Done properly, an employer can continuously track an employee’s location and other personal information by monitoring data on the company’s cell phones and computers used by the employee. Done improperly, the company and the company’s managers and agents can be subject to serious criminal and civil penalties. The line between what is legal and what is illegal here is thin and faint, but important. Few lines in the law are so faint yet separate so much as the line between the legal monitoring of an employee’s mobile devices and monitoring that constitutes a federal crime punishable by up to 24 months in prison.
This blog asks and comments on 12 questions that employees and employers alike must answer to understand what rights an employer has under federal law and some state laws to monitor or obtain cellphone data (mobile laptops present similar issues), and what rights an employee has to prevent the employer’s access to that information.
Because so much hangs on such fine distinctions, however, and because of significant variations among state laws, don’t try this at home without legal counsel. And don’t even think of applying any of this without legal counsel outside of the U.S. where laws may be radically different than in the U.S.
The abstractions about digital privacy are fairly clear and simple:
Most companies allow personal communications on company cell phones and computers. Even companies with policies that limit personal use of these devices often allow more personal use in practice than the restrictive policy allows.
Company ownership, as opposed to employee ownership, of a cell phone or computer increases the likelihood of company liability related to use of the cell phone, but also increases the right of the company to access and monitor data and communications on the phone or computer.
Intentional company “interception” of an employee’s cell phone and computer communications without the employee’s knowledge or consent can constitute a crime under the Stored Communications Act punishable by up to 24 months in prison. SCA § 2701. Other federal statutes also apply in some situations.
Certain employees may under some circumstances have a duty to monitor or access another employee’s cell phone or computer to comply with company policies or to protect the company’s intellectual property.
Most privacy analysis, whether under the U.S. or state constitution or federal or state common law, pivots on the issue of whether a person under the particular circumstances had a reasonable (i.e., objective, as opposed to actual or subjective) expectation of privacy. Company practices and policies have a big impact upon those expectations, and upon the reasonableness of the expectations.
Companies should assume that the law creates inertia in favor of some level of individual privacy. Efforts to overcome that inertia to allow company access and monitoring should be clear, detailed and consistently enforced.
Details and Questions
It’s the nettling details that raise all of the questions:
1. Who owns the phone?
Ownership of the device is important in determining an employee’s rights of privacy. Ownership is not by itself determinative, however. An employee may have privacy rights in data on company phones and computers, and an employer may obtain rights of access and monitoring of employee phones and computers under narrow circumstances.
2. Who owns the information stored on the device?
Likewise, agreements and policies about who owns the data can be important.
3. What do the employee manual and acceptable use policy say about employer access and monitoring?
Employee manuals and policies about the acceptable use of company computers and cell phones should be clear and detailed. Especially if rights of privacy and access are shared instead of absolute, these rights need to be defined in detail.
4. What does the employment contract say?
The more specifically and clearly the written employment agreement specifies a company’s access and ownership rights, and an employee’s right (and therefore reasonable expectation) of privacy, the more likely it is that those rights and expectations will be enforced. Many courts place greater weight upon agreements signed by both parties than on policies and manuals that may not have been read or understood by an employee. City of Ontario v. Quon.
5. Are the duties and rights of the company monitors clear?
To assure access and protection, a company should clearly specify what employees – in the compliance, legal or information technology departments, for example – have what rights and duties under what circumstances to monitor the cell phone and computer data of other employees. The authority of the company (by the board or otherwise, for example) to define and execute such rules and practices should be clear. Shefts v. Petrakis (2010).
6. What do employees know about the company’s actual monitoring practices?
Companies do not normally need to reveal the details of their monitoring practices for them to be lawful, especially where to do so would compromise the effectiveness of the monitoring. Still, the more that employees, and especially the employee involved in the matter, know that actual monitoring is being conducted, the more likely it is that an employee will be held not to have a reasonable expectation that such monitoring is not occurring.
7. Is encryption or privacy protection software permissible?
8. Are passwords allowed, and is their use clear?
Agreements about the duty and right to protect data by passwords should be clear. The company’s need for administrators or others to bypass passwords, and their right to do so, should be clearly stated in policies and agreements.
9. Does the applicable agreement or policy specifically apply to the type of data at issue, such as text, photos or location metadata?
A prohibition upon access to voicemail messages may not create a right to monitor location metadata, and the right to monitor email may not create a right to monitor text messages. City of Ontario v. Quon. An employee who can credibly argue, for example, that he did not appreciate what geolocation data was being created and stored on a smartphone may have more privacy rights in that metadata than if the policy specifies that such metadata may be created and stored by the mobile device in question, and is covered by the access policy.
10. What data from the employee’s phone or computer is stored where?
A policy should clearly define what data is covered by the policy, including data received or created by an employee that is stored on company servers and outside data service providers such as internet service providers and cloud data services. The more transparent a policy is about what data is subject to the policy, and what rights apply to the data on company or third party servers, the more likely those rights will be affirmed.
11. What policies or agreements exist regarding location privacy?
12. What procedures should be followed when a company is requested by warrant, subpoena or other legal process to reveal information from an employee’s phone or computer?
A company’s duties to respond to a civil or criminal subpoena can be tricky. U.S. v. Warshak (2010) (the express right of the government to obtain certain information granted by the Stored Communications Act without a warrant held to be unconstitutional). A policy should expressly allocate the protections and duties of the company and the employee when such requests are made.