Keystroke Logging, Webcam Capture, and Productivity Scoring Have Become Standard.
Mason & Perry LLP | July 6, 2026
The remote-work boom of the early 2020s did more than send desk workers home. It quietly normalized something that would have been unthinkable in most American offices a decade earlier: continuous, automated surveillance of every keystroke, mouse click, browser tab, and — in a growing share of workplaces — the worker’s own face. Tools once marketed to niche security teams are now sold to small business owners as “productivity software,” and workers often have no idea they are installed. A wave of enforcement actions and class action lawsuits argues that many of these deployments cross the line from lawful monitoring into unlawful surveillance.
What “Bossware” Actually Does
The commercial employee-monitoring market — colloquially known as “bossware” — has grown from a handful of enterprise products into a crowded field of software-as-a-service tools. The category typically includes some combination of:
- Continuous keystroke logging, including a running record of every character typed
- Screenshots captured at fixed intervals (as often as every few seconds in aggressive configurations) or triggered by specific keywords
- Webcam capture, either at intervals or continuously, sometimes with facial-attention scoring
- Microphone capture and ambient sound monitoring
- Application and URL tracking, with productivity “scores” assigned to time spent in each
- Idle-time detection based on mouse and keyboard activity
- GPS or Wi-Fi triangulation for mobile devices
- “Sentiment analysis” of chat, email, and voice recordings
Some products also integrate with time-clock systems that capture fingerprint or facial-recognition biometrics — a practice that has generated its own line of class action litigation under state biometric privacy laws.
Workers are often unaware these tools are running. Employers routinely install them silently as part of the standard laptop image, disclose them only in a general “acceptable use” policy signed at hire, or acquire them mid-employment and never update the disclosure at all. Recent surveys suggest that a substantial majority of large U.S. employers now use at least one form of automated worker monitoring.
The NLRB’s Warning: Surveillance May Chill Protected Activity
In October 2022, the General Counsel of the National Labor Relations Board issued a memorandum urging the Board and its regional offices to take an aggressive line against workplace surveillance technology. The memorandum — General Counsel Memorandum GC 23-02, titled Electronic Monitoring and Algorithmic Management of Employees Interfering with the Exercise of Section 7 Rights — argued that pervasive electronic monitoring, particularly monitoring that is not narrowly tailored to a legitimate business purpose, may violate Section 7 of the National Labor Relations Act, 29 U.S.C. § 157, by chilling employees’ rights to discuss wages, organize, and engage in other protected concerted activity.
The memorandum urged the Board to adopt a framework requiring employers to (1) disclose the specific technologies used, the data collected, and the reasons for the collection, (2) demonstrate that the monitoring is narrowly tailored to a substantial business need that outweighs the burden on Section 7 rights, and (3) refrain from using monitoring data to retaliate against employees engaged in protected concerted activity. Employers in every sector — union and nonunion alike — remain subject to the NLRA.
The State Notice Laws Most Employers Are Ignoring
Several states require employers to notify employees before monitoring their electronic communications or activities. The notice statutes vary in their teeth, but the common thread is that surveillance without notice can constitute a per se violation, independent of any harm.
Connecticut, Conn. Gen. Stat. § 31-48d, requires employers to give prior written notice of the types of electronic monitoring that may occur. Delaware, 19 Del. C. § 705, imposes a substantially similar notice obligation. New York, N.Y. Civ. Rights Law § 52-c — effective May 7, 2022 — requires employers with any New York-based employees to provide written notice at hire and to post a notice in a conspicuous place identifying the categories of monitoring the employer engages in. The New York statute is enforced by the state Attorney General, with civil penalties that can accumulate quickly across a workforce.
For employers with distributed workforces, the state notice laws create a compliance trap: a worker who moved from Ohio to New York during the pandemic may be entitled to notice their employer never provided, and a workforce management tool procured centrally in a state without a notice statute may violate the law of every state where a covered worker sits.
