not explicitly prohibited, it is unlikely to survive a proportionality challenge.
Keystroke logging that captures content of typed text
Risk: Restricted in the EU; requires disclosure in the US.
Capturing content (what employees type) rather than just metadata (how much they type) creates significant privacy risks, particularly if it captures passwords, personal communications, or health information. Content capture requires stronger justification than activity monitoring.
Facial recognition for attendance and productivity tracking
Risk: Prohibited for most purposes in the EU (biometric data, high-risk AI). Restricted in the US by BIPA (Illinois), CWISA (Washington), and NY SHIELD.
Facial recognition is biometric data under GDPR — requires explicit consent or specific legal basis. Illinois BIPA requires written consent before collecting biometric identifiers including facial geometry. EU AI Act classifies real-time biometric identification in workplaces as high-risk.
Productivity scoring systems that make employment decisions without human review
Risk: Requires human oversight under the EU AI Act (high-risk); without it, falls under GDPR Article 22 restrictions on solely automated decisions.
If an AI system produces a productivity score that triggers disciplinary action or termination without human review, this is "solely automated" decision-making under GDPR Article 22. EU AI Act also classifies this as high-risk. Both require meaningful human review before consequential decisions.
Compliance steps for employers
1. Audit your current monitoring tools
List every tool in use that monitors employee activity — including tools embedded in HR software, collaboration platforms, and productivity suites. Many organisations are surprised to discover they are monitoring employees through features of tools they consider routine (Microsoft Viva Insights, Google Workspace activity reports, Zoom attention tracking).
2. Determine jurisdiction for each employee
Monitoring obligations depend on where employees work — not where the company is incorporated. If you have employees in New York, you need NY notice. If you have employees in France, you need works council consultation. If you have employees in Germany, you need a works council agreement. For remote employees, their home state/country determines the applicable law.
3. Issue required notices before (not after) monitoring begins
New York, Delaware, and Connecticut require notice before monitoring starts. This means you cannot monitor new employees on day one without providing written notice first. For existing employees being subjected to new monitoring: issue notice before the new monitoring begins.
4. Complete DPIA for EU employee monitoring
Under GDPR, systematic monitoring of employees — particularly using AI — almost certainly requires a Data Protection Impact Assessment. The DPIA must identify the monitoring's purpose, assess proportionality, identify risks to employee rights, and document mitigation measures. Complete this before deploying any new monitoring tool for EU employees.
5. Check EU AI Act high-risk classification
Any AI system that evaluates employee performance, identifies behavior patterns, or makes recommendations about employees is high-risk under EU AI Act Annex III. For EU employees, you need technical documentation, human oversight mechanisms, and conformity assessment for these systems before August 2, 2026.
6. Consult works councils in EU member states
In France, Germany, Netherlands, Spain, and most other EU countries, works councils must be informed and consulted before deploying new monitoring technologies. In Germany, works council agreement is required. This process takes time — start before your planned deployment date.
Know which monitoring laws apply to your workforce
ComplianceIQ maps your employee locations to applicable monitoring laws and tells you exactly what disclosures, DPIAs, and works council steps you need.