In most cases, yes. If you are using an employer-owned computer, network, email account, or phone, your employer generally has broad legal authority to monitor what you do on it, including the emails you send, the websites you visit, and even the keys you type. The main federal law in this area, the Electronic Communications Privacy Act (ECPA), prohibits intercepting electronic communications, but it contains wide exceptions for employers that swallow most workplace monitoring. A handful of states add stronger protections, most commonly a requirement that employers notify you before monitoring begins.
This is general information, not legal advice, but the sections below explain how the rules actually work, where your state may give you more, and what you can practically do about it.
The federal baseline: ECPA and the "work device" reality
The Electronic Communications Privacy Act of 1986 (often called ECPA; its first part is known as the Wiretap Act) is the federal law that governs the interception of electronic communications. On paper it makes it illegal to intercept emails, messages, and other electronic data. In practice, it carves out two big exceptions that let employers monitor employees in almost any normal situation.
- The "business use" or "ordinary course of business" exception. Employers may monitor communications on equipment they provide when there is a legitimate business reason, such as protecting trade secrets, ensuring productivity, or maintaining security. Because nearly any monitoring of work systems can be tied to a business purpose, this exception is broad.
- The "consent" exception. If even one party to the communication has consented to monitoring, it is generally allowed. Employers routinely obtain this consent through an acknowledgment in the employee handbook, an acceptable-use policy, or a banner you click through when you log in.
The single most important concept here is the reasonable expectation of privacy. Courts have repeatedly held that when you use an employer's computer, email system, or network, especially after being told it may be monitored, you have little or no reasonable expectation of privacy in what you do there. The device belongs to the employer, the network belongs to the employer, and the work email account belongs to the employer.
What employers can typically monitor on work systems
On company-owned or company-managed equipment, courts and regulators have generally allowed employers to track a wide range of activity. Common examples include:
- Work email. Emails sent and received through a company account can be read, stored, and reviewed, even after deletion, because they live on the employer's servers.
- Web browsing and app usage. Employers can log the sites you visit and the applications you run on the work network or device.
- Keystrokes. Keystroke logging is legal in most situations on employer-owned equipment. It is sometimes used for security or productivity tracking, though it raises obvious privacy concerns.
- Screenshots and screen recording. Periodic screenshots or continuous screen capture are common in remote-work monitoring software.
- Files and chat. Documents stored on company drives and messages sent through company chat tools (Slack, Teams, and similar) are generally accessible to the employer.
- Location and login data. Badge swipes, VPN logins, and GPS on company phones or vehicles can be tracked.
Where the lines get blurry: personal accounts and personal devices
Your protection is stronger when communications are genuinely personal and not on the employer's system. A few important distinctions:
- Personal email and accounts. If you log into a personal Gmail or social media account, an employer reading those stored messages by using your password without authorization may run into the Stored Communications Act (the second part of ECPA), which protects communications held in storage by a service provider. However, if you access that personal account on a work computer, monitoring software may still capture what appears on the screen or the keys you type.
- Personal devices (BYOD). If you use your own phone or laptop, the employer's reach is more limited, but it expands sharply if you install company software, connect to the company network, or enroll the device in a mobile device management (MDM) system. Read any BYOD agreement carefully, because it often grants the employer monitoring or remote-wipe rights.
- Phone calls. The Wiretap Act treats live voice calls more strictly. Many states require all-party consent to record a call. Monitoring of business calls is often permitted, but purely personal calls are supposed to be left alone once their personal nature is clear.
Do employers have to tell you they are monitoring?
Under federal law, there is no general requirement that private employers notify employees about electronic monitoring of company systems. The business-use and consent exceptions do most of the work, and many employers provide notice mainly to lock in that consent and reduce legal risk.
The biggest differences appear at the state level. Some states have enacted laws requiring private employers to give employees advance written notice before monitoring their emails, internet activity, or other electronic communications. A few require a one-time notice when monitoring policies are adopted; others require notice at hire. Because the specifics, including who must be notified and how, differ significantly and change over time, do not assume your state has (or lacks) such a law. Check your state labor department's guidance or your state's statutes rather than relying on a number or deadline you read online.
Public-sector employees have an additional layer of protection. Government workers can invoke the Fourth Amendment's protection against unreasonable searches, though courts still weigh the employer's legitimate operational needs and any policies that reduced the worker's expectation of privacy.