Employee Data Is Now Consumer Data in California
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq., extended full CCPA rights to employees, applicants, and independent contractors as of January 1, 2023. That change was quietly one of the most consequential shifts in U.S. workplace privacy law in decades. A California-based employee now generally has the right to:
- Know what categories of personal information the employer collects and the purposes for which each category is used
- Request a copy of the personal information the employer has collected about them
- Request correction of inaccurate personal information
- Request deletion of personal information (subject to statutory exceptions for legal obligations, defense of legal claims, and other narrow business needs)
- Opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising
- Limit the use and disclosure of “sensitive personal information,” which under California’s definition includes precise geolocation, biometric identifiers, and the contents of certain communications
For employers using continuous monitoring tools, these rights raise thorny practical questions. What happens when an employee requests a copy of every screenshot, keystroke log, and productivity score the company has collected? What is the retention period? Which third-party vendors receive the data, and have the employer’s contracts with those vendors included the CCPA-required protective terms? Failure to answer these questions correctly is now the basis for a growing docket of CCPA enforcement inquiries and private letter demands from plaintiff-side firms.
BIPA and the Biometric Time Clock Problem
The Illinois Biometric Information Privacy Act, 740 ILCS 14, has generated a substantial line of class actions targeting employers that use fingerprint or facial-recognition time clocks without the statute’s required written notice and written consent. The Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc., 2023 IL 128004, holding that each separate scan of biometric data can constitute a separate BIPA violation, transformed these cases from marginal claims into six- and seven-figure exposures for even mid-sized employers.
Employers outside Illinois are not immune. Texas’s Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001, and Washington’s biometric privacy statute, RCW 19.375, apply to biometric time clocks used with workers in those states, and Illinois plaintiffs have successfully asserted BIPA claims against out-of-state employers whose Illinois-resident employees used biometric devices.
Federal Law: Old Statutes, New Questions
The federal Electronic Communications Privacy Act, 18 U.S.C. §§ 2510–2523, and the Stored Communications Act, 18 U.S.C. §§ 2701–2712, provide baseline protections against the interception of electronic communications and the unauthorized access of stored electronic communications. Both statutes were enacted in 1986, and their application to modern bossware — which routinely intercepts communications while they are still in transit and stores massive volumes of employee-generated data on vendor cloud infrastructure — has been increasingly contested. Employers typically defend on the ground that the employee “consented” to monitoring by using company equipment; plaintiffs argue that consent buried in an onboarding acknowledgment does not satisfy the statutes’ notice-and-authorization requirements, particularly when the monitoring extends to communications the employee could not reasonably have known were being intercepted.
The Federal Trade Commission has separately signaled that certain deployments of worker surveillance software — particularly those that operate without employee knowledge, disproportionately affect vulnerable workers, or produce discriminatory outcomes — may be actionable as unfair or deceptive acts under Section 5 of the FTC Act, 15 U.S.C. § 45.
What Workers Can Do Right Now
Ask for the surveillance disclosure — in writing. If you work in Connecticut, Delaware, New York, or California, your employer is required to provide written notice of electronic monitoring. If you never received one, or if the notice you received is generic and does not identify the specific tools in use, ask for a current version. The response (or the absence of one) is evidence.
Send a data access request. California employees have the right to request a copy of the personal information their employer has collected about them, including monitoring data. Even outside California, many employers use vendor tools that maintain individual employee dashboards; asking to see yours is often a productive first step.
Watch the biometric time clock. If your employer requires you to scan a fingerprint, palm, or face to clock in or out, and you have not signed a specific written consent form identifying the biometric data being collected, the purpose, and the retention period, that is a potential BIPA (or state analogue) violation. Save any dealer paperwork, onboarding materials, and the app or terminal branding.
Do not delete surveillance software yourself. Uninstalling employer-issued monitoring software from a company device is almost always a violation of the acceptable-use policy and can be treated as insubordination or grounds for termination. The right response to unlawful surveillance is a legal claim, not self-help.
Document what you notice. If your webcam light flickers on when you are not on a call, if your cursor jitters as if it is being screenshotted, if you receive productivity emails you did not authorize — save that information. The best evidence in a workplace surveillance case is often a contemporaneous log kept by the worker.
Mason & Perry LLP represents individuals and groups in workplace privacy, biometric privacy, and consumer protection class action litigation. If you believe your employer’s monitoring practices violate state notice laws, biometric privacy statutes, or federal electronic-communications law, contact us to discuss your options.