Photo of Helena Engfeldt

Helena Engfeldt

Subscribe to Helena Engfeldt's Posts
Contact:Read more about Helena Engfeldt

This article was originally published by IAPP linked here.

When monitoring employees in the workplace in the U.S. and Canada, employers must be cognizant of their obligations under employment and data privacy laws. 

In the US, employers can mostly negate privacy expectations from developing in the workplace by providing clear notice of monitoring practices and which notice is required in certain states, such as New York. But under the California Consumer Privacy Act, data minimization requirements apply and monitoring practices must be justifiable as necessary and proportionate.

In Canada, employers are required to balance operational needs such as safety, security and productivity, with the privacy rights of their employees. Monitoring should be reasonable, proportionate and tied to a legitimate business purpose. Organizations must comply with applicable federal or provincial privacy legislation, which can include safeguarding any employee personal information collected, obtaining employee consent in certain circumstances, and providing notice to employees of monitoring practices. 

For federally regulated private-sector employers — such as banks, airlines and telecommunications companies — employee monitoring is generally governed by the Personal Information Protection and Electronic Documents Act. Provinces that have enacted privacy laws deemed “substantially similar” to PIPEDA are exempt from its collection, use and disclosure provisions under section 26(2)(b). Presently, only Alberta, British Columbia and Québec have privacy legislation that is substantially similar to PIPEDA.

US: A patchwork of requirements apply to employers

At the federal level in the U.S., employee monitoring is primarily governed by the Electronic Communications Privacy Act and the Stored Communications Act, which permit monitoring for legitimate business purposes but impose strict limits on unauthorized interception and access to private communications. Further, employers must conduct all workplace monitoring and surveillance in compliance with federal, state and local anti-discrimination laws. And, all employers, even those with a nonunionized workforce, must comply with the National Labor Relations Act when conducting workplace monitoring and surveillance. Continue Reading Employee Monitoring in the US and Canada: What Employers Need to Know

On December 11, 2025, President Trump signed an Executive Order on “Ensuring A National Policy Framework For Artificial Intelligence” (the “Order”). The Order represents the Administration’s latest and most pointed attempt to stop and reverse the wave of state AI legislation that has emerged over the preceding year, which the Order asserts “creates a patchwork of 50 different regulatory regimes.” The Order raises the political stakes regarding state AI laws and creates uncertainty in the form of anticipated litigation, but does not instantly remove current or impending state AI law obligations for companies developing or deploying AI.Continue Reading Pre-emption by Executive Order: Trump Order Moves to Block State AI Laws

As California continues to set the pace for employment law regulation, 2026 looks to be another high-speed race filled with sharp turns and new obstacles. From restrictions on repayment agreements and expanded Cal WARN notice requirements to stricter pay equity rules, and much more, California employers are entering a compliance race where every second counts.

Fast Track to 2026: A 75-Minute Must-Attend Webinar for In-House Counsel

The legal landscape impacting California employers is evolving at breakneck speed. As we race toward 2026, employers need to stay agile, informed, and ready to shift gears. This high-impact session will cover the most pressing workplace trends, risks, and regulatory changes ahead for California

CPPA Adopts Expanded Regulations

Please join us for our next virtual session to discuss the newly adopted CCPA regulations—on September 30 from 12 to 1pm Pacific. In this session, our interdisciplinary team will discuss what the new regulations cover and what companies can do now to comply.

Click here to register.

CLE will be offered.

Join our AI and Cyber CLE Series

If your last name starts with A-G, you are probably well aware that your (recently extended) MCLE compliance deadline is on March 30, 2025. In addition to the general credit requirement, the state of California requires all attorneys to complete:

  • At least four hours of legal ethics
  • At least two hours on competence issues
  • At least two hours on the elimination of bias in the legal profession and society. Of the two hours, at least one hour must focus on implicit bias and the promotion of bias‑reducing strategies.
  • At least one hour on technology 
  • At least one hour on civility

Continue Reading California’s CLE Compliance Deadline Is Approaching – We can help!

By and large, HR departments are proving to be ground zero for enterprise adoption of artificial intelligence technologies. AI can be used to collect and analyze applicant data, productivity, performance, engagement, and risk to company resources. However, with the recent explosion of attention on AI and the avalanche of new AI technologies, the use of AI is garnering more attention and scrutiny from regulators, and in some cases, employees. At the same time, organizations are anxious to adopt more AI internally to capitalize on productivity and efficiency gains, and often in-house attorneys are under pressure from internal clients to quickly review and sign off on new tools, and new functionalities within existing tools.

This is especially challenging given the onslaught of new regulations, the patchwork of existing data protection and discrimination laws, and heightened regulatory enforcement. For example, there has been a considerable uptick in European data protection authorities investigating how organizations are deploying workforce AI tools in the monitoring space, including time and activity trackers, video surveillance, network and email monitoring, and GPS tracking. Authorities have issued substantial fines for alleged privacy law violations, including for “unlawfully excessive” or “disproportionate” collection. For example, the French data protection authorities recently imposed a USD $34 million fine related to a multinational e-commerce company’s use of a workplace surveillance system.

The AI regulatory landscape is rapidly evolving, and in most places compliance is still voluntary. However, organizations should build their AI governance programs to include key privacy, data protection, intellectual property, anti-discrimination and other concepts – and a good place to start is with these HR tools given their widespread use and the increased scrutiny. Legal Departments should consider these five key actions:Continue Reading The Legal Playbook for AI in HR: Five Practical Steps to Help Mitigate Your Risk

On January 1, 2024, businesses must post updated Privacy Policies under the California Consumer Privacy Act (CCPA), which requires annual updates of disclosures and fully applies in the job applicant and employment context since January 1, 2023.

With respect to job applicants and employees, businesses subject to the CCPA are required to:

  1. Issue detailed privacy notices with prescribed disclosures, terminology, and organization;
  2. Respond to data subject requests from employees and job candidates for copies of information about them, correction, and deletion;
  3. Offer opt-out rights regarding disclosures of information to service providers, vendors, or others, except to the extent they implement qualified agreements that contain particularly prescribed clauses; and
  4. Offer opt-out rights regarding the use of sensitive information except to the extent they have determined they use sensitive personal information only within the scope of statutory exceptions.

If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. For more: see also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Key recommendations to heed now

Continue Reading Looking ahead to 2024: California privacy law action items for employers

It is an unprecedented time for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) took effect on January 1, 2023 with a twelve-month look-back that also applies to the personal data of employees and business contacts. The California Privacy Protection Agency recently finalized regulations and has kicked off a new phase of rulemaking including on

In first-of-its-kind legislation, under SB 54, California will require venture capital companies to collect and report diversity data from portfolio company founders as soon as March 1, 2025. The new Fair Investment Practices by Investment Advisers law intends to increase transparency regarding the diversity of founding teams receiving venture funds from covered entities