Employee Privacy Rights in the Workplace: What’s Legal and What’s Not

You’re at your desk when an IT pop-up says a new “productivity tool” will track apps, mouse movement, and screenshots. HR also reminds everyone that “all communications may be monitored.” Reasonable? Creepy? In California, the answer depends on what’s being monitored, where, how it’s disclosed, and whether there’s a real business need behind it. This guide breaks down employee privacy rights in California so you can make informed decisions, set expectations with your manager, and protect yourself if something crosses the line.

What “privacy” actually means at work in California

California treats privacy as a fundamental right, not just a policy. That doesn’t mean everything you do at work is private. It means employers must balance their business interests with your reasonable expectations of privacy. Two ideas do most of the heavy lifting.

First, context matters. You have a higher expectation of privacy in a restroom or changing area than at a reception desk. You’ll also have more privacy in personal accounts on your own phone than in a company inbox on a company laptop. The more personal or sensitive the space or data, the stronger your claim that it’s private. California law recognizes that baseline by putting privacy squarely in the state’s constitution—useful framing when you’re assessing whether a monitoring practice is proportionate or overreaching (California Constitution, Article I, Section 1).

Second, notice and necessity matter. Employers who clearly tell employees what’s being monitored, why it’s necessary, and how information is stored and used are on firmer legal footing. Secret monitoring—especially in areas or systems where you reasonably expect privacy—creates risk. In California, “because technology allows it” isn’t a sufficient reason to monitor.

Monitoring and surveillance: email, browsing, cameras, audio, and keystrokes

Most employers can monitor work email and internet use on company systems, especially if the policy says so and the monitoring is tied to legitimate purposes like security, compliance, or safeguarding confidential data. That said, even a well-written policy doesn’t give an employer license to wander into truly personal spaces unrelated to work—think saving your personal medical records on a company drive. The more granular the monitoring (e.g., keystroke logging) and the less it’s tied to a concrete purpose, the bigger the privacy concerns.

Security cameras are generally lawful in non-private areas of the workplace, but cameras in places where people reasonably expect privacy (restrooms, locker rooms, changing areas) are off-limits. A camera over a cash drawer is one thing; a camera pointed toward a bathroom doorway is another. Good policies define covered areas in plain English and avoid any placement that could capture audio by default.

Speaking of audio, California is a two-party consent state for recording confidential conversations. That’s why an employer that records meetings or phone calls typically uses a spoken or written disclosure and requires acknowledgment. If the discussion is confidential—like a medical accommodation or an internal complaint—recording without everyone’s consent risks violating California law (California Penal Code § 632). When in doubt, ask whether a call is being recorded and state whether you consent.

As for productivity tools and screen monitoring, employers should explain what’s collected (e.g., websites visited, application time, screenshots), when the tool is active (work hours only or always on?), and how long data is retained. If the tool can capture personal information unintentionally—say, a banking login that pops up during lunch on a company laptop—the company should minimize and segregate that data, or better yet, configure the tool to avoid collecting it in the first place. If monitoring ramps up after you raise a concern—suddenly putting you under round-the-clock scrutiny after you reported misconduct—that’s a different problem: potential retaliation. If that sounds familiar, review your options and, if needed, speak with a retaliation lawyer in Los Angeles about your specific facts.

Personal data and records: social media, background checks, and medical info

Social media and personal accounts. In California, employers can’t demand your personal social media usernames or passwords, or require you to access a private account in front of them. They also shouldn’t ask you to change privacy settings or add a manager as a friend just to “peek” at private posts. Public posts are fair game, but coercing access to private content is restricted by state law (Labor Code § 980). If a recruiter asks for your Instagram login, you can decline. If pressure continues, document it and consider raising it with HR or counsel.

Background checks and criminal history. California limits when and how employers can use conviction history. In practice, that means many employers ask about convictions only after a conditional job offer and must use an individualized assessment rather than a blanket rule. Privacy-wise, you should expect less invasive up-front screening and reasonable guardrails around sensitive records. If a posting screens out applicants from the start or digs into irrelevant history, ask for the policy and request a review.

Medical information and accommodations. If you request a disability accommodation, your employer may ask for information relevant to the request—not your entire medical history. Keep medical information confined to HR or the accommodation team, not broadcast on public channels. If you’re using a personal device for work, avoid storing medical documents in company apps, and ask how the company handles device monitoring or backups that might capture health details. If sensitive records are being mishandled—or the process feels more like surveillance than accommodation—get a sanity check from an employment lawyer in Los Angeles.

BYOD, off-duty life, and practical boundaries that keep you safer

Bring-Your-Own-Device (BYOD). If you use a personal phone for work email or chat, ask whether the company uses a mobile device manager (MDM) and what it can see or wipe. Many tools can restrict corporate apps without touching personal photos, texts, or notes—but the configuration matters. Ask whether monitoring is limited to work apps during work hours, how screenshots are handled, and whether location data is collected. If the MDM blurs lines between work and personal data, consider using a separate work device.

Off-duty conduct. California protects certain lawful off-duty conduct, but that doesn’t mean every off-duty action is insulated from workplace consequences. If a public post clearly harms the business (e.g., disclosure of trade secrets or unlawful threats), discipline may follow. The privacy sweet spot: keep private accounts private, think carefully about what you make public, and avoid mixing company information with personal channels. If discipline appears tied to a protected activity (like reporting discrimination or wage theft) rather than a genuine policy violation, talk through options with a workplace discrimination lawyer in Los Angeles.

Internal complaints and documentation. If you’re reporting harassment or wage theft, keep communications private and professional. Use company channels when required, but keep your own notes on a personal device or notebook that you don’t sync with company systems. If you’re worried your complaint is being recorded without consent—or a meeting is being taped quietly—remember California’s two-party consent rule and ask for clarity before proceeding (California Penal Code § 632). If the monitoring feels disproportionate to the stated purpose, point back to necessity and scope, and propose a narrower approach.

What to do if you think a line’s been crossed

Start with the paper trail: review the handbook or acceptable-use policy and note any gaps between what the policy promises and what’s actually happening. Ask a simple, direct set of questions in writing: What is being collected, for what purpose, who can access it, and how long is it kept? Clear business reasons and limited access usually indicate a legitimate program.

If something looks off, raise it with HR and propose a fix. For example, suggest disabling screenshots for banking websites or limiting monitoring to specific apps and work hours. If you’re dealing with sensitive matters—complaints, health information, or protected off-duty activities—get advice early. A short consult can help you decide whether to keep pushing internally, escalate to an agency, or preserve evidence for later. And as a practical habit, separate work and personal life as much as you can: use company systems for company work, avoid saving personal files on shared drives, and keep private accounts and devices out of the company’s management tools. That single boundary solves a surprising number of privacy headaches.

Conclusion

In California, employee privacy isn’t absolute, but it’s real. Employers can monitor for legitimate business needs—especially with clear notice and sensible limits. You can ask what’s collected, why it’s collected, and how it’s protected, and you’re entitled to push back when monitoring strays into genuinely private territory.