Monitoring still has legal limits
Even where monitoring itself is lawful, employers cannot use it to break other laws. Watch for these guardrails:
- Protected concerted activity (NLRA). The National Labor Relations Act, enforced by the National Labor Relations Board (NLRB), protects most private-sector employees, union or not, when they discuss wages, hours, and working conditions. Using surveillance to spy on, intimidate, or retaliate against employees for organizing or discussing pay can be an unfair labor practice.
- Discrimination (Title VII, ADA, ADEA). If monitoring is applied selectively, for example targeting workers by race, sex, age, religion, or disability, or if the data is used to discriminate, that can violate laws enforced by the Equal Employment Opportunity Commission (EEOC). Health information picked up through monitoring can also implicate the ADA's confidentiality rules.
- Retaliation. Employers cannot use monitoring to punish employees for legally protected activities, such as filing a complaint with the Department of Labor, the EEOC, or OSHA.
- State privacy and biometric laws. Some states regulate the collection of biometric data (like fingerprints or facial scans) and off-duty conduct. Again, this varies by state.
Practical steps to protect yourself
You cannot out-argue a monitoring policy, but you can make smart choices and build a record if something feels wrong.
- Assume work systems are monitored. Treat every email, message, search, and keystroke on a company device or network as potentially visible to your employer. Keep personal matters off work equipment entirely.
- Read the policies. Find your employer's acceptable-use, electronic-communications, and BYOD policies in the handbook. They usually spell out what is monitored and what consent you have already given.
- Separate personal from work. Use your own device, your own network, and your own accounts for anything private. Do not log into personal accounts on work machines if you want to keep them out of reach.
- Document concerns. If you believe monitoring is being used to retaliate, discriminate, or suppress discussion of wages or working conditions, write down what happened, when, and who was involved, and save copies of relevant communications on a personal device, not the company system.
- Know who to contact. For organizing or wage-discussion retaliation, the NLRB handles unfair labor practice charges. For discrimination, the EEOC (or your state civil-rights agency) is the right office, and discrimination charges have firm filing deadlines, often a few months, so do not wait. For wage-and-hour issues, contact the U.S. Department of Labor's Wage and Hour Division. For workplace-safety retaliation, OSHA's deadlines are short.
- Ask before assuming your state protects you. Your state labor department can tell you whether a monitoring-notice law applies where you work. A local employment attorney can review your specific facts; many offer free initial consultations.
The bottom line
On equipment and accounts your employer owns, monitoring of your computer, emails, and keystrokes is usually legal, and federal law rarely requires advance notice. Your strongest protections come from keeping personal activity on personal devices, knowing your state's notice rules, and recognizing that monitoring cannot lawfully be used to discriminate, retaliate, or interfere with your right to discuss working conditions. When in doubt, treat the work device as a window your employer can look through, and keep your private life on the other side of the glass.
Your state and city matter. Federal law is the floor — many states and cities require higher pay, more leave, and broader protections. Always check your state’s rules (and any local ordinances) in addition to the federal laws above. This is general legal information, not legal advice.
Frequently asked questions
Can my boss read my work emails?
Generally yes. Emails sent and received through a company email account live on the employer's servers, and under the Electronic Communications Privacy Act's business-use and consent exceptions, employers can typically read, store, and review them, even messages you deleted. You usually have little reasonable expectation of privacy in a work email account.
Is it legal for my employer to monitor my computer?
On an employer-owned or employer-managed computer, monitoring is generally legal under federal law. Employers can track browsing, applications, files, and screen activity when there is a business purpose, and they often secure your consent through an acceptable-use policy. Some states require advance notice, so this varies by state.
Can my company monitor my keystrokes?
In most situations, yes: keystroke logging on a company-owned device is legal. It is sometimes used for security or productivity tracking. The main exceptions are state notice laws and situations where the data is used to discriminate, retaliate, or interfere with protected discussions about pay and working conditions.
Can my company monitor my personal laptop?
Its reach is more limited on a device you own, but it grows quickly if you install company software, join the company network, or enroll in a mobile device management system. Check any bring-your-own-device agreement, which often grants monitoring or remote-wipe rights over the portions of your device used for work.
Do employers have to disclose if they are monitoring employees?
Federal law generally does not require private employers to notify employees about electronic monitoring of company systems. However, some states have laws requiring advance written notice before monitoring emails or internet activity. Whether such a law applies depends on your state, so check your state labor department or statutes.
This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.